lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 4 Jun 2018 13:22:37 -0700
From:   shankarapailoor <shankarapailoor@...il.com>
To:     Dave Kleikamp <dave.kleikamp@...cle.com>
Cc:     jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: Slab out of bounds in setxattr

Hi Dave,

I've updated the patch accordingly.

Regards,
Shankara

On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp <dave.kleikamp@...cle.com> wrote:
> On 06/04/2018 01:30 PM, shankarapailoor wrote:
>> Hi Dave,
>>
>> Attached is my proposed patch. It solves the problem as you suggest
>> and I don't see the KASAN complaint.
>
> That looks good to me. Add a description and a Signed-off-by: and I'll
> get it pushed upstream.
>
> Thanks for finding this.
>
> Shaggy
>
>>
>> Regards,
>> Shankara
>>
>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp <dave.kleikamp@...cle.com> wrote:
>>> On 06/01/2018 11:06 PM, shankarapailoor wrote:
>>>> Hi,
>>>>
>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE
>>>> then e_buf->max_size is rounded up nearest page size [1]. If a new
>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then
>>>> no new space is allocated for the attiribute list [2] and this
>>>> triggers the KASAN slab out of bounds error. This is the case in the C
>>>> repro I provided.
>>>
>>> I see the problem. It looks like we should be calculating max_size
>>> earlier and using that to call kmalloc(). (xattr.c#496)
>>>
>>> Shaggy
>>>>
>>>>
>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501
>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723
>>>>
>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor
>>>> <shankarapailoor@...il.com> wrote:
>>>>> Hi Dave et al,
>>>>>
>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller  KASAN:
>>>>> slab-out-of-bounds in jfs_xattr.
>>>>>
>>>>> Attached are my kernel configs and a C reproducer. In the first
>>>>> setxattr call it appears that length is much larger than the name. In
>>>>> __jfs_setxattr, I don't see where the length is checked against the
>>>>> actual value length.
>>>>>
>>>>> Regards,
>>>>> Shankara Pailoor



-- 
Regards,
Shankara Pailoor

Download attachment "jfspatch" of type "application/octet-stream" (905 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ