| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Dec 2017 22:14:33 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Cheng Jian <cj.chengjian@...wei.com>
Cc: <ananth@...ux.vnet.ibm.com>, <anil.s.keshavamurthy@...el.com>,
<davem@...emloft.net>, <linux-kernel@...r.kernel.org>,
<xiexiuqi@...wei.com>, <huawei.libin@...wei.com>
Subject: Re: [PATCH] kprobe : fix out-of-bounds in register_kretprobe when
parsing negative data_size
On Wed, 13 Dec 2017 20:27:21 +0800
Cheng Jian <cj.chengjian@...wei.com> wrote:
> When we register kretprobe, data_size used to allocate space
> for storing per-instance private data.
>
> If we use a negative values as data_size, It will register
> successfully, then cause slab-out-of-bounds which can be
> found by KASAN.
>
> The call trace is like :
>
> =============================================================
> BUG: KASAN: slab-out-of-bounds in trampoline_probe_handler
> +0xb4/0x2f0 at addr ffff8000b732a7a0
> Read of size 8 by task sh/1945
> =============================================================
> BUG kmalloc-64 (Tainted: G B W OE ):
> kasan: bad access detected
> -------------------------------------------------------------
> INFO: Allocated in register_kretprobe+0x12c/0x350
> age=157 cpu=4 pid=1947
> ......
> INFO: Freed in do_one_initcall+0x110/0x260
> age=169 cpu=4 pid=1947
> ......
> INFO: Slab 0xffff7bffc2dcca80 objects=21 used=10
> fp=0xffff8000b732aa80 flags=0x7fff00000004080
> INFO: Object 0xffff8000b732a780 @offset=1920 fp=0x (null)
>
> CPU: 7 PID: 1945 Comm: sh Tainted: G B W OE 4.1.46 #8
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> [<0008d2a0>] dump_backtrace+0x0/0x220
> [<0008d4e0>] show_stack+0x20/0x30
> [<00ff2278>] dump_stack+0xa8/0xcc
> [<002dc6c8>] print_trailer+0xf8/0x160
> [<002e20d8>] object_err+0x48/0x60
> [<002e48dc>] kasan_report+0x26c/0x5a0
> [<002e39a0>] __asan_load8+0x60/0x80
> [<01000054>] trampoline_probe_handler+0xb4/0x2f0
> [<00ffff38>] kretprobe_trampoline+0x54/0xbc
> Memory state around the buggy address:
> b732a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> b732a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >b732a780: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
> ^
>
> If data_size is invalid, then we should not register it.
Good catch!
Anyway, this influence is limited because this interface is
only exposed to custom kernel modules. So only roots can
shoot in the foot.
Acked-by: Masami Hiramatsu <mhiramat@...nel.org>
Thank you!
>
> Signed-off-by: Cheng Jian <cj.chengjian@...wei.com>
> Reported-by: Kong ZhangHuan <kongzhanghuan@...wei.com>
> ---
> kernel/kprobes.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/kprobes.c b/kernel/kprobes.c
> index da2ccf1..8002f28 100644
> --- a/kernel/kprobes.c
> +++ b/kernel/kprobes.c
> @@ -1924,6 +1924,9 @@ int register_kretprobe(struct kretprobe *rp)
> int i;
> void *addr;
>
> + if ((ssize_t)rp->data_size < 0)
> + return -EINVAL;
> +
> if (!kprobe_on_func_entry(rp->kp.addr, rp->kp.symbol_name, rp->kp.offset))
> return -EINVAL;
>
> --
> 1.8.3.1
>
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists