lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 28 Dec 2016 16:40:16 -0500
From:   Dave Jones <davej@...emonkey.org.uk>
To:     Kees Cook <keescook@...omium.org>
Cc:     Linux Kernel <linux-kernel@...r.kernel.org>
Subject: sg_io HARDENED_USERCOPY_PAGESPAN trace

One of my machines won't boot 4.10rc1, because it hit this:

usercopy: kernel memory overwrite attempt detected to ffff88042601cff8 (<spans multiple pages>) (12 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:75!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 5 PID: 483 Comm: ata_id Not tainted 4.10.0-rc1-backup-debug+
task: ffff880427bd2ec0 task.stack: ffffc900011d0000
RIP: 0010:__check_object_size+0xf4/0x316
RSP: 0018:ffffc900011d3b28 EFLAGS: 00010282
RAX: 000000000000006a RBX: ffff88042601cff8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88043dd4cc28 RDI: ffff88043dd4cc28
RBP: ffffc900011d3b60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 000000000000000c
R13: ffffea0010980700 R14: 0000000000000000 R15: ffff88042601d004
FS:  00007f05c3011b40(0000) GS:ffff88043dd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f05c270ca30 CR3: 0000000427b38000 CR4: 00000000001406e0
Call Trace:
 sg_io+0x113/0x470
 ? __might_fault+0x43/0xa0
 ? __check_object_size+0x11b/0x316
 scsi_cmd_ioctl+0x335/0x4d0
 ? __might_sleep+0x4b/0x90
 scsi_cmd_blk_ioctl+0x42/0x50
 sd_ioctl+0x85/0x110
 blkdev_ioctl+0x53b/0xa20
 block_ioctl+0x3d/0x50
 do_vfs_ioctl+0xa3/0x730
 ? __context_tracking_exit.part.6+0x4a/0x190
 ? __seccomp_filter+0x67/0x220
 SyS_ioctl+0x41/0x70
 do_syscall_64+0x7b/0x700
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f05c271bcc7
RSP: 002b:00007ffe1559d8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f05c271bcc7
RDX: 00007ffe1559d930 RSI: 0000000000002285 RDI: 0000000000000003
RBP: 000056259fdfd010 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f05c3011b40 R11: 0000000000000246 R12: 00007ffe1559ef1c
R13: 00007ffe1559db90 R14: 0000000000000003 R15: 0000000000000000
Code: f9 01 00 00 49 c7 c0 3d 86 ef 8e 48 c7 c2 50 63 f0 8e 48 c7 c6 ed f4 ee 8e 4d 89 e1 48 89 d9 48 c7 c7 b0 58 ef 8e e8 fc f3 f9 ff <0f> 0b 4c 89 ea 4c 89 e6 48 89 df e8 3c b4 ff ff 48 85 c0 49 89 
RIP: __check_object_size+0xf4/0x316 RSP: ffffc900011d3b28
usercopy: kernel memory overwrite attempt detected to ffff88042624cff8 (<spans multiple pages>) (16 bytes)

For now I've disabled HARDENED_USERCOPY_PAGESPAN.  I suspect this only
showed up on the one machine because it's got a RAID6 array, and I don't
use md anywhere else.

	Dave

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ