lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 24 Oct 2017 18:54:25 -0500
From:   Tyler Hicks <tyhicks@...onical.com>
To:     Dave Jones <davej@...emonkey.org.uk>
Cc:     Kees Cook <keescook@...omium.org>,
        Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: out of bounds strscpy from seccomp_actions_logged_handler

On 10/24/2017 06:46 PM, Dave Jones wrote:
> (Triggered with trinity, but it seems just a 'cat
> /proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).

Hi Dave - Thanks for the report. This is a false positive that was
previously discussed here:

https://lkml.kernel.org/r/<20171010182805.52b9b2af@...uba.netronome.com>

Tyler

> 
> 
> BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
> Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883
> 
> CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1 
> Call Trace:
>  dump_stack+0xbc/0x145
>  ? dma_virt_map_sg+0xfb/0xfb
>  print_address_description+0x2d/0x260
>  kasan_report+0x277/0x360
>  ? strscpy+0x133/0x2d0
>  strscpy+0x133/0x2d0
>  ? strcasecmp+0xb0/0xb0
>  seccomp_actions_logged_handler+0x2c5/0x440
>  ? seccomp_send_sigsys+0xd0/0xd0
>  ? lock_downgrade+0x310/0x310
>  ? lock_release+0x890/0x890
>  ? do_raw_spin_unlock+0x147/0x220
>  ? do_raw_spin_trylock+0x100/0x100
>  ? do_raw_spin_trylock+0x40/0x100
>  ? do_raw_spin_lock+0x110/0x110
>  proc_sys_call_handler+0x1b1/0x1f0
>  ? seccomp_send_sigsys+0xd0/0xd0
>  ? proc_sys_readdir+0x6d0/0x6d0
>  do_iter_read+0x23b/0x280
>  vfs_readv+0x107/0x180
>  ? compat_rw_copy_check_uvector+0x1d0/0x1d0
>  ? native_sched_clock+0xf9/0x1a0
>  ? cyc2ns_read_end+0x10/0x10
>  ? __fget_light+0x181/0x200
>  ? fget_raw+0x10/0x10
>  ? __lock_is_held+0x2e/0xd0
>  ? rcu_read_lock_sched_held+0x90/0xa0
>  ? __context_tracking_exit.part.4+0x223/0x290
>  ? context_tracking_recursion_enter+0x50/0x50
>  ? __task_pid_nr_ns+0x1c4/0x300
>  ? do_preadv+0xb0/0xf0
>  do_preadv+0xb0/0xf0
>  ? SyS_preadv+0x10/0x10
>  do_syscall_64+0x182/0x400
>  ? syscall_return_slowpath+0x270/0x270
>  ? rcu_read_lock_sched_held+0x90/0xa0
>  ? __context_tracking_exit.part.4+0x223/0x290
>  ? mark_held_locks+0x1b/0xa0
>  ? return_from_SYSCALL_64+0x2d/0x7a
>  ? trace_hardirqs_on_caller+0x17a/0x250
>  ? trace_hardirqs_on_thunk+0x1a/0x1c
>  entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x7f52d5f45219
> RSP: 002b:00007fff8a422838 EFLAGS: 00000246
>  ORIG_RAX: 0000000000000147
> RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
> RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
> RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
> R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000
> 
> The buggy address belongs to the variable:
>  kdb_rwtypes+0x1268/0x1320
> 
> Memory state around the buggy address:
>  ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>> ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
>                                   ^
>  ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
>  ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
> ==================================================================
> Disabling lock debugging due to kernel taint
> 




Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists