lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 01 Dec 2017 10:52:01 -0800
From:   syzbot 
        <bot+015afdb01dbf2abb6a6bfdd5430b72e5503fca6d@...kaller.appspotmail.com>
To:     danielj@...lanox.com, dledford@...hat.com, eparis@...isplace.org,
        james.l.morris@...cle.com, junil0814.lee@....com,
        kyeongdon.kim@....com, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, mka@...omium.org,
        paul@...l-moore.com, sds@...ho.nsa.gov, selinux@...ho.nsa.gov,
        serge@...lyn.com, syzkaller-bugs@...glegroups.com
Subject: KASAN: slab-out-of-bounds Read in strcmp

syzkaller has found reproducer for the following crash on  
fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328
Read of size 1 at addr ffff8801cd99d2c1 by task syzkaller242593/3087

CPU: 0 PID: 3087 Comm: syzkaller242593 Not tainted  
4.15.0-rc1-next-20171201+ #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:252
  kasan_report_error mm/kasan/report.c:351 [inline]
  kasan_report+0x25b/0x340 mm/kasan/report.c:409
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
  strcmp+0x96/0xb0 lib/string.c:328
  security_context_to_sid_core+0x437/0x620  
security/selinux/ss/services.c:1420
  security_context_to_sid+0x32/0x40 security/selinux/ss/services.c:1479
  selinux_setprocattr+0x51c/0xb50 security/selinux/hooks.c:5986
  security_setprocattr+0x85/0xc0 security/security.c:1264
  proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2574
  __vfs_write+0xef/0x970 fs/read_write.c:480
  __kernel_write+0xfe/0x350 fs/read_write.c:501
  write_pipe_buf+0x175/0x220 fs/splice.c:797
  splice_from_pipe_feed fs/splice.c:502 [inline]
  __splice_from_pipe+0x328/0x730 fs/splice.c:626
  splice_from_pipe+0x1e9/0x330 fs/splice.c:661
  default_file_splice_write+0x40/0x90 fs/splice.c:809
  do_splice_from fs/splice.c:851 [inline]
  direct_splice_actor+0x125/0x180 fs/splice.c:1018
  splice_direct_to_actor+0x2c1/0x820 fs/splice.c:973
  do_splice_direct+0x2a7/0x3d0 fs/splice.c:1061
  do_sendfile+0x5d5/0xe90 fs/read_write.c:1413
  SYSC_sendfile64 fs/read_write.c:1468 [inline]
  SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
  entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x440189
RSP: 002b:00007fffa5fa4c08 EFLAGS: 00000207 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440189
RDX: 0000000020004ff8 RSI: 0000000000000003 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 68742f636f72702f R09: 68742f636f72702f
R10: 0000000000000001 R11: 0000000000000207 R12: 0000000000401a50
R13: 0000000000401ae0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3087:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
  __do_kmalloc mm/slab.c:3712 [inline]
  __kmalloc_track_caller+0x15e/0x760 mm/slab.c:3727
  memdup_user+0x2c/0x90 mm/util.c:164
  proc_pid_attr_write+0x115/0x280 fs/proc/base.c:2563
  __vfs_write+0xef/0x970 fs/read_write.c:480
  __kernel_write+0xfe/0x350 fs/read_write.c:501
  write_pipe_buf+0x175/0x220 fs/splice.c:797
  splice_from_pipe_feed fs/splice.c:502 [inline]
  __splice_from_pipe+0x328/0x730 fs/splice.c:626
  splice_from_pipe+0x1e9/0x330 fs/splice.c:661
  default_file_splice_write+0x40/0x90 fs/splice.c:809
  do_splice_from fs/splice.c:851 [inline]
  direct_splice_actor+0x125/0x180 fs/splice.c:1018
  splice_direct_to_actor+0x2c1/0x820 fs/splice.c:973
  do_splice_direct+0x2a7/0x3d0 fs/splice.c:1061
  do_sendfile+0x5d5/0xe90 fs/read_write.c:1413
  SYSC_sendfile64 fs/read_write.c:1468 [inline]
  SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
  entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 1668:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
  __cache_free mm/slab.c:3492 [inline]
  kfree+0xca/0x250 mm/slab.c:3807
  load_elf_binary+0x1def/0x4c50 fs/binfmt_elf.c:1096
  search_binary_handler+0x142/0x6b0 fs/exec.c:1640
  exec_binprm fs/exec.c:1682 [inline]
  do_execveat_common.isra.30+0x1711/0x22a0 fs/exec.c:1804
  do_execve fs/exec.c:1849 [inline]
  SYSC_execve fs/exec.c:1930 [inline]
  SyS_execve+0x39/0x50 fs/exec.c:1925
  do_syscall_64+0x26c/0x920 arch/x86/entry/common.c:285
  return_from_SYSCALL_64+0x0/0x75

The buggy address belongs to the object at ffff8801cd99d2c0
  which belongs to the cache kmalloc-32 of size 32
The buggy address is located 1 bytes inside of
  32-byte region [ffff8801cd99d2c0, ffff8801cd99d2e0)
The buggy address belongs to the page:
page:000000007121f5c4 count:1 mapcount:0 mapping:00000000d98add9a  
index:0xffff8801cd99dfc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cd99d000 ffff8801cd99dfc1 000000010000003f
raw: ffffea000736b3a0 ffffea0007347860 ffff8801db0001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801cd99d180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
  ffff8801cd99d200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8801cd99d280: fb fb fb fb fc fc fc fc 01 fc fc fc fc fc fc fc
                                            ^
  ffff8801cd99d300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
  ffff8801cd99d380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================


View attachment "config.txt" of type "text/plain" (126531 bytes)

Download attachment "raw.log" of type "application/octet-stream" (11612 bytes)

View attachment "repro.txt" of type "text/plain" (514 bytes)

Download attachment "repro.c" of type "application/octet-stream" (1479 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ