lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 29 Dec 2017 18:19:47 -0600
From:   Eric Biggers <ebiggers3@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Alexander Potapenko <glider@...gle.com>,
        David Miller <davem@...emloft.net>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Networking <netdev@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Kostya Serebryany <kcc@...gle.com>
Subject: Re: KMSAN reports use of uninitialized memory in pfkey_sendmsg()

On Fri, Dec 29, 2017 at 05:49:34PM +0100, Dmitry Vyukov wrote:
> On Fri, Dec 29, 2017 at 5:48 PM, Alexander Potapenko <glider@...gle.com> wrote:
> > Hi all,
> >
> > KMSAN reports a use of uninitialized value on the following program:
> >
> > ==========================
> > // autogenerated by syzkaller (http://github.com/google/syzkaller)
> >
> > #include <string.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> >
> > int main()
> > {
> >   int sock = socket(PF_KEY, SOCK_RAW, 2);
> >   char buf[24];
> >   memset(buf, 0, 24);
> >   buf[0] = 2;
> >   buf[1] = 4;
> >   buf[4] = 3;
> >   buf[16] = 1;
> >   buf[18] = 0x17;  // SADB_X_EXT_NAT_T_OA
> >   struct msghdr hdr;
> >   memset(&hdr, 0, sizeof(struct msghdr));
> >   struct iovec iov;
> >   hdr.msg_iov = &iov;
> >   hdr.msg_iovlen = 1;
> >   iov.iov_base = buf;
> >   iov.iov_len = 0x18;
> >   sendmsg(sock, &hdr, 0);
> > }
> > ==========================
> >
> > the report is below:
> >
> > ==================================================================
> > BUG: KMSAN: use of uninitialized memory in pfkey_sendmsg+0x11ad/0x1900
> > CPU: 0 PID: 2946 Comm: probe Not tainted 4.13.0+ #3626
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > Call Trace:
> >  show_stack+0x12f/0x180 arch/x86/kernel/dumpstack.c:177
> >  __dump_stack lib/dump_stack.c:16
> >  dump_stack+0x185/0x1d0 lib/dump_stack.c:52
> >  kmsan_report+0x137/0x1c0 mm/kmsan/kmsan.c:1066
> >  __msan_warning_32+0x69/0xb0 mm/kmsan/kmsan_instr.c:676
> >  verify_address_len net/key/af_key.c:404
> >  parse_exthdrs net/key/af_key.c:532
> >  pfkey_process net/key/af_key.c:2811
> >  pfkey_sendmsg+0x11ad/0x1900 net/key/af_key.c:3654
> >  sock_sendmsg_nosec net/socket.c:633
> >  sock_sendmsg net/socket.c:643
> >  ___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
> >  __sys_sendmsg net/socket.c:2069
> >  SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
> >  SyS_sendmsg+0x54/0x80 net/socket.c:2076
> >  do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
> >  entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:245
> > RIP: 0033:0x401140
> > RSP: 002b:00007ffe52abc9e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401140
> > RDX: 0000000000000000 RSI: 00007ffe52abca10 RDI: 0000000000000003
> > RBP: 00007ffe52abca80 R08: 0000000000000002 R09: 0000000000000004
> > R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
> > R13: 00000000004063e0 R14: 0000000000406470 R15: 0000000000000000
> > origin:
> >  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:63
> >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:303
> >  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:213
> >  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:339
> >  kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:346
> >  slab_post_alloc_hook mm/slab.h:442
> >  slab_alloc_node mm/slub.c:2724
> >  __kmalloc_node_track_caller+0xa46/0x1230 mm/slub.c:4335
> >  __kmalloc_reserve net/core/skbuff.c:139
> >  __alloc_skb+0x2c6/0x9f0 net/core/skbuff.c:232
> >  alloc_skb ./include/linux/skbuff.h:904
> >  pfkey_sendmsg+0x201/0x1900 net/key/af_key.c:3641
> >  sock_sendmsg_nosec net/socket.c:633
> >  sock_sendmsg net/socket.c:643
> >  ___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
> >  __sys_sendmsg net/socket.c:2069
> >  SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
> >  SyS_sendmsg+0x54/0x80 net/socket.c:2076
> >  do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
> >  return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:245
> > ==================================================================
> >
> > Apparently pfkey_sendmsg reads skb past the end of the buffer copied
> > from the userspace.
> > Could someone please take a look?
> 

Thanks for reporting this!  The problem is that verify_address_len() doesn't
verify that the buffer has space for the ->sa_family field before reading it.
I've sent out a patch.

I also noticed a similar bug in parse_exthdrs(); it doesn't verify that the
buffer has space for the 'struct sadb_ext' before reading it.  I've sent out a
patch for that as well.

Eric

Powered by blists - more mailing lists