| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 05 Dec 2019 17:21:50 +0000
From: David Howells <dhowells@...hat.com>
To: torvalds@...ux-foundation.org, ebiggers@...nel.org
Cc: dhowells@...hat.com, viro@...iv.linux.org.uk,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 2/2] pipe: Fix missing mask update after pipe_wait()
Fix pipe_write() to regenerate the ring index mask and update max_usage
after calling pipe_wait().
This is necessary as the latter function drops the pipe lock, thereby
allowing F_SETPIPE_SZ change it. Without this, pipe_write() may
subsequently miscalculate the array indices and pipe fullness, leading to
an oops like the following:
BUG: KASAN: slab-out-of-bounds in pipe_write+0xc25/0xe10 fs/pipe.c:481
Write of size 8 at addr ffff8880771167a8 by task syz-executor.3/7987
...
CPU: 1 PID: 7987 Comm: syz-executor.3 Not tainted 5.4.0-rc2-syzkaller #0
...
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x113/0x167 lib/dump_stack.c:113
print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
__kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
pipe_write+0xc25/0xe10 fs/pipe.c:481
call_write_iter include/linux/fs.h:1895 [inline]
new_sync_write+0x3fd/0x7e0 fs/read_write.c:483
__vfs_write+0x94/0x110 fs/read_write.c:496
vfs_write+0x18a/0x520 fs/read_write.c:558
ksys_write+0x105/0x220 fs/read_write.c:611
__do_sys_write fs/read_write.c:623 [inline]
__se_sys_write fs/read_write.c:620 [inline]
__x64_sys_write+0x6e/0xb0 fs/read_write.c:620
do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
Reported-by: syzbot+838eb0878ffd51f27c41@...kaller.appspotmail.com
Signed-off-by: David Howells <dhowells@...hat.com>
cc: Eric Biggers <ebiggers@...nel.org>
---
fs/pipe.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/pipe.c b/fs/pipe.c
index 5f89f73d4366..4d2a7bbc5d31 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -526,6 +526,8 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
}
pipe->waiting_writers++;
pipe_wait(pipe);
+ mask = pipe->ring_size - 1;
+ max_usage = pipe->max_usage;
pipe->waiting_writers--;
}
out:
Powered by blists - more mailing lists