lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8a670028-cf7e-3ab7-5478-2a676e787241@gmail.com>
Date:   Tue, 7 Mar 2017 19:33:29 +0200
From:   Nikolay Borisov <n.borisov.lkml@...il.com>
To:     Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Andrey Ryabinin <aryabinin@...tuozzo.com>,
        LKML <linux-kernel@...r.kernel.org>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Kees Cook <keescook@...gle.com>
Subject: Re: kasan behavior when built with unsupported compiler



On  7.03.2017 18:05, Alexander Potapenko wrote:
> On Tue, Mar 7, 2017 at 4:54 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>> On Tue, Mar 7, 2017 at 4:35 PM, Nikolay Borisov
>> <n.borisov.lkml@...il.com> wrote:
>>> Hello,
>>>
>>> I've been chasing a particular UAF as reported by kasan
>>> (https://www.spinics.net/lists/kernel/msg2458136.html). However, one
>>> thing which I took notice of rather lately is that I was building my
>>> kernel with gcc 4.7.4 which is not supported by kasan as indicated by
>>> the following string:
>>>
>>> scripts/Makefile.kasan:19: Cannot use CONFIG_KASAN:
>>> -fsanitize=kernel-address is not supported by compiler
>>>
>>>
>>> Nevertheless, the kernel compiles and when I boot it I see the kasan
>>> splats as per the referenced thread. If, however, I build the kernel
>>> with a newer compiler version 5.4.0 kasan no longer complains.
>>>
>>>
>>> At this point I'm wondering whether the splats can be due to old
>>> compiler being used e.g. false positives or are they genuine splats and
>>> gcc 5 somehow obfuscates them ? Clearly despite the warning about not
>>> being able to use CONFIG_KASAN it is still working since I'm seeing the
>>> splats. Is this valid behavior ?
>>
>>
>> Hi,
>>
>> Re the message that kasan is not supported while it's still enabled in the end.
>> I think it's an issue related to gcc plugins. Originally kasan was
>> supported with 5.0+ thus the message. However, later we extended this
>> support to 4.5+ with gcc plugins. However, that confusing message from
>> build system was not fixed. So yes, it's confusing and it's something
>> to fix, but mostly you can just ignore it.
>>
>> Re false positives with 4.7. By default I would assume that it is true
>> positive. Should be easy to check with manual printfs.
>>
>> Re why 5.4 does not detect it. Difficult to say.
>> If you confirm that it's a real bug and provide repro instructions,
>> then I can recheck it with latest gcc. If it's a real bug and the
>> latest gcc does not detect it, then we need to look more closely at
>> it. I afraid 5.4 won't be fixed.
>> It's also possible that it's a false positive in the old compiler (I
>> think there were some bugs). If so, I would recommend switching to a
>> newer compiler.
> 
> I wonder if there's actual KASAN instrumentation in the kernel in
> question built with GCC 4.7.
> If there's none, there's little point in investigating this further,
> as the tool is anyway barely usable.
> Note that the report originates from something like copy_to_user() (or
> hard to tell the exact place - Nikolay, could you please symbolize the
> report?), i.e. it could be triggered even without KASAN
> instrumentation.

Of course there is kasan instrumentation, otherwise I won't see kasan reports, no ? 
I bisected this to commit 1771c6e1a567ea0ba2cc which adds user memory access API 
instrumentation. Here is a symbolized report: 

==================================================================
BUG: KASAN: slab-out-of-bounds in filldir+0xc8/0x170 at addr ffff88006a22560e
Read of size 20 by task systemd/1
=============================================================================
BUG kmalloc-96 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ext4_htree_store_dirent+0x3e/0x120 age=0 cpu=2 pid=1
[<        none        >] ___slab_alloc+0x636/0x6a0 mm/slub.c:2446
[<        none        >] __slab_alloc+0x4f/0x86 mm/slub.c:2475
[<     inline     >] slab_alloc_node mm/slub.c:2538
[<     inline     >] slab_alloc mm/slub.c:2580
[<        none        >] __kmalloc+0x27a/0x340 mm/slub.c:3561
[<     inline     >] kmalloc include/linux/slab.h:483
[<     inline     >] kzalloc include/linux/slab.h:622
[<        none        >] ext4_htree_store_dirent+0x3e/0x120 fs/ext4/dir.c:447
[<        none        >] htree_dirblock_to_tree+0x16a/0x190 fs/ext4/namei.c:1001
[<        none        >] ext4_htree_fill_tree+0xaa/0x310 fs/ext4/namei.c:1075
[<     inline     >] ext4_dx_readdir fs/ext4/dir.c:571
[<        none        >] ext4_readdir+0x698/0x950 fs/ext4/dir.c:121
[<        none        >] iterate_dir+0x7d/0x190 fs/readdir.c:50
[<     inline     >] SYSC_getdents fs/readdir.c:230
[<        none        >] SyS_getdents+0x91/0x120 fs/readdir.c:212
[<        none        >] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207

INFO: Freed in ext4_ext_map_blocks+0x7f9/0x23e0 age=1 cpu=2 pid=1
[<        none        >] __slab_free+0x31b/0x440 mm/slub.c:2657
[<     inline     >] slab_free mm/slub.c:2810
[<        none        >] kfree+0x27f/0x2d0 mm/slub.c:3662
[<        none        >] ext4_ext_map_blocks+0x7f9/0x23e0 fs/ext4/extents.c:4619
[<        none        >] ext4_map_blocks+0x3b4/0x5b0 fs/ext4/inode.c:529
[<        none        >] ext4_getblk+0x54/0x1a0 fs/ext4/inode.c:929
[<        none        >] ext4_bread+0x13/0x90 fs/ext4/inode.c:979
[<        none        >] __ext4_read_dirblock+0x3f/0x380 fs/ext4/namei.c:99
[<        none        >] htree_dirblock_to_tree+0x48/0x190 fs/ext4/namei.c:959
[<        none        >] ext4_htree_fill_tree+0xaa/0x310 fs/ext4/namei.c:1075
[<     inline     >] ext4_dx_readdir fs/ext4/dir.c:571
[<        none        >] ext4_readdir+0x698/0x950 fs/ext4/dir.c:121
[<        none        >] iterate_dir+0x7d/0x190 fs/readdir.c:50
[<     inline     >] SYSC_getdents fs/readdir.c:230
[<        none        >] SyS_getdents+0x91/0x120 fs/readdir.c:212
[<        none        >] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
INFO: Slab 0xffffea0001a88900 objects=20 used=17 fp=0xffff88006a224e10 flags=0x4080
INFO: Object 0xffff88006a2255e0 @offset=5600 fp=0x45b282a2484c60d4

Bytes b4 ffff88006a2255d0: 02 00 00 00 01 00 00 00 c9 ac fb ff 00 00 00 00  ................
Object ffff88006a2255e0: d4 60 4c 48 a2 82 b2 45 18 8a 82 6a 00 88 ff ff  .`LH...E...j....
Object ffff88006a2255f0: 38 51 22 6a 00 88 ff ff 88 8b 82 6a 00 88 ff ff  8Q"j.......j....
Object ffff88006a225600: 00 00 00 00 00 00 00 00 28 03 08 00 14 01 66 62  ........(.....fb
Object ffff88006a225610: 64 65 76 2d 62 6c 61 63 6b 6c 69 73 74 2e 63 6f  dev-blacklist.co
Object ffff88006a225620: 6e 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00  nf..............
Object ffff88006a225630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 2 PID: 1 Comm: systemd Tainted: G    B           4.7.0-nbor #171
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 0000000000000000 ffff88006cd97c58 ffffffff8146bd4c ffff8800000946c0
 ffff88006a2255e0 ffff88006cd97c88 ffffffff81198d96 ffff8800000946c0
 ffffea0001a88900 ffff88006a2255e0 0000000000000000 ffff88006cd97cb0
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff8146bd4c>] dump_stack+0x85/0xc9 lib/dump_stack.c:51
 [<ffffffff81198d96>] print_trailer+0x116/0x190 mm/slub.c:667
 [<ffffffff811992c1>] object_err+0x41/0x50 mm/slub.c:674
 [<     inline     >] print_address_description mm/kasan/report.c:180
 [<     inline     >] kasan_report_error mm/kasan/report.c:276
 [<ffffffff811a0a42>] kasan_report+0x282/0x530 mm/kasan/report.c:298
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff8119ffa7>] check_memory_region+0x137/0x160 mm/kasan/kasan.c:299
 [<ffffffff811a0041>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:304
 [<     inline     >] copy_to_user ./arch/x86/include/asm/uaccess.h:760
 [<ffffffff811ccc08>] filldir+0xc8/0x170 fs/readdir.c:195
 [<     inline     >] dir_emit include/linux/fs.h:3134
 [<ffffffff8124af38>] call_filldir+0x88/0x140 fs/ext4/dir.c:510
 [<     inline     >] ext4_dx_readdir fs/ext4/dir.c:586
 [<ffffffff8124b934>] ext4_readdir+0x714/0x950 fs/ext4/dir.c:121
 [<ffffffff811ccd2d>] iterate_dir+0x7d/0x190 fs/readdir.c:50
 [<     inline     >] SYSC_getdents fs/readdir.c:230
 [<ffffffff811ccf71>] SyS_getdents+0x91/0x120 fs/readdir.c:212
 [<ffffffff816d7d80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
Memory state around the buggy address:
 ffff88006a225500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88006a225580: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
>ffff88006a225600: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88006a225680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88006a225700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ