lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKMK7uEuJ3Huq9HxV+FTqmgito6273_8oytdjADZP2-HXYw+CA@mail.gmail.com>
Date:   Wed, 6 Nov 2019 16:56:50 +0100
From:   Daniel Vetter <daniel@...ll.ch>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot <syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com>,
        Dave Airlie <airlied@...ux.ie>,
        Andrew Morton <akpm@...ux-foundation.org>,
        dri-devel <dri-devel@...ts.freedesktop.org>,
        Kees Cook <keescook@...omium.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Maxime Ripard <mripard@...nel.org>,
        Sean Paul <sean@...rly.run>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Al Viro <viro@...iv.linux.org.uk>
Subject: Re: WARNING in drm_mode_createblob_ioctl

On Wed, Nov 6, 2019 at 4:33 PM Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
> On Wed, Nov 6, 2019 at 4:28 PM Daniel Vetter <daniel@...ll.ch> wrote:
> >
> > On Wed, Nov 6, 2019 at 4:23 PM Daniel Vetter <daniel@...ll.ch> wrote:
> > >
> > > On Wed, Nov 6, 2019 at 4:20 PM syzbot
> > > <syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com> wrote:
> > > >
> > > > syzbot has bisected this bug to:
> > > >
> > > > commit 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba
> > > > Author: Kees Cook <keescook@...omium.org>
> > > > Date:   Mon Nov 4 22:57:23 2019 +0000
> > > >
> > > >      uaccess: disallow > INT_MAX copy sizes
> > >
> > > Ah cool, this explains it.
> > >
> > > fwiw I never managed to get the WARNING in the backtrace to lign up
> > > with any code. No idea what's been going on.
> >
> > Ok I think I have an idea, the above commit isn't in the linux-next I
> > have here. Where is this from?
> > -Daniel
>
> You need to fetch tags to linux-next. syzbot started bisecting from
> the commit where the crash happened, and it is now probably not the
> current tag.

Indeed it's an -mm patch so rebases every day. I tried looking for it,
but found nothing, not sure what exactly I screwed up. Patch on the
way.
-Daniel

>
> linux$ git show 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba
> commit 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba
> Author: Kees Cook <keescook@...omium.org>
> Date:   Tue Nov 5 09:57:23 2019 +1100
>
>     uaccess: disallow > INT_MAX copy sizes
>
>     As we've done with VFS, string operations, etc, reject usercopy sizes
>     larger than INT_MAX, which would be nice to have for catching bugs related
>     to size calculation overflows[1].
>
>     This adds 10 bytes to x86_64 defconfig text and 1980 bytes to the data
>     section:
>
>        text    data     bss     dec     hex filename
>     19691167        5134320 1646664 26472151        193eed7 vmlinux.before
>     19691177        5136300 1646664 26474141        193f69d vmlinux.after
>
>     [1] https://marc.info/?l=linux-s390&m=156631939010493&w=2
>
>     Link: http://lkml.kernel.org/r/201908251612.F9902D7A@keescook
>     Signed-off-by: Kees Cook <keescook@...omium.org>
>     Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
>     Cc: Alexander Viro <viro@...iv.linux.org.uk>
>     Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
>     Signed-off-by: Stephen Rothwell <sfr@...b.auug.org.au>
>
> diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
> index 659a4400517b2..e93e249a4e9bf 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -147,6 +147,8 @@ check_copy_size(const void *addr, size_t bytes,
> bool is_source)
>                         __bad_copy_to();
>                 return false;
>         }
> +       if (WARN_ON_ONCE(bytes > INT_MAX))
> +               return false;
>         check_object_size(addr, bytes, is_source);
>         return true;
>  }
>
>
> > > I'll type a patch to paper over this.
> > > -Daniel
> > >
> > > >
> > > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=125fe6dce00000
> > > > start commit:   51309b9d Add linux-next specific files for 20191105
> > > > git tree:       linux-next
> > > > final crash:    https://syzkaller.appspot.com/x/report.txt?x=115fe6dce00000
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=165fe6dce00000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a9b1a641c1f1fc52
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=fb77e97ebf0612ee6914
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1212dc3ae00000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145f604ae00000
> > > >
> > > > Reported-by: syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com
> > > > Fixes: 9e5a64c71b2f ("uaccess: disallow > INT_MAX copy sizes")
> > > >
> > > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> > >
> > >
> > >
> > > --
> > > Daniel Vetter
> > > Software Engineer, Intel Corporation
> > > +41 (0) 79 365 57 48 - http://blog.ffwll.ch
> >
> >
> >
> > --
> > Daniel Vetter
> > Software Engineer, Intel Corporation
> > +41 (0) 79 365 57 48 - http://blog.ffwll.ch



-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ