| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Dec 2017 14:47:34 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Stephen Smalley <sds@...ho.nsa.gov>
Cc: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
syzbot
<bot+015afdb01dbf2abb6a6bfdd5430b72e5503fca6d@...kaller.appspotmail.com>,
linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
syzkaller-bugs@...glegroups.com,
LKML <linux-kernel@...r.kernel.org>, dledford@...hat.com,
Matthias Kaehlcke <mka@...omium.org>, junil0814.lee@....com,
kyeongdon kim <kyeongdon.kim@....com>,
Paul Moore <pmoore@...hat.com>
Subject: Re: KASAN: slab-out-of-bounds Read in strcmp
On Mon, Dec 4, 2017 at 2:43 PM, Stephen Smalley <sds@...ho.nsa.gov> wrote:
> On Sun, 2017-12-03 at 20:33 +0900, Tetsuo Handa wrote:
>> On 2017/12/02 3:52, syzbot wrote:
>> > ==================================================================
>> > BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328
>> > Read of size 1 at addr ffff8801cd99d2c1 by task
>> > syzkaller242593/3087
>> >
>> > CPU: 0 PID: 3087 Comm: syzkaller242593 Not tainted 4.15.0-rc1-next-
>> > 20171201+ #57
>> > Hardware name: Google Google Compute Engine/Google Compute Engine,
>> > BIOS Google 01/01/2011
>> > Call Trace:
>> > __dump_stack lib/dump_stack.c:17 [inline]
>> > dump_stack+0x194/0x257 lib/dump_stack.c:53
>> > print_address_description+0x73/0x250 mm/kasan/report.c:252
>> > kasan_report_error mm/kasan/report.c:351 [inline]
>> > kasan_report+0x25b/0x340 mm/kasan/report.c:409
>> > __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
>> > strcmp+0x96/0xb0 lib/string.c:328
>>
>> This seems to be out of bound read for "scontext" at
>>
>> for (i = 1; i < SECINITSID_NUM; i++) {
>> if (!strcmp(initial_sid_to_string[i], scontext)) {
>> *sid = i;
>> return 0;
>> }
>> }
>>
>> because "initial_sid_to_string[i]" is "const char *".
>>
>> > security_context_to_sid_core+0x437/0x620
>> > security/selinux/ss/services.c:1420
>> > security_context_to_sid+0x32/0x40
>> > security/selinux/ss/services.c:1479
>> > selinux_setprocattr+0x51c/0xb50 security/selinux/hooks.c:5986
>> > security_setprocattr+0x85/0xc0 security/security.c:1264
>>
>> If "value" does not terminate with '\0' or '\n', "value" and
>> "size" are as-is passed to "scontext" and "scontext_len" above
>>
>> /* Obtain a SID for the context, if one was specified. */
>> if (size && str[0] && str[0] != '\n') {
>> if (str[size-1] == '\n') {
>> str[size-1] = 0;
>> size--;
>> }
>> error = security_context_to_sid(value, size, &sid,
>> GFP_KERNEL);
>>
>> which will allow strcmp() to trigger out of bound read when "size" is
>> larger than strlen(initial_sid_to_string[i]).
>>
>> Thus, I guess the simplest fix is to use strncmp() instead of
>> strcmp().
>
> Already fixed by
> https://www.spinics.net/lists/selinux/msg23589.html
Paul, please also follow this part:
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> Note: all commands must start from beginning of the line in the email body.
This will greatly help to keep overall process running. Thanks.
Powered by blists - more mailing lists