lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 02 Jul 2018 09:10:27 +0800
From:   Ian Kent <raven@...maw.net>
To:     tomas <tomasbortoli@...il.com>, autofs@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in
 getname_kernel

On Mon, 2018-07-02 at 00:04 +0200, tomas wrote:
> Hi,
> 
> I've looked into this issue found by Syzbot and I made a patch:
> 
> https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425b1163

Umm ... oops!

Thanks for looking into this Tomas.

> 
> 
> The autofs subsystem does not check that the "path" parameter is present
> within the "param" struct passed by the userspace in case the
> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a
> path is always provided (though a path is not always present, as per how
> the struct is defined:
> https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_dev-ioct
> l.h#L89).
> Skipping the check provokes an oob read in "strlen", called by
> "getname_kernel", in turn called by the autofs to assess the length of
> the non-existing path.
> 
> To solve it, modify the "validate_dev_ioctl" function to check also that
> a path has been provided if the command is AUTOFS_DEV_IOCTL_OPENMOUNT_CMD.
> 
> 
> --- b/fs/autofs/dev-ioctl.c    2018-07-01 23:10:16.059728621 +0200
> +++ a/fs/autofs/dev-ioctl.c    2018-07-01 23:10:24.311792133 +0200
> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s
>              goto out;
>          }
>      }
> +    /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */
> +    else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD)
> +        return -EINVAL;

My preference is to put the comment inside the else but ...

There's another question, should the check be done in
autofs_dev_ioctl_openmount() in the same way it's checked in other
ioctls that need a path, such as in autofs_dev_ioctl_requester()
and autofs_dev_ioctl_ismountpoint()?

For consistency I'd say it should.

>  
>      err = 0;
>  out:
> 
> 
> Tested and solves the issue on Linus' main git tree.
> 
> 

Ian

Powered by blists - more mailing lists