| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <38c5a8ad-c192-74b9-b2ff-9eb2a3386930@gmail.com> Date: Mon, 2 Jul 2018 00:04:10 +0200 From: tomas <tomasbortoli@...il.com> To: raven@...maw.net, autofs@...r.kernel.org Cc: linux-kernel@...r.kernel.org, syzkaller@...glegroups.com Subject: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel Hi, I've looked into this issue found by Syzbot and I made a patch: https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425b1163 The autofs subsystem does not check that the "path" parameter is present within the "param" struct passed by the userspace in case the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a path is always provided (though a path is not always present, as per how the struct is defined: https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_dev-ioctl.h#L89). Skipping the check provokes an oob read in "strlen", called by "getname_kernel", in turn called by the autofs to assess the length of the non-existing path. To solve it, modify the "validate_dev_ioctl" function to check also that a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD. --- b/fs/autofs/dev-ioctl.c 2018-07-01 23:10:16.059728621 +0200 +++ a/fs/autofs/dev-ioctl.c 2018-07-01 23:10:24.311792133 +0200 @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s goto out; } } + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */ + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD) + return -EINVAL; err = 0; out: Tested and solves the issue on Linus' main git tree. Tomas
Powered by blists - more mailing lists