Message-ID: <20160719183327.GA22621@codemonkey.org.uk>
Date: Tue, 19 Jul 2016 14:33:27 -0400
From: Dave Jones <davej@...emonkey.org.uk>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@...il.com>,
Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: 4.7-rc7: use-after-free in proc_map_files_readdir
On Tue, Jul 19, 2016 at 05:20:36PM +0100, Al Viro wrote:
> On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> > On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> > >
> > > Just in case can you addr2line this address or post disassembly?
> >
> > http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
> >
> > Which by my math, looks to be..
> >
> > 7253: 41 8b 87 84 00 00 00 mov 0x84(%r15),%eax
> > info.len = snprintf(info.name,
>
> The entire expression is
> info.len = snprintf(info.name,
> sizeof(info.name), "%lx-%lx",
> vma->vm_start, vma->vm_end);
> and we have
> * address of array field in local structure.
> * constant
> * string literal
> * two longs fetched from *vma, that being done under ->mmap_sem
> * call of snprintf
> * store into a field of local structure.
> The only ways to get use-after-free in that would be to have *vma freed
> under you or have the same happen to your stack frame.
>
> Could you dump the relevant part of vmlinux objdump, rather than whatever
> you've used on base.o? Having relocations resolved makes it much easier
> to figure out... Or just dump that vmlinux on anonftp somewhere...
http://codemonkey.org.uk/junk/vmlinux.gz
Dave
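To make the reasoning in Al's breakdown of the expression concrete, here is an added user-space example (not code from this thread or from the kernel) that mirrors the `snprintf(info.name, sizeof(info.name), "%lx-%lx", vma->vm_start, vma->vm_end)` pattern with stand-in structures. The `vma_stub`, `map_files_info_stub`, `MAP_NAME_LEN` and the helper functions are assumptions made for the example; the buffer is sized on the reasoning that two longs in hex need at most 2*sizeof(long) characters each, plus the '-' and the NUL. It checks that the formatted length stored in `len` matches what actually landed in the buffer, including the worst case where both addresses are all ones, so a sizing mistake would show up as truncation rather than as a silent overflow.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the two vma fields the expression reads (assumption:
 * only vm_start and vm_end are modelled). */
struct vma_stub {
    unsigned long vm_start;
    unsigned long vm_end;
};

/* Name buffer sized for "%lx-%lx": two hex longs (2*sizeof(long) chars
 * each), one '-', one NUL. This constant is an assumption for the example. */
#define MAP_NAME_LEN (4 * sizeof(long) + 2)

struct map_files_info_stub {
    unsigned int len;
    unsigned char name[MAP_NAME_LEN];
};

/* Format "start-end" the same way the expression in the thread does.
 * Returns 1 when the result fit without truncation, 0 otherwise; len is
 * only updated on success so a truncated result is never trusted. */
static int format_map_name(struct map_files_info_stub *info,
                           const struct vma_stub *vma)
{
    int n = snprintf((char *)info->name, sizeof(info->name), "%lx-%lx",
                     vma->vm_start, vma->vm_end);
    if (n < 0 || (size_t)n >= sizeof(info->name))
        return 0;           /* would have been truncated */
    info->len = (unsigned int)n;
    return 1;
}

/* Convenience wrapper: the stored len for a given range, or -1 if the
 * name did not fit. */
static int example_len(unsigned long start, unsigned long end)
{
    struct vma_stub vma = { start, end };
    struct map_files_info_stub info;
    if (!format_map_name(&info, &vma))
        return -1;
    return (int)info.len;
}

/* Worst case: both addresses all ones, so both hex fields are maximal.
 * Returns 1 if it fits and the stored len agrees with the buffer. */
static int worst_case_fits(void)
{
    struct vma_stub vma = { ULONG_MAX, ULONG_MAX };
    struct map_files_info_stub info;
    if (!format_map_name(&info, &vma))
        return 0;
    return info.len == 4 * sizeof(long) + 1
        && strlen((const char *)info.name) == info.len;
}

int main(void)
{
    /* Constructed sample range, not taken from the reported trace. */
    struct vma_stub vma = { 0x7f1234560000UL, 0x7f1234580000UL };
    struct map_files_info_stub info;

    if (format_map_name(&info, &vma))
        printf("%s (len=%u)\n", (const char *)info.name, info.len);
    printf("worst case fits: %s\n", worst_case_fits() ? "yes" : "no");
    return 0;
}
```

The point of the `n >= sizeof(info->name)` check is that `snprintf` returns the length it would have written, not what it wrote; storing that value as `len` after a truncation is exactly the kind of mismatch between a length field and its buffer that later readers trip over, so the example refuses to update `len` in that case.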