| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Nov 2017 21:05:25 +0900
From: Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
Fengguang Wu <fengguang.wu@...el.com>,
LKML <linux-kernel@...r.kernel.org>,
Petr Mladek <pmladek@...e.com>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Aleksey Makarov <aleksey.makarov@...aro.org>,
Ingo Molnar <mingo@...nel.org>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>
Subject: Re: [devkmsg_write] BUG: KASAN: slab-out-of-bounds in
copyin+0xea/0x170
On (11/07/17 12:09), Dmitry Vyukov wrote:
> > On (11/07/17 17:39), Fengguang Wu wrote:
[..]
> > devkmsg_write() does
> >
> > buf = kmalloc(len+1, GFP_KERNEL);
> > ...
> > kfree(buf);
> >
> > kasan reports that this kfree() is actually happening in unpack_to_rootfs(),
> > before we do copy_from_iter_full().
>
>
> Please ignore the free stack. For slab-out-of-bound bugs the object is
> not actually freed and KASAN prints the free stack where it was freed
> before it was re-allocated as new object.
ah, ok.
> Can that len+1 overflow? Is it checked?
hm, I don't think it overflows there.
__kernel_write()
__vfs_write()
new_sync_write()
__kernel_write() makes sure that if count > MAX_RW_COUNT then
count = MAX_RW_COUNT.
-ss
Powered by blists - more mailing lists