lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 6 Feb 2018 15:21:48 -0800
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     syzbot <syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com>
Cc:     adobriyan@...il.com, arnd@...db.de, dave.jiang@...el.com,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk, David Rientjes <rientjes@...gle.com>
Subject: Re: WARNING: kmalloc bug in relay_open_buf

On Tue, 06 Feb 2018 14:58:02 -0800 syzbot <syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot hit the following crash on upstream commit
> e237f98a9c134c3d600353f21e07db915516875b (Mon Feb 5 21:35:56 2018 +0000)
> Merge tag 'xfs-4.16-merge-5' of  
> git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
> 
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for  
> details.
> If you forward the report, please keep this part and the footer.
> 
> audit: type=1400 audit(1517939984.452:7): avc:  denied  { map } for   
> pid=4159 comm="syzkaller032522" path="/root/syzkaller032522586" dev="sda1"  
> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> WARNING: CPU: 0 PID: 4159 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70  
> mm/slab_common.c:1012
> Kernel panic - not syncing: panic_on_warn set ...


David sent a fix today which I believe will address this.


From: David Rientjes <rientjes@...gle.com>
Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE

chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
of chan->n_subbufs * sizeof(size_t *).

kmalloc_slab() will generate a warning when this fails if
chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.

Limit chan->n_subbufs to the maximum allowed kmalloc() size.

Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
Signed-off-by: David Rientjes <rientjes@...gle.com>
Reviewed-by: Andrew Morton <akpm@...ux-foundation.org>
Cc: Jens Axboe <axboe@...nel.dk>
Cc: Dave Jiang <dave.jiang@...el.com>
Cc: Al Viro <viro@...iv.linux.org.uk>
Cc: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
---

 kernel/relay.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size kernel/relay.c
--- a/kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size
+++ a/kernel/relay.c
@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu
 {
 	struct rchan_buf *buf;
 
-	if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
 		return NULL;
 
 	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
_

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ