lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+aT9N=wv91PVAyOwD9g5vhNY623m-pdaUowVP2BoixW6Q@mail.gmail.com>
Date:   Tue, 6 Sep 2016 17:18:56 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Arnaldo Carvalho de Melo <acme@...nel.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: perf: out-of-bounds write in perf_callchain_store

On Tue, Sep 6, 2016 at 5:05 PM, Arnaldo Carvalho de Melo
<acme@...nel.org> wrote:
> Em Tue, Sep 06, 2016 at 04:49:29PM +0200, Dmitry Vyukov escreveu:
>> On Tue, Sep 6, 2016 at 4:44 PM, Arnaldo Carvalho de Melo
>> <acme@...nel.org> wrote:
>> > Em Tue, Sep 06, 2016 at 04:36:08PM +0200, Peter Zijlstra escreveu:
>> >> On Tue, Sep 06, 2016 at 03:42:40PM +0200, Dmitry Vyukov wrote:
>> >> > Hello,
>> >> >
>> >> > The following program trigger an out-of-bounds write in
>> >> > perf_callchain_store (if run in a parallel loop):
>> >> >
>> >> > https://gist.githubusercontent.com/dvyukov/c05d883e776a353a1d063b670f50bde6/raw/1c8906b1aacfbd8a0cc0b5cf0cc4d0535345e497/gistfile1.txt
>> >> >
>> >> >
>> >> > BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0xe65/0xfc0 at
>> >> > addr ffff88003e162840
>> >> > Write of size 8 by task syz-executor/22516
>> >> > CPU: 0 PID: 22516 Comm: syz-executor Not tainted 4.8.0-rc5-next-20160905+ #14
>> >> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> >> >  ffffffff886b6fe0 ffff88003ec07738 ffffffff82db81a9 ffffffff00000000
>> >> >  fffffbfff10d6dfc ffff88003e800a00 ffff88003e161740 ffff88003e163740
>> >> >  0000000000000001 ffff88003e162840 ffff88003ec07760 ffffffff8180b2ec
>> >> > Call Trace:
>> >> >  [<ffffffff8180b9c7>] __asan_report_store8_noabort+0x17/0x20
>> >> > mm/kasan/report.c:332
>> >> >  [<     inline     >] perf_callchain_store include/linux/perf_event.h:1146
>> >> >  [<ffffffff81014925>] perf_callchain_user+0xe65/0xfc0 arch/x86/events/core.c:2441
>> >> >  [<ffffffff816c5f48>] get_perf_callchain+0x448/0x680 kernel/events/callchain.c:235
>> >> >  [<ffffffff816c62cd>] perf_callchain+0x14d/0x1a0 kernel/events/callchain.c:191
>> >>
>> >> Urgh, that callchain code is a pain with that context/entries
>> >> separation. But I can't see an obvious overrun there.
>> >>
>> >> But WTF is max_contexts a sysctl? that doesn't seen to make any kind of
>> >> sense.
>> >>
>> >> Acme, can you untangle that stuff and spot the fail?
>> >
>> > I looked at it briefly some moments ago, couldn't find it so far, have
>> > to look at what was behind adding a sysctl for that :-\
>> >
>> > And yeah, that entry/ctx thing, IIRC, was done to reduce patch size,
>> > probably needs some polishing to become clearer.
>>
>>
>> I believe fuzzer wasn't messing with sysctl's.
>> But, yeah, I guess it's really bad idea to try to change them on a
>> running system.
>
> Why? They start with a reasonable value, but that is not ok for all
> cases, thus they were introduced, and they only can get changed if there
> are _no_ callchain users, so what would be the problem?


Sorry, I missed the "they only can get changed if there are _no_
callchain users" part.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ