| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Feb 2018 05:57:20 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: syzbot <syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com>,
Alexey Dobriyan <adobriyan@...il.com>,
Arnd Bergmann <arnd@...db.de>,
Dave Jiang <dave.jiang@...el.com>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller-bugs@...glegroups.com, Al Viro <viro@...iv.linux.org.uk>,
David Rientjes <rientjes@...gle.com>
Subject: Re: WARNING: kmalloc bug in relay_open_buf
On Wed, Feb 7, 2018 at 12:21 AM, Andrew Morton
<akpm@...ux-foundation.org> wrote:
> On Tue, 06 Feb 2018 14:58:02 -0800 syzbot <syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com> wrote:
>
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> e237f98a9c134c3d600353f21e07db915516875b (Mon Feb 5 21:35:56 2018 +0000)
>> Merge tag 'xfs-4.16-merge-5' of
>> git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
>>
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+7525b19f9531f76b8b1e@...kaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> audit: type=1400 audit(1517939984.452:7): avc: denied { map } for
>> pid=4159 comm="syzkaller032522" path="/root/syzkaller032522586" dev="sda1"
>> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>> WARNING: CPU: 0 PID: 4159 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
>> mm/slab_common.c:1012
>> Kernel panic - not syncing: panic_on_warn set ...
>
>
> David sent a fix today which I believe will address this.
Thanks
Let's tell syzbot about the fix:
#syz fix: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
> From: David Rientjes <rientjes@...gle.com>
> Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
>
> chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
> of chan->n_subbufs * sizeof(size_t *).
>
> kmalloc_slab() will generate a warning when this fails if
> chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.
>
> Limit chan->n_subbufs to the maximum allowed kmalloc() size.
>
> Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
> Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
> Signed-off-by: David Rientjes <rientjes@...gle.com>
> Reviewed-by: Andrew Morton <akpm@...ux-foundation.org>
> Cc: Jens Axboe <axboe@...nel.dk>
> Cc: Dave Jiang <dave.jiang@...el.com>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Dan Carpenter <dan.carpenter@...cle.com>
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> ---
>
> kernel/relay.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff -puN kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size kernel/relay.c
> --- a/kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size
> +++ a/kernel/relay.c
> @@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu
> {
> struct rchan_buf *buf;
>
> - if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
> + if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
> return NULL;
>
> buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
Powered by blists - more mailing lists