Open Source and information security mailing list archives
Date: Wed, 2 Nov 2016 22:29:47 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: "David S. Miller" <davem@...emloft.net>, Nicolas Dichtel <nicolas.dichtel@...nd.com>, LKML <linux-kernel@...r.kernel.org>, Matti Vaittinen <matti.vaittinen@...ia.com>, Tycho Andersen <tycho.andersen@...onical.com>, stephen hemminger <stephen@...workplumber.org>, Tom Herbert <tom@...bertland.com>, Florian Westphal <fw@...len.de>, netdev <netdev@...r.kernel.org>
Subject: Re: net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla

On Wed, Nov 2, 2016 at 10:25 PM, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Wed, Nov 2, 2016 at 5:25 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ==================================================================
>> BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
>> ffffffff8407e3ac
>> Read of size 2 by task a.out/3877
>> Address belongs to variable[< none >]
>> cgroupstats_cmd_get_policy+0xc/0x40 ??:?
>
> Seems taskstats doesn't use genetlink correctly, CGROUPSTATS_CMD_ATTR_FD
> is not within 0~TASKSTATS_CMD_ATTR_MAX.
>
> I guess we need the following patch, but it certainly breaks user-space... :-/

Wait, maybe just this one-line fix is enough:

diff --git a/kernel/taskstats.c b/kernel/taskstats.c
index b3f05ee..e6b342e 100644
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -54,7 +54,7 @@ static const struct nla_policy taskstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1
 	[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK] = { .type = NLA_STRING },
 	[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK] = { .type = NLA_STRING },};
 
-static const struct nla_policy cgroupstats_cmd_get_policy[CGROUPSTATS_CMD_ATTR_MAX+1] = {
+static const struct nla_policy cgroupstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1] = {
 	[CGROUPSTATS_CMD_ATTR_FD] = { .type = NLA_U32 },
 };
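Review bot: the one-line size change is the right fix, but it deserves a comment on the array, because the mismatch it repairs is between the table's length and the bound the validator walks, not the value of CGROUPSTATS_CMD_ATTR_FD. validate_nla() indexes the policy table by attribute type for every type up to the maxattr the family registers, which for this family is TASKSTATS_CMD_ATTR_MAX (the same bound taskstats_cmd_get_policy is sized with in the hunk header), so a table of only CGROUPSTATS_CMD_ATTR_MAX+1 entries is read past its end for any attribute type above CGROUPSTATS_CMD_ATTR_MAX, which is the 2-byte read at cgroupstats_cmd_get_policy+0xc in the report. With the "+" line the extra slots are zero-initialised, i.e. NLA_UNSPEC, so a cgroupstats request carrying a taskstats-numbered attribute is now accepted without a length check rather than faulting; that is the in-bounds behaviour the fix intends, but a future reader will see `cgroupstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1]` as a copy-paste slip and "correct" it back. Suggest a comment on the "+" line stating that the array length must equal the family's maxattr+1 regardless of which attributes the command actually uses.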
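As an added example, not code from this thread or from the kernel: a small user-space C model of the policy lookup that the KASAN report above trips, showing why an nla_policy table must have maxtype+1 entries when validation walks types up to maxtype. The attribute numbering (TASKSTATS_CMD_ATTR_MAX = 4, CGROUPSTATS_CMD_ATTR_FD = 1, CGROUPSTATS_CMD_ATTR_MAX = 1), the NLA_* type codes and the simplified NLA_STRING rule are assumptions of the model; the one deliberate difference from the kernel's validate_nla() is that validate_one() is also told the table's real length, so the short table is reported as an error instead of being read past its end.

```c
/* Added example, not kernel code: models validate_nla() indexing an
 * nla_policy table by attribute type up to the family's maxtype. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy entry types, numbered for the model (kernel values differ). */
enum { NLA_UNSPEC = 0, NLA_U32 = 1, NLA_STRING = 2 };
struct nla_policy { uint16_t type; uint16_t len; };

/* struct nlattr on the wire: u16 total length (incl. header), u16 type. */
#define NLA_HDRLEN    4
#define NLA_ALIGN(n)  (((n) + 3u) & ~3u)
#define NLA_TYPE_MASK 0x3fff   /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */

/* Attribute numbering assumed for the model (not shown on the page). */
enum { TASKSTATS_CMD_ATTR_MAX = 4 };
enum { CGROUPSTATS_CMD_ATTR_FD = 1, CGROUPSTATS_CMD_ATTR_MAX = 1 };

/* Buggy layout: sized by the cgroupstats max, validated with the taskstats max. */
static const struct nla_policy policy_short[CGROUPSTATS_CMD_ATTR_MAX + 1] = {
    [CGROUPSTATS_CMD_ATTR_FD] = { .type = NLA_U32 },
};
/* Fixed layout: sized by the family's max; the unused slots are NLA_UNSPEC. */
static const struct nla_policy policy_fixed[TASKSTATS_CMD_ATTR_MAX + 1] = {
    [CGROUPSTATS_CMD_ATTR_FD] = { .type = NLA_U32 },
};

/* Shape of validate_nla(): look policy[type] up for 1..maxtype and check the
 * payload against it. Unlike the kernel it also knows the table's length, so
 * a table shorter than maxtype+1 returns -2 instead of reading out of bounds. */
static int validate_one(uint16_t type, const uint8_t *payload, size_t attrlen,
                        const struct nla_policy *policy, size_t entries, int maxtype)
{
    type &= NLA_TYPE_MASK;
    if (type == 0 || type > maxtype)
        return 0;                      /* unknown types are skipped, as in the kernel */
    if ((size_t)type >= entries)
        return -2;                     /* policy table too short for this maxtype */
    switch (policy[type].type) {
    case NLA_U32:
        return attrlen == 4 ? 0 : -1;
    case NLA_STRING:                   /* simplified: non-empty and NUL-terminated */
        return (attrlen >= 1 && payload[attrlen - 1] == '\0') ? 0 : -1;
    default:                           /* NLA_UNSPEC: accepted without a length check */
        return 0;
    }
}

/* Walk a stream of nlattr TLVs and validate each one against the policy. */
static int validate_stream(const uint8_t *buf, size_t len, const struct nla_policy *policy,
                           size_t entries, int maxtype)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        uint16_t nla_len, nla_type;
        memcpy(&nla_len, buf + off, 2);
        memcpy(&nla_type, buf + off + 2, 2);
        if (nla_len < NLA_HDRLEN || off + nla_len > len)
            return -3;                 /* malformed length: stop walking */
        int err = validate_one(nla_type, buf + off + NLA_HDRLEN, nla_len - NLA_HDRLEN,
                               policy, entries, maxtype);
        if (err)
            return err;
        off += NLA_ALIGN(nla_len);
    }
    return 0;
}

/* Append one attribute to a constructed message; returns the new write offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    uint16_t nla_len = NLA_HDRLEN + dlen;
    memcpy(buf + off, &nla_len, 2);
    memcpy(buf + off + 2, &type, 2);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + NLA_ALIGN(nla_len);
}

/* Constructed message: a 4-byte FD attribute, then an attribute of type 3,
 * which is within 1..TASKSTATS_CMD_ATTR_MAX but beyond policy_short[]. */
static size_t build_message(uint8_t *buf, uint16_t fd_len)
{
    uint32_t fd = 3, extra = 0;
    size_t off = put_attr(buf, 0, CGROUPSTATS_CMD_ATTR_FD, &fd, fd_len);
    return put_attr(buf, off, 3, &extra, sizeof extra);
}

int demo_short_policy(void)        /* -2: the index the kernel would read past the table */
{
    uint8_t buf[64];
    size_t len = build_message(buf, 4);
    return validate_stream(buf, len, policy_short, CGROUPSTATS_CMD_ATTR_MAX + 1, TASKSTATS_CMD_ATTR_MAX);
}

int demo_fixed_policy(void)        /* 0: type 3 lands on an NLA_UNSPEC slot and is accepted */
{
    uint8_t buf[64];
    size_t len = build_message(buf, 4);
    return validate_stream(buf, len, policy_fixed, TASKSTATS_CMD_ATTR_MAX + 1, TASKSTATS_CMD_ATTR_MAX);
}

int demo_fixed_policy_bad_fd(void) /* -1: a 2-byte FD payload fails the NLA_U32 rule */
{
    uint8_t buf[64];
    size_t len = build_message(buf, 2);
    return validate_stream(buf, len, policy_fixed, TASKSTATS_CMD_ATTR_MAX + 1, TASKSTATS_CMD_ATTR_MAX);
}

int main(void)
{
    printf("short table: %d\nfixed table: %d\nfixed table, short FD: %d\n",
           demo_short_policy(), demo_fixed_policy(), demo_fixed_policy_bad_fd());
    return 0;
}
```

The kernel API has no `entries` parameter: the table length is implied by the maxattr the family registers, which is exactly why a table declared with a different bound (here CGROUPSTATS_CMD_ATTR_MAX+1 against a maxattr of TASKSTATS_CMD_ATTR_MAX) is only caught when a fuzzer sends the attribute type that indexes past it.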