lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Jul 2018 21:56:56 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com,
        Eric Van Hensbergen <ericvh@...il.com>,
        Ron Minnich <rminnich@...dia.gov>,
        Latchesar Ionkov <lucho@...kov.net>,
        Jens Axboe <axboe@...nel.dk>,
        Bart Van Assche <bart.vanassche@....com>,
        David Miller <davem@...emloft.net>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        Sagi Grimberg <sagi@...mberg.me>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        kasan-dev <kasan-dev@...glegroups.com>
Subject: Re: general protection fault in in_aton

On Tue, Jul 10, 2018 at 9:44 PM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
> On Tue, Jul 10, 2018 at 12:19 PM syzbot
> <syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com> wrote:
>> RIP: 0010:in_aton+0x3e/0x180 net/core/utils.c:63
>
> That's
>
>                 if (*str != '\0') {
>
> in in_aton().
>
> The code disassembles to
>
>         movzbl (%rax,%r15,1),%eax
>
> which is a bit odd, because
>
>> RAX: 0000000000000000
>
> Ok, NULL pointer, looks sane, but:
>
>> R15: dffffc0000000000
>
> Yeah, that's unusual. But I'm guessing it's some KASAN artifact. One
> of the big problemns with KASAN is that it makes the generated code
> completely illegible because 90% of the code is just KASAN overhead.


Yes, there is a problem with paging faults under KASAN.
For more complex bugs like use-after-frees and out-of-bounds there is
usually no need to look at disasm at all because KASAN provides all
relevant info in the report (actual access address, object start,
object size, where is was allocated/freed). But for paging faults
(notably NULL derefs), that's handled by the standard handler which
does not know about KASAN (except for printing "kasan: GPF could be
caused by NULL-ptr deref or user memory access"). Long time ago I
asked if it's possible to get the fault address in the handler, but I
got reply that it's close to impossible.

What KASAN does is reasonably simple: before each access to address
ADDR it inserts:

if (*(0xdffffc0000000000 + ADDR/8))
        report_error();
... *ADDR ... // original access

So if we would have the fault address, and we see that it's
[0xdffffc0000000000; 0xdffffc0000000000+PAGE_SIZE/8), then we could
simply say that it's NULL deref.

Is it really hard to get fault address? I know that userspace
generally receives fault address in siginfo.


>> Call Trace:
>>   rdma_create_trans+0xdbe/0x1ed0 net/9p/trans_rdma.c:678
>
> Well, rdma_create_trans() certainly doesn't verify 'addr' before using it.
>
>>   p9_client_create+0x915/0x16c9 net/9p/client.c:1062
>
> p9_client_create() just blindly passes on "dev_name"
>
>>   v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
>>   v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
>
> .. as does v9fs_session_init() and v9fs_mount()
>
>>   mount_fs+0xae/0x328 fs/super.c:1277
>>   vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
>>   vfs_kern_mount fs/namespace.c:1027 [inline]
>>   do_new_mount fs/namespace.c:2518 [inline]
>>   do_mount+0x581/0x30e0 fs/namespace.c:2848
>
> This is "name" in mount_fs(), vfs_kern_mount(), do_new_mount() and
> do_mount(), also just passed through.
>
>>   __do_compat_sys_mount fs/compat.c:125 [inline]
>>   __se_compat_sys_mount fs/compat.c:92 [inline]
>>   __ia32_compat_sys_mount+0x5d5/0x860 fs/compat.c:92
>
> And here we have the source:
>
>         kernel_dev = copy_mount_string(dev_name);
>
> Note that copy_mount_string() just passes a NULL user space pointer
> through as a NULL kernel pointer (otherwise it does a
> "strndup_user()".
>
> And no, this is not a compat issue. The native mount does the same thing.
>
> So yes. The device name can trivially be NULL, and either rdma or the
> p9 code should check for NULL.
>
> Adding in the 9p people, because I think it's for them. Note the
> syzbot info below.
>
>                Linus
>
> --
>
> syzbot found the following crash on:
>
> HEAD commit:    092150a25cb7 Merge branch 'for-linus' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1687b168400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
> dashboard link: https://syzkaller.appspot.com/bug?extid=2a831e062bb4aebd8755
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> userspace arch: i386
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158cc2c2400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16e7ef48400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CA%2B55aFyEZR%3Dv2GySzWWF3uh9ZB53CFFv460Wzg4n8DGze8GFfw%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ