lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 13 Nov 2018 08:33:18 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     cai@....us
Cc:     linux-kernel@...r.kernel.org, selinux@...r.kernel.org,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Eric Paris <eparis@...isplace.org>
Subject: Re: BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x60/0x150

On Mon, Nov 12, 2018 at 10:11 PM Qian Cai <cai@....us> wrote:
> > On Nov 12, 2018, at 10:09 PM, Paul Moore <paul@...l-moore.com> wrote:
> >
> > On Mon, Nov 12, 2018 at 7:59 PM Qian Cai <cai@....us> wrote:
> >>> On Nov 12, 2018, at 7:41 PM, Paul Moore <paul@...l-moore.com> wrote:
> >>> On Mon, Nov 12, 2018 at 2:39 PM Qian Cai <cai@....us> wrote:
> >>>>
> >>>> Running the trinity fuzzer on the latest mainline (rc2) generates this,
> >>>>
> >>>> [15029.879626] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x60/0x150
> >>>> [15029.887275] Read of size 2 at addr ffff801ec53c5080 by task trinity-main/18081
> >>>> [15029.887294]
> >>>> [15029.887304] CPU: 28 PID: 18081 Comm: trinity-main Tainted: G        W  OE     4.20.0-rc2+ #15
> >>>> [15029.887311] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.50 06/01/2018
> >>>> [15000.084786] [15029.887320] Call trace:
> >>>> [15029.915511]  dump_backtrace+0x0/0x2c8
> >>>> [15029.920046]  show_stack+0x24/0x30
> >>>> [15029.923367]  dump_stack+0x118/0x19c
> >>>> [15029.927539]  print_address_description+0x68/0x2a0
> >>>> [15029.932245]  kasan_report+0x1b4/0x348
> >>>> [15029.938760]  __asan_load2+0x7c/0xa0
> >>>> [15029.945098]  selinux_sctp_bind_connect+0x60/0x150
> >>>>
> >>>> [15029.950571]  security_sctp_bind_connect+0x58/0x90
> >>>> [15029.955493]  __sctp_setsockopt_connectx+0x68/0x128 [sctp]
> >>>> [15029.960943]  sctp_setsockopt+0x764/0x2928 [sctp]
> >>>> [15029.965564]  sock_common_setsockopt+0x6c/0x80
> >>>> [15029.969923]  __arm64_sys_setsockopt+0x13c/0x1f0
> >>>> [15029.974456]  el0_svc_handler+0xd4/0x198
> >>>> [15029.978293]  el0_svc+0x8/0xc
> >>>> [15029.981174]
> >>>> [15029.982667] Allocated by task 18081:
> >>>> [15029.986245]  kasan_kmalloc.part.1+0x40/0x108
> >>>> [15029.990517]  kasan_kmalloc+0xb4/0xc8
> >>>> [15029.994094]  __kmalloc_node+0x1c4/0x638
> >>>> [15029.997933]  kvmalloc_node+0x98/0xa8
> >>>> [15030.001511]  vmemdup_user+0x34/0x128
> >>>> [15030.005137]  __sctp_setsockopt_connectx+0x44/0x128 [sctp]
> >>>> [15030.010586]  sctp_setsockopt+0x764/0x2928 [sctp]
> >>>> [15030.015205]  sock_common_setsockopt+0x6c/0x80
> >>>> [15030.019564]  __arm64_sys_setsockopt+0x13c/0x1f0
> >>>> [15030.024096]  el0_svc_handler+0xd4/0x198
> >>>> [15030.027933]  el0_svc+0x8/0xc
> >>>> [15030.030814]
> >>>> [15030.032306] Freed by task 3025:
> >>>> [15030.035451]  __kasan_slab_free+0x114/0x228
> >>>> [15030.039548]  kasan_slab_free+0x10/0x18
> >>>> [15030.043299]  kfree+0x114/0x408
> >>>> [15030.046357]  selinux_sk_free_security+0x38/0x48
> >>>> [15030.050888]  security_sk_free+0x3c/0x58
> >>>> [15030.054727]  __sk_destruct+0x3e8/0x570
> >>>> [15030.058478]  sk_destruct+0x4c/0x58
> >>>> [15030.061881]  __sk_free+0x68/0x138
> >>>> [15030.065197]  sk_free+0x3c/0x48
> >>>> [15030.068255]  unix_release_sock+0x4a8/0x550
> >>>> [15030.072353]  unix_release+0x34/0x50
> >>>> [15030.075843]  __sock_release+0x74/0x110
> >>>> [15030.079593]  sock_close+0x24/0x38
> >>>> [15030.082913]  __fput+0x1b8/0x368
> >>>> [15030.086055]  ____fput+0x20/0x30
> >>>> [15030.089199]  task_work_run+0x14c/0x1a8
> >>>> [15030.092951]  do_notify_resume+0x1e4/0x200
> >>>> [15030.096961]  work_pending+0x8/0x14
> >>>
> >>> Any chance you have a reproducer for this?  Or at the very least a
> >>> line number inside selinux_sctp_bind_connect()?
> >>>
> >> Yes, running trinity as non-root will trigger it all the time on this
> >> aarch64 server so far.
> >
> > Is it just aarch64, or are you seeing it on other arches as well?
>
> I only have an aarch64 server to test so far.

Did you see similar problems with 4.20-rc1?

> >> $ trinity
> >>
> >> https://github.com/kernelslacker/trinity.git
> >>
> >> If you have a debug patch I am happy to try that as well if you
> >> need to gather more information.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ