lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 7 Aug 2019 12:58:21 -0700
From:   Matthew Wilcox <willy@...radead.org>
To:     syzbot <syzbot+3de312463756f656b47d@...kaller.appspotmail.com>
Cc:     allison@...utok.net, andreyknvl@...gle.com, cai@....pw,
        gregkh@...uxfoundation.org, keescook@...omium.org,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        tglx@...utronix.de, Jiri Kosina <jkosina@...e.cz>
Subject: Re: BUG: bad usercopy in hidraw_ioctl

On Wed, Aug 07, 2019 at 12:28:06PM -0700, syzbot wrote:
> usercopy: Kernel memory exposure attempt detected from wrapped address
> (offset 0, size 0)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:98!

This report is confusing because the arguments to usercopy_abort() are wrong.

        /* Reject if object wraps past end of memory. */
        if (ptr + n < ptr)
                usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n);

ptr + n is not 'size', it's what wrapped.  I don't know what 'offset'
should be set to, but 'size' should be 'n'.  Presumably we don't want to
report 'ptr' because it'll leak a kernel address ... reporting 'n' will
leak a range for a kernel address, but I think that's OK?  Admittedly an
attacker can pass in various values for 'n', but it'll be quite noisy
and leave a trace in the kernel logs for forensics to find afterwards.

> Call Trace:
>  check_bogus_address mm/usercopy.c:151 [inline]
>  __check_object_size mm/usercopy.c:260 [inline]
>  __check_object_size.cold+0xb2/0xba mm/usercopy.c:250
>  check_object_size include/linux/thread_info.h:119 [inline]
>  check_copy_size include/linux/thread_info.h:150 [inline]
>  copy_to_user include/linux/uaccess.h:151 [inline]
>  hidraw_ioctl+0x38c/0xae0 drivers/hid/hidraw.c:392

The root problem would appear to be:

                                else if (copy_to_user(user_arg + offsetof(
                                        struct hidraw_report_descriptor,
                                        value[0]),
                                        dev->hid->rdesc,
                                        min(dev->hid->rsize, len)))

That 'min' should surely be a 'max'?

Jiri, this looks like it was your code back in 2007.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ