lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 28 Nov 2015 13:40:08 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Vlad Yasevich <vyasevich@...il.com>,
	Neil Horman <nhorman@...driver.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-sctp@...r.kernel.org, netdev <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	Eric Dumazet <edumazet@...gle.com>
Subject: user-controllable kmalloc size in sctp_getsockopt_local_addrs

Hello,

The following program triggers WARNING in kmalloc:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/socket.h>
#include <linux/in.h>

#define SOL_SCTP        132
#define SCTP_GET_LOCAL_ADDRS    109

int main()
{
        int fd = socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP);
        char buf[256];
        int len = 0x04000000;
        getsockopt(fd, SOL_SCTP, SCTP_GET_LOCAL_ADDRS, &buf, &len);
        return 0;
}



------------[ cut here ]------------
WARNING: CPU: 0 PID: 6006 at mm/page_alloc.c:2989
__alloc_pages_nodemask+0x695/0x14e0()
Modules linked in:
CPU: 0 PID: 6006 Comm: executor Not tainted 4.4.0-rc2+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880033887720 ffffffff82719fc6 0000000000000000
 ffff8800338c2d80 ffffffff85a62a20 ffff880033887760 ffffffff81244ec9
 ffffffff8154e3e5 ffffffff85a62a20 0000000000000bad 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82719fc6>] dump_stack+0x68/0x92 lib/dump_stack.c:50
 [<ffffffff81244ec9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:460
 [<ffffffff812450f9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:493
 [<     inline     >] __alloc_pages_slowpath mm/page_alloc.c:2989
 [<ffffffff8154e3e5>] __alloc_pages_nodemask+0x695/0x14e0 mm/page_alloc.c:3235
 [<ffffffff8160ceee>] alloc_pages_current+0xee/0x340 mm/mempolicy.c:2055
 [<     inline     >] alloc_pages include/linux/gfp.h:451
 [<ffffffff81549c56>] alloc_kmem_pages+0x16/0xf0 mm/page_alloc.c:3414
 [<ffffffff81595e79>] kmalloc_order+0x19/0x60 mm/slab_common.c:1007
 [<ffffffff81595edf>] kmalloc_order_trace+0x1f/0xa0 mm/slab_common.c:1018
 [<     inline     >] kmalloc_large include/linux/slab.h:390
 [<ffffffff8161bd74>] __kmalloc+0x234/0x250 mm/slub.c:3525
 [<     inline     >] kmalloc include/linux/slab.h:463
 [<     inline     >] sctp_getsockopt_local_addrs net/sctp/socket.c:4931
 [<ffffffff854d9730>] sctp_getsockopt+0x11b0/0x3e00 net/sctp/socket.c:6007
 [<ffffffff84913ad5>] sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2604
 [<     inline     >] SYSC_getsockopt net/socket.c:1788
 [<ffffffff84911282>] SyS_getsockopt+0x142/0x230 net/socket.c:1770
 [<ffffffff859551f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
---[ end trace 42716df2ed49f73e ]---


On commit 78c4a49a69e910a162b05e4e8727b9bdbf948f13 (Nov 25).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists