lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160731084108.GA538@swordfish>
Date:	Sun, 31 Jul 2016 17:41:08 +0900
From:	Sergey Senozhatsky <sergey.senozhatsky@...il.com>
To:	Vincent Brillault <vincent.brillault@...n.ch>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Petr Mladek <pmladek@...e.com>,
	Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	Kees Cook <keescook@...omium.org>,
	Thierry Reding <treding@...dia.com>,
	Geliang Tang <geliangtang@....com>, Tejun Heo <tj@...nel.org>,
	Ivan Delalande <colona@...sta.com>,
	linux-kernel@...r.kernel.org
Subject: Re: kernel/printk/printk.c: Invalid access when buffer wraps around?

Hello,

sorry for long reply. do you see this in practice?

On (07/25/16 11:22), Vincent Brillault wrote:
[..]
> To be specific, these circonstances are:
> - The buffer is almost full and the `log_next_seq` is closed to the end,
>   but there is still place for small messages
> - A reader updates its index and sequence to log_next_*
> - The next message is too large, resulting in the buffer wrapping-around and
>    a zeroed header to be added at the reader index position
> - The buffer is completely filled with new messages but without wrapping:
>  + The last message must not wrap around (thus log_first_seq will be equal to
>     the readers's index)
>  + The last message must override the zeroed header (Trigerring the bug)
> - The reader starts reading again, finding random data instead of the zero
>   'len' it was supposed to read...

the first printk()->console_unlock() to notice `seen_seq != log_next_seq`
will wakeup a task from log_wait, sleeping on
	wait_event_interruptible(seq != log_next_seq)

so I believe your assumption here is that we wrap around and then fill up
the log_buf again without waking up the klogd even once, correct?

	CPU0				CPU1

	console_lock();
	printk();
	...				devkmsg_read();
	printk();
	console_unlock();

like the above?

	-ss

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ