Date:	Wed, 27 Aug 2014 12:10:12 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	David Howells <dhowells@...hat.com>,
	James Morris <james.l.morris@...cle.com>, serge@...lyn.com
CC:	keyrings@...ux-nfs.org, linux-security-module@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>,
	Dave Jones <davej@...hat.com>
Subject: keys: NULL ptr deref in key_alloc

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel, I've stumbled on the following spew:

[ 1587.614996] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 1587.619523] IP: rb_insert_color (lib/rbtree.c:94 lib/rbtree.c:388)
[ 1587.620675] PGD 29dead067 PUD 36687c067 PMD 0
[ 1587.621618] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1587.623858] Dumping ftrace buffer:
[ 1587.624346]    (ftrace buffer empty)
[ 1587.624346] Modules linked in:
[ 1587.624346] CPU: 16 PID: 23740 Comm: trinity-c574 Not tainted 3.17.0-rc2-next-20140827-sasha-00031-g9ff673f #1080
[ 1587.624346] task: ffff8803a49f3000 ti: ffff88040f394000 task.ti: ffff88040f394000
[ 1587.624346] RIP: rb_insert_color (lib/rbtree.c:94 lib/rbtree.c:388)
[ 1587.624346] RSP: 0018:ffff88040f397dd0  EFLAGS: 00010246
[ 1587.635541] RAX: ffff880372fa4c88 RBX: ffff880271300c84 RCX: 0000000000000000
[ 1587.635541] RDX: 0000000000000000 RSI: ffffffff9c9e9be0 RDI: ffff880271300c88
[ 1587.635541] RBP: ffff88040f397dd0 R08: 0000000000000000 R09: 0000000000000001
[ 1587.635541] R10: 000000000000cb01 R11: 0000000000000001 R12: ffffffff9adaf940
[ 1587.635541] R13: 00000000000000a6 R14: ffff88009bf7a760 R15: ffff880271300c80
[ 1587.635541] FS:  00007f28f4711700(0000) GS:ffff880278200000(0000) knlGS:0000000000000000
[ 1587.635541] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1587.635541] CR2: 0000000000000008 CR3: 000000029da66000 CR4: 00000000000006a0
[ 1587.635541] Stack:
[ 1587.635541]  ffff88040f397e40 ffffffff95a5698f 00000005000000d0 ffff88009bf7a820
[ 1587.635541]  0000000000000000 0000000000000004 ffff880272117400 000036363f010000
[ 1587.635541]  0000000000000005 ffff880272117400 0000000000000003 ffff8803a49f3000
[ 1587.635541] Call Trace:
[ 1587.635541] key_alloc (include/linux/spinlock.h:349 security/keys/key.c:172 security/keys/key.c:313)
[ 1587.635541] keyring_alloc (security/keys/keyring.c:500)
[ 1587.635541] ? creds_are_invalid (kernel/cred.c:701)
[ 1587.635541] install_thread_keyring_to_cred (security/keys/process_keys.c:138)
[ 1587.635541] lookup_user_key (security/keys/process_keys.c:160 security/keys/process_keys.c:538)
[ 1587.635541] ? key_validate (security/keys/process_keys.c:493)
[ 1587.635541] keyctl_set_timeout (include/linux/err.h:35 security/keys/keyctl.c:1334)
[ 1587.635541] SyS_keyctl (security/keys/keyctl.c:1585)
[ 1587.635541] tracesys (arch/x86/kernel/entry_64.S:542)
[ 1587.635541] Code: 8b 50 08 48 85 d2 75 eb 5d c3 31 c0 5d c3 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 85 c0 0f 84 21 01 00 00 48 8b 10 f6 c2 01 75 62 <48> 8b 4a 08 49 89 d0 48 39 c8 0f 84 93 00 00 00 48 85 c9 74 05
All code
========
   0:	8b 50 08             	mov    0x8(%rax),%edx
   3:	48 85 d2             	test   %rdx,%rdx
   6:	75 eb                	jne    0xfffffffffffffff3
   8:	5d                   	pop    %rbp
   9:	c3                   	retq
   a:	31 c0                	xor    %eax,%eax
   c:	5d                   	pop    %rbp
   d:	c3                   	retq
   e:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  13:	55                   	push   %rbp
  14:	48 8b 07             	mov    (%rdi),%rax
  17:	48 89 e5             	mov    %rsp,%rbp
  1a:	48 85 c0             	test   %rax,%rax
  1d:	0f 84 21 01 00 00    	je     0x144
  23:	48 8b 10             	mov    (%rax),%rdx
  26:	f6 c2 01             	test   $0x1,%dl
  29:	75 62                	jne    0x8d
  2b:*	48 8b 4a 08          	mov    0x8(%rdx),%rcx		<-- trapping instruction
  2f:	49 89 d0             	mov    %rdx,%r8
  32:	48 39 c8             	cmp    %rcx,%rax
  35:	0f 84 93 00 00 00    	je     0xce
  3b:	48 85 c9             	test   %rcx,%rcx
  3e:	74 05                	je     0x45
	...

Code starting with the faulting instruction
===========================================
   0:	48 8b 4a 08          	mov    0x8(%rdx),%rcx
   4:	49 89 d0             	mov    %rdx,%r8
   7:	48 39 c8             	cmp    %rcx,%rax
   a:	0f 84 93 00 00 00    	je     0xa3
  10:	48 85 c9             	test   %rcx,%rcx
  13:	74 05                	je     0x1a
	...
[ 1587.635541] RIP rb_insert_color (lib/rbtree.c:94 lib/rbtree.c:388)
[ 1587.635541]  RSP <ffff88040f397dd0>
[ 1587.635541] CR2: 0000000000000008


Thanks,
Sasha