lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <s5hlfrskuul.wl-tiwai@suse.de>
Date:   Wed, 04 Dec 2019 15:50:58 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     syzbot <syzbot+f153bde47a62e0b05f83@...kaller.appspotmail.com>
Cc:     alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
        perex@...ex.cz, syzkaller-bugs@...glegroups.com, tiwai@...e.com
Subject: Re: KASAN: slab-out-of-bounds Read in linear_transfer (3)

On Wed, 04 Dec 2019 09:25:09 +0100,
syzbot wrote:
> 
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1416a90ee00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> dashboard link: https://syzkaller.appspot.com/bug?extid=f153bde47a62e0b05f83
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10fe9e41e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1522042ae00000
> 
> The bug was bisected to:
> 
> commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476
> Author: Takashi Iwai <tiwai@...e.de>
> Date:   Fri Nov 9 10:59:45 2018 +0000
> 
>     ALSA: oss: Use kvzalloc() for local buffer allocations

FYI, this bisection result is bogus; before this commit, the buffer
was allocated via vmalloc and KASAN check was skipped.  Now with
kvmalloc(), it goes with kmalloc which has a proper check, and the
problem surfaced since this commit.

The real culprit is a potential buffer overflow in the OSS plugin
chain.  I submitted the fix patch now.


Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ