lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 2 Nov 2016 22:29:47 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Matti Vaittinen <matti.vaittinen@...ia.com>,
        Tycho Andersen <tycho.andersen@...onical.com>,
        stephen hemminger <stephen@...workplumber.org>,
        Tom Herbert <tom@...bertland.com>,
        Florian Westphal <fw@...len.de>,
        netdev <netdev@...r.kernel.org>
Subject: Re: net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla

On Wed, Nov 2, 2016 at 10:25 PM, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Wed, Nov 2, 2016 at 5:25 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ==================================================================
>> BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
>> ffffffff8407e3ac
>> Read of size 2 by task a.out/3877
>> Address belongs to variable[<        none        >]
>> cgroupstats_cmd_get_policy+0xc/0x40 ??:?
>
> Seems taskstats doesn't use genetlink correctly, CGROUPSTATS_CMD_ATTR_FD
> is not within 0~TASKSTATS_CMD_ATTR_MAX.
>
> I guess we need the following patch, but it certainly breaks user-space... :-/


Wait, maybe just this one-line fix is enough:

diff --git a/kernel/taskstats.c b/kernel/taskstats.c
index b3f05ee..e6b342e 100644
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -54,7 +54,7 @@ static const struct nla_policy
taskstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1
        [TASKSTATS_CMD_ATTR_REGISTER_CPUMASK] = { .type = NLA_STRING },
        [TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK] = { .type = NLA_STRING },};

-static const struct nla_policy
cgroupstats_cmd_get_policy[CGROUPSTATS_CMD_ATTR_MAX+1] = {
+static const struct nla_policy
cgroupstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1] = {
        [CGROUPSTATS_CMD_ATTR_FD] = { .type = NLA_U32 },
 };

Powered by blists - more mailing lists