| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161205190339.GK1555@ZenIV.linux.org.uk>
Date: Mon, 5 Dec 2016 19:03:39 +0000
From: Al Viro <viro@...IV.linux.org.uk>
To: Johannes Thumshirn <jthumshirn@...e.de>
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
syzkaller <syzkaller@...glegroups.com>,
Doug Gilbert <dgilbert@...erlog.com>, jejb@...ux.vnet.ibm.com,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi <linux-scsi@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, axboe@...nel.dk,
linux-block@...r.kernel.org, David Rientjes <rientjes@...gle.com>,
Hannes Reinecke <hare@...e.de>, mhocko@...e.cz
Subject: Re: scsi: use-after-free in bio_copy_from_iter
On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote:
> 633 hp = &srp->header;
> [...]
> 646 hp->dxferp = (char __user *)buf + cmd_size;
> So the memory for hp->dxferp comes from:
> 633 hp = &srp->header;
????
> >From my debug instrumentation I see that the dxferp ends up in the
> iovec_iter's kvec->iov_base and the faulting address is always dxferp + n *
> 4k with n in [1, 16] (and we're copying 16 4k pages from the iovec into the
> bio).
_Address_ of hp->dxferp comes from that assignment; the value is 'buf'
argument of sg_write() + small offset. In this case, it should point
inside a pipe buffer, which is, indeed, at a kernel address. Who'd
allocated srp is irrelevant.
And if you end up dereferencing more than one page worth there, you do have
a problem - pipe buffers are not going to be that large. Could you slap
WARN_ON((size_t)input_size > count);
right after the calculation of input_size in sg_write() and see if it triggers
on your reproducer?
Powered by blists - more mailing lists