lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 24 Oct 2017 19:46:16 -0400
From:   Dave Jones <davej@...emonkey.org.uk>
To:     Tyler Hicks <tyhicks@...onical.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Linux Kernel <linux-kernel@...r.kernel.org>
Subject: out of bounds strscpy from seccomp_actions_logged_handler

(Triggered with trinity, but it seems just a 'cat
/proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).


BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883

CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1 
Call Trace:
 dump_stack+0xbc/0x145
 ? dma_virt_map_sg+0xfb/0xfb
 print_address_description+0x2d/0x260
 kasan_report+0x277/0x360
 ? strscpy+0x133/0x2d0
 strscpy+0x133/0x2d0
 ? strcasecmp+0xb0/0xb0
 seccomp_actions_logged_handler+0x2c5/0x440
 ? seccomp_send_sigsys+0xd0/0xd0
 ? lock_downgrade+0x310/0x310
 ? lock_release+0x890/0x890
 ? do_raw_spin_unlock+0x147/0x220
 ? do_raw_spin_trylock+0x100/0x100
 ? do_raw_spin_trylock+0x40/0x100
 ? do_raw_spin_lock+0x110/0x110
 proc_sys_call_handler+0x1b1/0x1f0
 ? seccomp_send_sigsys+0xd0/0xd0
 ? proc_sys_readdir+0x6d0/0x6d0
 do_iter_read+0x23b/0x280
 vfs_readv+0x107/0x180
 ? compat_rw_copy_check_uvector+0x1d0/0x1d0
 ? native_sched_clock+0xf9/0x1a0
 ? cyc2ns_read_end+0x10/0x10
 ? __fget_light+0x181/0x200
 ? fget_raw+0x10/0x10
 ? __lock_is_held+0x2e/0xd0
 ? rcu_read_lock_sched_held+0x90/0xa0
 ? __context_tracking_exit.part.4+0x223/0x290
 ? context_tracking_recursion_enter+0x50/0x50
 ? __task_pid_nr_ns+0x1c4/0x300
 ? do_preadv+0xb0/0xf0
 do_preadv+0xb0/0xf0
 ? SyS_preadv+0x10/0x10
 do_syscall_64+0x182/0x400
 ? syscall_return_slowpath+0x270/0x270
 ? rcu_read_lock_sched_held+0x90/0xa0
 ? __context_tracking_exit.part.4+0x223/0x290
 ? mark_held_locks+0x1b/0xa0
 ? return_from_SYSCALL_64+0x2d/0x7a
 ? trace_hardirqs_on_caller+0x17a/0x250
 ? trace_hardirqs_on_thunk+0x1a/0x1c
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f52d5f45219
RSP: 002b:00007fff8a422838 EFLAGS: 00000246
 ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000

The buggy address belongs to the variable:
 kdb_rwtypes+0x1268/0x1320

Memory state around the buggy address:
 ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
                                  ^
 ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
 ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
==================================================================
Disabling lock debugging due to kernel taint

Powered by blists - more mailing lists