lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 6 Sep 2016 12:05:07 -0300
From:   Arnaldo Carvalho de Melo <acme@...nel.org>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: perf: out-of-bounds write in perf_callchain_store

Em Tue, Sep 06, 2016 at 04:49:29PM +0200, Dmitry Vyukov escreveu:
> On Tue, Sep 6, 2016 at 4:44 PM, Arnaldo Carvalho de Melo
> <acme@...nel.org> wrote:
> > Em Tue, Sep 06, 2016 at 04:36:08PM +0200, Peter Zijlstra escreveu:
> >> On Tue, Sep 06, 2016 at 03:42:40PM +0200, Dmitry Vyukov wrote:
> >> > Hello,
> >> >
> >> > The following program trigger an out-of-bounds write in
> >> > perf_callchain_store (if run in a parallel loop):
> >> >
> >> > https://gist.githubusercontent.com/dvyukov/c05d883e776a353a1d063b670f50bde6/raw/1c8906b1aacfbd8a0cc0b5cf0cc4d0535345e497/gistfile1.txt
> >> >
> >> >
> >> > BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0xe65/0xfc0 at
> >> > addr ffff88003e162840
> >> > Write of size 8 by task syz-executor/22516
> >> > CPU: 0 PID: 22516 Comm: syz-executor Not tainted 4.8.0-rc5-next-20160905+ #14
> >> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >> >  ffffffff886b6fe0 ffff88003ec07738 ffffffff82db81a9 ffffffff00000000
> >> >  fffffbfff10d6dfc ffff88003e800a00 ffff88003e161740 ffff88003e163740
> >> >  0000000000000001 ffff88003e162840 ffff88003ec07760 ffffffff8180b2ec
> >> > Call Trace:
> >> >  [<ffffffff8180b9c7>] __asan_report_store8_noabort+0x17/0x20
> >> > mm/kasan/report.c:332
> >> >  [<     inline     >] perf_callchain_store include/linux/perf_event.h:1146
> >> >  [<ffffffff81014925>] perf_callchain_user+0xe65/0xfc0 arch/x86/events/core.c:2441
> >> >  [<ffffffff816c5f48>] get_perf_callchain+0x448/0x680 kernel/events/callchain.c:235
> >> >  [<ffffffff816c62cd>] perf_callchain+0x14d/0x1a0 kernel/events/callchain.c:191
> >>
> >> Urgh, that callchain code is a pain with that context/entries
> >> separation. But I can't see an obvious overrun there.
> >>
> >> But WTF is max_contexts a sysctl? that doesn't seen to make any kind of
> >> sense.
> >>
> >> Acme, can you untangle that stuff and spot the fail?
> >
> > I looked at it briefly some moments ago, couldn't find it so far, have
> > to look at what was behind adding a sysctl for that :-\
> >
> > And yeah, that entry/ctx thing, IIRC, was done to reduce patch size,
> > probably needs some polishing to become clearer.
> 
> 
> I believe fuzzer wasn't messing with sysctl's.
> But, yeah, I guess it's really bad idea to try to change them on a
> running system.

Why? They start with a reasonable value, but that is not ok for all
cases, thus they were introduced, and they only can get changed if there
are _no_ callchain users, so what would be the problem?

- Arnaldo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ