[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG=yYwmTdW0THoVGJc-Le+TyGMaHKZD-NHTRfXczNes65T8qWA@mail.gmail.com>
Date: Tue, 30 Jul 2019 01:04:17 +0530
From: Jeffrin Thalakkottoor <jeffrin@...agiritech.edu.in>
To: Kees Cook <keescook@...omium.org>
Cc: Nick Desaulniers <ndesaulniers@...gle.com>,
Steven Rostedt <rostedt@...dmis.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
tobin@...nel.org, lkml <linux-kernel@...r.kernel.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Alexander Potapenko <glider@...gle.com>, axboe@...nel.dk
Subject: Re: BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
hello Kees Cook,
i tested your fix and i think it worked like a charm !
kasan message related disappeared during boot time and it does not
show in the output of "sudo dmesg -l err"
anyway thanks a lot !
On Fri, Jul 19, 2019 at 3:05 AM Kees Cook <keescook@...omium.org> wrote:
>
> On Tue, Jul 16, 2019 at 11:28:29AM -0700, Nick Desaulniers wrote:
> > On Wed, Jul 10, 2019 at 10:44 AM Jeffrin Thalakkottoor
> > <jeffrin@...agiritech.edu.in> wrote:
> > >
> > > hello all ,
> > >
> > > i encountered a KASAN bug related . here are some related information...
> > >
> > >
> > > -------------------x-----------------------------x------------------
> > > [ 30.037312] BUG: KASAN: global-out-of-bounds in
> > > ata_exec_internal_sg+0x50f/0xc70
> > > [ 30.037447] Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> > >
> > >
> > > [ 30.039935] The buggy address belongs to the variable:
> > > [ 30.040059] cdb.48319+0x0/0x40
> > > (gdb) l *ata_exec_internal_sg+0x50f
> > > 0xffffffff81c7b59f is in ata_exec_internal_sg (./include/linux/string.h:359).
> >
> > So looks like ata_exec_internal_sg() is panic'ing when...
> >
> > > 354 if (q_size < size)
> > > 355 __read_overflow2();
> > > 356 }
> > > 357 if (p_size < size || q_size < size)
> > > 358 fortify_panic(__func__);
> > > 359 return __builtin_memcpy(p, q, size);
>
> ^^^ here, so within memcpy(), but after the "easy" sanity checks.
>
> The only place where I see ata_exec_internal_sg() calling memcpy() is
> here:
>
> /* prepare & issue qc */
> qc->tf = *tf;
> if (cdb)
> memcpy(qc->cdb, cdb, ATAPI_CDB_LEN);
>
> the "16" is consistent with the report:
>
> include/linux/ata.h: ATAPI_CDB_LEN = 16,
>
> which matches the claim about the cdb variable from KASAN. And it's a
> read, so "cdb" is wrong. Do you have a longer back trace? What called
> ata_exec_internal_sg()?
>
> ata_exec_internal() is the only caller of ata_exec_internal_sg(). Nearly
> all callers of ata_exec_internal() pass a NULL cdb. Those that don't
> are:
>
> atapi_eh_tur()
> u8 cdb[ATAPI_CDB_LEN] = ...
> atapi_eh_request_sense()
> u8 cdb[ATAPI_CDB_LEN] = ...
>
> These two are on the static and correctly sized.
>
> eject_tray()
> static const char cdb[ATAPI_CDB_LEN] = ...
> zpodd_get_mech_type()
> static const char cdb[] = ...
>
> These are both in rodata, and only the first is correctly sized. I
> assume the following will fix it:
>
>
> diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
> index 173e6f2dd9af..eefda51f97d3 100644
> --- a/drivers/ata/libata-zpodd.c
> +++ b/drivers/ata/libata-zpodd.c
> @@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
> unsigned int ret;
> struct rm_feature_desc *desc;
> struct ata_taskfile tf;
> - static const char cdb[] = { GPCMD_GET_CONFIGURATION,
> + static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,
> 2, /* only 1 feature descriptor requested */
> 0, 3, /* 3, removable medium feature */
> 0, 0, 0,/* reserved */
>
>
>
> --
> Kees Cook
--
software engineer
rajagiri school of engineering and technology
Powered by blists - more mailing lists