lists.openwall.net: Open Source and information security mailing list archives
Date:   Mon, 26 Nov 2018 00:29:49 -0500
From:   Kyungtae Kim <kt0755@...il.com>
To:     linux-kernel@...r.kernel.org, linux-input@...r.kernel.org
Subject: Fwd: UBSAN: Undefined behaviour in drivers/input/mousedev.c

---------- Forwarded message ---------
From: Kyungtae Kim <kt0755@...il.com>
Date: Mon, Nov 26, 2018 at 12:26 AM
Subject: UBSAN: Undefined behaviour in drivers/input/mousedev.c
To: <dmitry.torokhov@...il.com>
Cc: Byoungyoung Lee <lifeasageek@...il.com>, DaeRyong Jeong
<threeearcat@...il.com>, <linux-input@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <syzkaller@...glegroups.com>


We report a crash found in v4.20-rc2:

kernel config: https://kt0755.github.io/etc/config_v4.20
repro: https://kt0755.github.io/etc/repro.5266f.c

In mousedev_rel_event(), "mousedev->packet.dx += value"
(drivers/input/mousedev.c:212) causes an integer overflow
when the result of the calculation is larger than the size of dx.
This can arise because "value" originates from user input
(via evdev_write), and there is no sanity check along the path.

It's not certain this crash would be tolerable despite its occurrence.
But one way to stop it is to use a bounds check before using it.


Crash log:
=======================================
UBSAN: Undefined behaviour in drivers/input/mousedev.c:212:23
signed integer overflow:
1240408832 + 1240408832 cannot be represented in type 'int'
CPU: 0 PID: 10708 Comm: syz-executor3 Not tainted 4.20.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x2dc/0x327 lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 mousedev_rel_event drivers/input/mousedev.c:212 [inline]
 mousedev_event+0x14ad/0x1830 drivers/input/mousedev.c:370
 input_to_handler+0x414/0x510 drivers/input/input.c:121
 input_pass_values.part.10+0x4ed/0x6c0 drivers/input/input.c:148
 input_pass_values drivers/input/input.c:401 [inline]
 input_handle_event+0x3f0/0x1200 drivers/input/input.c:401
 input_inject_event+0x22f/0x31e drivers/input/input.c:466
 evdev_write+0x483/0x7a0 drivers/input/evdev.c:565
 __vfs_write+0x109/0x6e0 fs/read_write.c:485
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4148cd3c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f4148cd46cc RCX: 00000000004497b9
RDX: 00000000000002a6 RSI: 0000000020000080 RDI: 0000000000000014
RBP: 000000000071c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000b820 R14: 00000000006f48c0 R15: 00007f4148cd4700
======================================

Thanks,
Kyungtae Kim
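Added illustration of the accumulation pattern in the report above, written for this archive page and not taken from the kernel or from the reporter's repro: a userspace model of "packet.dx += value" next to a version that detects the overflow and saturates instead. The struct and function names are hypothetical stand-ins; only the two operand values come from the UBSAN message.

```c
/* Constructed example (not kernel code): a plain signed accumulation
 * like the one at drivers/input/mousedev.c:212, beside a clamped form. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the relevant part of struct mousedev. */
struct packet { int dx; int dy; };

/* Mirrors the reported pattern: a bare signed add, which is undefined
 * behaviour in C as soon as the mathematical result leaves int range. */
static void rel_event_unchecked(struct packet *p, int value)
{
    p->dx += value;
}

/* Hardened form: test for overflow before it happens and saturate at
 * INT_MAX / INT_MIN.  Returns true when clamping was needed, so callers
 * (or a test) can observe that an out-of-range input was contained. */
static bool rel_event_clamped(struct packet *p, int value)
{
    int sum;

    /* __builtin_add_overflow exists in GCC >= 5 and Clang; the kernel's
     * check_add_overflow() wraps the same builtin where available. */
    if (__builtin_add_overflow(p->dx, value, &sum)) {
        p->dx = (value > 0) ? INT_MAX : INT_MIN;
        return true;
    }
    p->dx = sum;
    return false;
}

/* Feed the two operands quoted in the UBSAN report through the
 * clamped path; returns the resulting dx (INT_MAX, since it saturated). */
static int demo(void)
{
    struct packet p = { .dx = 1240408832, .dy = 0 };
    bool clamped = rel_event_clamped(&p, 1240408832);

    printf("dx=%d clamped=%d\n", p.dx, clamped);
    return p.dx;
}

int main(void)
{
    demo();
    return 0;
}
```

Build with `gcc -fsanitize=undefined` to see the unchecked variant trip the same "signed integer overflow" diagnostic as in the log when given the quoted operands, while the clamped variant stays silent.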
