lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.20.1610111709120.25352@pc>
Date:   Tue, 11 Oct 2016 17:48:29 -0500 (CDT)
From:   Scot Doyle <lkml14@...tdoyle.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Peter Hurley <peter@...leysoftware.com>,
        Jiri Slaby <jslaby@...e.com>, linux-kernel@...r.kernel.org,
        plagnioj@...osoft.com, tomi.valkeinen@...com,
        jean-philippe.brucker@....com, linux-fbdev@...r.kernel.org,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: tty, fbcon: use-after-free in fbcon_invert_region

> On Tue, Oct 11, 2016 at 3:43 AM, Scot Doyle <lkml14@...tdoyle.com> wrote:
> > I wonder if the text selection is outside the newly resized vc?
> > Does this patch help?
> > 
> > --- vt.c        2016-10-11 00:32:43.079605599 -0000
> > +++ vt.c.new    2016-10-11 00:36:12.744650759 -0000
> > @@ -874,6 +874,9 @@
> > if (!newscreen)
> > return -ENOMEM;
> > 
> > +       if (vc == sel_cons)
> > +               clear_selection();
> > +
> > old_rows = vc->vc_rows;
> > old_row_size = vc->vc_size_row;
>
> This helped with the use-after-frees and out-of-bounds.
> Tested-by: Dmitry Vyukov <dvyukov@...gle.com>
>
> However, now the test program hanged in D unkillable stack on some
> kind of kernel deadlock. Don't know if it's induced by your patch, or
> just another bug. At least there are no vc_do_resize in stacks.
>
> # ps afxu | grep a.out
> root      6163  6.5  0.0      0     0 pts/0    Zl   13:25   0:00  |
>    \_ [a.out] <defunct>
>
> # ls /proc/6163/task/
> 6163  6191  6193  6194 6201
> 
> # cat /proc/6163/task/*/stack
> [<     inline     >] down_read_failed drivers/tty/tty_ldsem.c:241
> [<ffffffff831b8da6>] __ldsem_down_read_nested+0x2a6/0x5b0 drivers/tty/tty_ldsem.c:332
> [<ffffffff831b23f5>] tty_ldisc_ref_wait+0x35/0xb0 drivers/tty/tty_ldisc.c:274
> [<ffffffff831962b7>] tty_write+0x177/0x840 drivers/tty/tty_io.c:1250
> [<ffffffff8182c700>] __vfs_write+0x110/0x620 fs/read_write.c:510
> [<ffffffff8182dc05>] vfs_write+0x175/0x4e0 fs/read_write.c:560
> [<     inline     >] SYSC_write fs/read_write.c:607
> [<ffffffff818314c9>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
> [<ffffffff86daf545>] entry_SYSCALL_64_fastpath+0x23/0xc6
> arch/x86/entry/entry_64.S:208

The patch below removes the resize ioctl's from the first test program. 
Are there any use-after-free/out-of-bounds errors when running the patched 
test program on the unpatched kernel? If not, but there are still 
deadlocks, then perhaps they aren't caused by the proposed kernel patch?

--- test.c
+++ test.c.new
@@ -141,8 +141,6 @@
     NONFAILING(*(uint16_t*)0x20f77ff9 = (uint16_t)0x6);
     NONFAILING(*(uint16_t*)0x20f77ffb = (uint16_t)0x3f);
     NONFAILING(*(uint16_t*)0x20f77ffd = (uint16_t)0x0);
-    r[17] = execute_syscall(__NR_ioctl, r[8], 0x541cul, 0x20f77ff4ul, 0,
-                            0, 0, 0, 0, 0);
     break;
   case 8:
     NONFAILING(*(uint32_t*)0x20f6dffc = (uint32_t)0x5);
@@ -212,8 +210,6 @@
     NONFAILING(*(uint16_t*)0x20f78ffa = (uint16_t)0xeb8);
     NONFAILING(*(uint16_t*)0x20f78ffc = (uint16_t)0x9);
     NONFAILING(*(uint16_t*)0x20f78ffe = (uint16_t)0x7);
-    r2[17] = execute_syscall(__NR_ioctl, r2[5], 0x5609ul, 0x20f78ffaul, 0,
-                            0, 0, 0, 0, 0);
     break;
   case 8:
     r2[18] =
@@ -273,8 +269,6 @@
     NONFAILING(*(uint16_t*)0x20f70002 = (uint16_t)0x2);
     NONFAILING(*(uint16_t*)0x20f70004 = (uint16_t)0xd1e);
     NONFAILING(*(uint16_t*)0x20f70006 = (uint16_t)0x7);
-    r2[34] = execute_syscall(__NR_ioctl, r2[5], 0x5414ul, 0x20f70000ul, 0,
-                            0, 0, 0, 0, 0);
     break;
   }
   return 0;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ