Message-ID: <CACT4Y+bw_fuhC0q2Wb0K=+z9p_E+apZr9h7_+HWOhAe6_g7KgQ@mail.gmail.com>
Date:   Tue, 5 Nov 2019 11:53:18 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Jiri Slaby <jslaby@...e.com>
Cc:     Nicolas Pitre <nico@...xnic.net>,
        Or Cohen <orcohen@...oaltonetworks.com>,
        Greg KH <gregkh@...uxfoundation.org>, textshell@...uujin.de,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        Sam Ravnborg <sam@...nborg.org>, mpatocka@...hat.com,
        ghalat@...hat.com, LKML <linux-kernel@...r.kernel.org>,
        jwilk@...lk.net, Nadav Markus <nmarkus@...oaltonetworks.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw

On Tue, Nov 5, 2019 at 11:29 AM Jiri Slaby <jslaby@...e.com> wrote:
>
> On 05. 11. 19, 10:33, Nicolas Pitre wrote:
> > Subject: [PATCH] vcs: prevent write access to vcsu devices
> >
> > Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
> > against using devices containing attributes as this is not yet
> > implemented. It however failed to guard against writes to any devices
> > as this is also unimplemented.
> >
> > Signed-off-by: Nicolas Pitre <npitre@...libre.com>
> > Cc: <stable@...r.kernel.org> # v4.19+
> >
> > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
> > index fa07d79027..ef19b95b73 100644
> > --- a/drivers/tty/vt/vc_screen.c
> > +++ b/drivers/tty/vt/vc_screen.c
> > @@ -456,6 +456,9 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
> >       size_t ret;
> >       char *con_buf;
> >
> > +     if (use_unicode(inode))
> > +             return -EOPNOTSUPP;
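Review bot: The guard uses `inode`, but the visible context of this hunk declares only `ret` and `con_buf`, so confirm that `inode` is initialised (from `file_inode(file)`, given the `struct file *file` parameter in the hunk header) before this early return rather than later in the function; also add a one-line comment at the check, such as `/* writes are not implemented for unicode (vcsu) devices */`, so the reason for `-EOPNOTSUPP` is visible at the call site and not only in the commit message.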
>
> Looks good to me. I am also thinking about a ban directly in open:
>
> if (use_unicode(inode) && (filp->f_flags & O_ACCMODE) != O_RDONLY)
>   return -EOPNOTSUPP;
>
> Would that break the unicode users?


On a related note, syzbot seems to get very similar bug reports on
some downstream kernels (4.15):
KASAN: use-after-free Read in vcs_scr_readw
KASAN: use-after-free Write in vcs_scr_writew

but not on upstream. I wonder why. And if we are missing some good
config in the upstream kernel or something. All this fuzzing is somewhat
random, so it might have just happened without particular reasons
(maybe it will discover it later). But I wanted to check if there are
some low-hanging fruits. Anything obviously missing in:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
?
