lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Ypt_a4oRZewSqDeaKBscaWeVK-oY0RdN1vLoY6MUaLcA@mail.gmail.com>
Date:   Wed, 1 Feb 2017 16:26:58 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     David Howells <dhowells@...hat.com>
Cc:     james.l.morris@...cle.com, serge@...lyn.com,
        keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: keys: GPF in request_key

On Wed, Feb 1, 2017 at 3:54 PM, David Howells <dhowells@...hat.com> wrote:
> Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
>> > Can you disassemble this function for me?  There are several possible paths
>> > and without the argument to the syscall and whether there's a key that was
>> > matched, it's hard to say which path is being taken - but this might help
>> > determine that.
>>
>> Here it is:
>> https://gist.githubusercontent.com/dvyukov/65efc41d00ef0033f9374853b9265c71/raw/9d8540dfb199b81f3d3534ec4cc6da378d07f5b2/gistfile1.txt
>
> Okay, it's called from here:
>
> ffffffff820490fd:       lea    -0x1b0(%rbp),%rdi
> ffffffff82049104:       callq  ffffffff82047800 <construct_get_dest_keyring>
> ffffffff82049109:       mov    -0x1b0(%rbp),%rdi
> ffffffff82049110:       mov    %r15,%rsi
> ffffffff82049113:       callq  ffffffff8203efd0 <key_link>  <---
> ffffffff82049118:       mov    -0x1b0(%rbp),%rdi
> ffffffff8204911f:       mov    %eax,%r14d
> ffffffff82049122:       callq  ffffffff82037ab0 <key_put>
>
> Which should correspond to this:
>
>         key_ref = search_process_keyrings(&ctx);
>
>         if (!IS_ERR(key_ref)) {
>                 key = key_ref_to_ptr(key_ref);
>                 if (dest_keyring) {
>                         construct_get_dest_keyring(&dest_keyring);
>                         ret = key_link(dest_keyring, key);  <---
>                         key_put(dest_keyring);
>                         if (ret < 0) {
>                                 key_put(key);
>                                 key = ERR_PTR(ret);
>                                 goto error_free;
>                         }
>                 }
>
> which means that the search was successful, the requested key already exists
> and there was a destination keyring nominated by userspace.  The first
> conditional clause of construct_get_dest_keyring() must've been true:
>
>         struct key *dest_keyring = *_dest_keyring
>         ...
>         if (dest_keyring) {
>                 /* the caller supplied one */
>                 key_get(dest_keyring);
>         } else {
>
> because it matches the containing if-condition in the calling function.
>
>> I actually know what were the arguments to the syscall. Since it
>> happened in a user process context, I know what syzkaller program it
>> was running at the time of the crash. It's just they are not
>> reproducible. Here are the 3 programs, and they are almost equivalent
>> as far as I can see. It's in syzkaller format, but I hope you can
>> decipher it, it's just syscall names, address and data in hex:
>> https://gist.githubusercontent.com/dvyukov/19bd59ffa286a74b49ca2371b69d4c5c/raw/004eaaa58a4ca775c008591fbb94eae78f92ef86/gistfile1.txt
>
> add_key(&(0x7f0000d02000)="6465616400", ...
>
> What does the "6465616400" represent?  A string containing only numeric
> characters or are these 2-digit hex codes and the string is actually "dead"?

Yes, it is hex. The actual data passed to the syscall is "dead".

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ