lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jKNvUmgpqZdR+FEFRZZ34vfv5BPViCxZTGtkTiQ2Uy78w@mail.gmail.com>
Date:   Sat, 16 Dec 2017 15:31:01 -0800
From:   Kees Cook <keescook@...omium.org>
To:     syzbot 
        <bot+60f2c3a2a759796bd44ac3f94599ab78756b6a62@...kaller.appspotmail.com>
Cc:     keun-o.park@...kmatter.ae, Laura Abbott <labbott@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>,
        Mark Rutland <mark.rutland@....com>,
        Ingo Molnar <mingo@...nel.org>, syzkaller-bugs@...glegroups.com
Subject: Re: BUG: bad usercopy in ___sys_sendmsg

On Sat, Dec 16, 2017 at 12:29 PM, syzbot
<bot+60f2c3a2a759796bd44ac3f94599ab78756b6a62@...kaller.appspotmail.com>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 5c13e07580c8bd2af6aa902d6b62faa968c360bc
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.
>

The report before the BUG output is:

[  518.368426] usercopy: kernel memory overwrite attempt detected to
000000009919ac15 (kmalloc-1024) (960 bytes)

This looks like a heap overflow (the offset into the 1024 buffer isn't
being reported, so it's not clear how far it goes):

                if (copy_from_user(ctl_buf,
                                   (void __user __force *)msg_sys->msg_control,
                                   ctl_len))

I would expect the 960 to be ctl_len, though this somehow means the
earlier sock_kmalloc() and kmalloc() broke in some insane fashion.

A reproducer would be nice here; maybe there is some other corruption
happening that manifests as an overflow?

-Kees


>
> ------------[ cut here ]------------
> netlink: 'syz-executor2': attribute type 5 has an invalid length.
> kernel BUG at mm/usercopy.c:72!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 24150 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #153
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
> RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
> RSP: 0018:ffff8801cece7940 EFLAGS: 00010282
> RAX: 0000000000000061 RBX: ffffffff85328d40 RCX: 0000000000000000
> RDX: 0000000000000061 RSI: ffffc90003cae000 RDI: ffffed0039d9cf1c
> RBP: ffff8801cece7a30 R08: ffff8801cece71a8 R09: 0000000000000000
> R10: 00000000712bcb5c R11: 0000000000000000 R12: ffffffff85328d00
> R13: ffff8801cb8936d0 R14: 00000000000003c0 R15: ffffea00072e2480
> FS:  00007f8422fd6700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000558e50e10460 CR3: 000000019cd91000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  check_object_size include/linux/thread_info.h:112 [inline]
>  check_copy_size include/linux/thread_info.h:143 [inline]
>  copy_from_user include/linux/uaccess.h:146 [inline]
>  ___sys_sendmsg+0x58f/0x8a0 net/socket.c:2003
>  __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2116
>  SYSC_sendmmsg net/socket.c:2147 [inline]
>  SyS_sendmmsg+0x35/0x60 net/socket.c:2142
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x452a39
> RSP: 002b:00007f8422fd5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 00007f8422fd6700 RCX: 0000000000452a39
> RDX: 0000000000000006 RSI: 000000002077ce98 RDI: 0000000000000015
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> R13: 0000000000a6f7ff R14: 00007f8422fd69c0 R15: 0000000000000000
> Code: 48 0f 44 da e8 e0 6e c2 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
> 89 e2 48 89 de 48 c7 c7 00 8e 32 85 49 89 c0 e8 e6 2c ac ff <0f> 0b 48 c7 c0
> c0 8b 32 85 eb 96 48 c7 c0 00 8c 32 85 eb 8d 48
> RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801cece7940
> RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801cece7940
> ---[ end trace 22ce313ea80c715c ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@...glegroups.com.
> Please credit me with: Reported-by: syzbot <syzkaller@...glegroups.com>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.



-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ