lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 3 Nov 2016 16:28:37 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Matti Vaittinen <matti.vaittinen@...ia.com>,
        Tycho Andersen <tycho.andersen@...onical.com>,
        stephen hemminger <stephen@...workplumber.org>,
        Tom Herbert <tom@...bertland.com>,
        Florian Westphal <fw@...len.de>,
        netdev <netdev@...r.kernel.org>
Subject: Re: net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla

Hi Cong,

Yes, the last patch fixes the issue.

Tested-by: Andrey Konovalov <andreyknvl@...gle.com>

Thanks!

On Thu, Nov 3, 2016 at 6:29 AM, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Wed, Nov 2, 2016 at 10:25 PM, Cong Wang <xiyou.wangcong@...il.com> wrote:
>> On Wed, Nov 2, 2016 at 5:25 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>>> Hi,
>>>
>>> I've got the following error report while running the syzkaller fuzzer:
>>>
>>> ==================================================================
>>> BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
>>> ffffffff8407e3ac
>>> Read of size 2 by task a.out/3877
>>> Address belongs to variable[<        none        >]
>>> cgroupstats_cmd_get_policy+0xc/0x40 ??:?
>>
>> Seems taskstats doesn't use genetlink correctly, CGROUPSTATS_CMD_ATTR_FD
>> is not within 0~TASKSTATS_CMD_ATTR_MAX.
>>
>> I guess we need the following patch, but it certainly breaks user-space... :-/
>
>
> Wait, maybe just this one-line fix is enough:
>
> diff --git a/kernel/taskstats.c b/kernel/taskstats.c
> index b3f05ee..e6b342e 100644
> --- a/kernel/taskstats.c
> +++ b/kernel/taskstats.c
> @@ -54,7 +54,7 @@ static const struct nla_policy
> taskstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1
>         [TASKSTATS_CMD_ATTR_REGISTER_CPUMASK] = { .type = NLA_STRING },
>         [TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK] = { .type = NLA_STRING },};
>
> -static const struct nla_policy
> cgroupstats_cmd_get_policy[CGROUPSTATS_CMD_ATTR_MAX+1] = {
> +static const struct nla_policy
> cgroupstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1] = {
>         [CGROUPSTATS_CMD_ATTR_FD] = { .type = NLA_U32 },
>  };

Powered by blists - more mailing lists