Date: Sun, 21 Jan 2024 21:48:36 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: Zhu Yanjun <yanjun.zhu@...ux.dev>, Chenyuan Yang <chenyuan0y@...il.com>,
 santosh.shilimkar@...cle.com, netdev@...r.kernel.org,
 linux-rdma@...r.kernel.org, rds-devel@....oracle.com,
 linux-kernel@...r.kernel.org
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, "syzkaller@...glegroups.com"
 <syzkaller@...glegroups.com>, Zijie Zhao <zzjas98@...il.com>
Subject: Re: [Linux Kernel Bug] UBSAN: array-index-out-of-bounds in
 rds_cmsg_recv

Hi,


On 1/21/24 00:34, Zhu Yanjun wrote:
> On 2024/1/19 22:29, Chenyuan Yang wrote:
>> Dear Linux Kernel Developers for Network RDS,
>>
>> We encountered "UBSAN: array-index-out-of-bounds in rds_cmsg_recv"
>> when testing the RDS with our generated specifications. The C
>> reproducer program and logs for this crash are attached.
>>
>> This crash happens when RDS receives messages by using
>> `rds_cmsg_recv`, which reads the `j+1` index of the array
>> `inc->i_rx_lat_trace`
>> (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L585).
>> The length of `inc->i_rx_lat_trace` array is 4 (defined by
>> `RDS_RX_MAX_TRACES`,
>> https://elixir.bootlin.com/linux/v6.7/source/net/rds/rds.h#L289) while
>> `j` is the value stored in another array `rs->rs_rx_trace`
>> (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L583),
>> which is sent from others and could be an arbitrary value.
> 
> I recommend using the latest rds to run tests. The rds in the upstream linux kernel is too old. The rds in Oracle Linux is newer.

Why is the upstream kernel lagging behind?  Is the RDS maintainer going
to submit patches to update mainline?

Thanks.

> Zhu Yanjun
> 
>>
>> This crash might be exploited to read values out of bounds from the
>> array by setting arbitrary values for the array `rs->rs_rx_trace`.
>>
>> If you have any questions or require more information, please feel
>> free to contact us.
>>
>> Best,
>> Chenyuan
> 
> 

-- 
#Randy

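The quoted report describes the indexing pattern in rds_cmsg_recv precisely enough to model: a per-socket array rs->rs_rx_trace is filled with caller-chosen positions j, and the receive path later reads inc->i_rx_lat_trace[j + 1] from a 4-slot array. The following is an added example written for this page, a userspace C model and not kernel code or the reporters' reproducer. RDS_RX_MAX_TRACES (4) and the [j + 1] read come from the report; the function names, the RX_TRACE_SLOTS bound, the setsockopt-style setters and the sample timestamps are assumptions constructed for illustration. It shows where the check belongs (the boundary where rs_rx_trace is filled), why the consumer should still fail closed, and why the bound is written as j >= MAX - 1 rather than j + 1 >= MAX.

```c
/* Added example: userspace model of the rds_cmsg_recv indexing pattern from
 * the report above. Not kernel code. RDS_RX_MAX_TRACES and the [j + 1] read
 * are from the report; names, RX_TRACE_SLOTS and sample data are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RDS_RX_MAX_TRACES 4                    /* slots in i_rx_lat_trace (report) */
#define RX_TRACE_SLOTS (RDS_RX_MAX_TRACES - 1) /* assumed: max intervals per socket */

struct inc_model {
    uint64_t i_rx_lat_trace[RDS_RX_MAX_TRACES]; /* per-message timestamps */
};

struct sock_model {
    unsigned rs_rx_traces;                /* entries used in rs_rx_trace */
    unsigned rs_rx_trace[RX_TRACE_SLOTS]; /* caller-chosen positions j */
};

/* j is safe only if both [j] and [j + 1] are inside the array. Written as
 * j < MAX - 1 rather than j + 1 < MAX so j == UINT_MAX cannot wrap to 0. */
static bool trace_pos_in_bounds(unsigned j)
{
    return j < RDS_RX_MAX_TRACES - 1;
}

/* Stores positions as supplied: the shape the report complains about,
 * since the consumer then indexes [j + 1] with whatever j was given. */
static void set_rx_trace_unchecked(struct sock_model *rs,
                                   const unsigned *pos, unsigned n)
{
    if (n > RX_TRACE_SLOTS)
        n = RX_TRACE_SLOTS;
    rs->rs_rx_traces = n;
    memcpy(rs->rs_rx_trace, pos, n * sizeof(*pos));
}

/* Hardened setter: validate at the boundary where the values arrive. */
static int set_rx_trace_checked(struct sock_model *rs,
                                const unsigned *pos, unsigned n)
{
    if (n > RX_TRACE_SLOTS)
        return -1;
    for (unsigned i = 0; i < n; i++)
        if (!trace_pos_in_bounds(pos[i]))
            return -1;
    rs->rs_rx_traces = n;
    memcpy(rs->rs_rx_trace, pos, n * sizeof(*pos));
    return 0;
}

/* Index of the first stored position whose [j + 1] read would leave the
 * array, or -1. Reports the over-read without performing it. */
static int first_oob_position(const struct sock_model *rs)
{
    for (unsigned i = 0; i < rs->rs_rx_traces && i < RX_TRACE_SLOTS; i++)
        if (!trace_pos_in_bounds(rs->rs_rx_trace[i]))
            return (int)i;
    return -1;
}

/* Consumer modelled on the report's loop: out[i] = lat[j + 1] - lat[j].
 * Re-checks j so bad socket state fails closed; returns count or -1. */
static int cmsg_recv_model(const struct sock_model *rs,
                           const struct inc_model *inc,
                           uint64_t out[RX_TRACE_SLOTS])
{
    unsigned i;
    for (i = 0; i < rs->rs_rx_traces && i < RX_TRACE_SLOTS; i++) {
        unsigned j = rs->rs_rx_trace[i];
        if (!trace_pos_in_bounds(j))
            return -1;
        out[i] = inc->i_rx_lat_trace[j + 1] - inc->i_rx_lat_trace[j];
    }
    return (int)i;
}

/* Scenarios on constructed data; 0 on success, else number of failed check. */
static int check_model(void)
{
    struct inc_model inc = { { 100, 250, 600, 1000 } }; /* constructed ns */
    struct sock_model rs;
    uint64_t out[RX_TRACE_SLOTS];
    unsigned good[] = { 0, 1, 2 };
    unsigned bad[] = { 0, 3 };          /* j == 3 reads [4] of a 4-slot array */
    unsigned huge[] = { 0xffffffffu };  /* j + 1 would wrap to 0 */

    if (set_rx_trace_checked(&rs, good, 3) != 0) return 1;
    if (cmsg_recv_model(&rs, &inc, out) != 3) return 2;
    if (out[0] != 150 || out[1] != 350 || out[2] != 400) return 3;
    if (set_rx_trace_checked(&rs, bad, 2) != -1) return 4;
    set_rx_trace_unchecked(&rs, bad, 2);
    if (first_oob_position(&rs) != 1) return 5;
    if (cmsg_recv_model(&rs, &inc, out) != -1) return 6;
    set_rx_trace_unchecked(&rs, huge, 1);
    if (first_oob_position(&rs) != 0) return 7;
    return 0;
}

int main(void)
{
    int rc = check_model();
    printf("model checks: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point the model makes is that the value of j is decided when rs_rx_trace is filled, so that is where rejection is cheapest and clearest; the consumer's own check is a second line that turns a stale or corrupted socket state into an error rather than an over-read. It does not claim what the actual upstream validation looks like, only what the report says the consumer reads.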