lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 30 Jan 2020 13:03:58 +0100
From:   Alexander Potapenko <glider@...gle.com>
To:     Walter Wu <walter-zh.wu@...iatek.com>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org,
        wsd_upstream <wsd_upstream@...iatek.com>
Subject: Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in stackdepot

On Thu, Jan 30, 2020 at 7:44 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:

Hi Walter,

> If the depot_index = STACK_ALLOC_MAX_SLABS - 2 and next_slab_inited = 0,
> then it will cause array out-of-bounds access, so that we should modify
> the detection to avoid this array out-of-bounds bug.
>
> Assume depot_index = STACK_ALLOC_MAX_SLABS - 3
> Consider following call flow sequence:
>
> stack_depot_save()
>    depot_alloc_stack()
>       if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
>       depot_index++  //depot_index = STACK_ALLOC_MAX_SLABS - 2
>       if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) //enter
>          smp_store_release(&next_slab_inited, 0); //next_slab_inited = 0
>       init_stack_slab()
>          if (stack_slabs[depot_index] == NULL) //enter and exit
>
> stack_depot_save()
>    depot_alloc_stack()
>       if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
>       depot_index++  //depot_index = STACK_ALLOC_MAX_SLABS - 1
>       init_stack_slab(&prealloc)
>          stack_slabs[depot_index + 1]  //here get global out-of-bounds
>
> Cc: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: Matthias Brugger <matthias.bgg@...il.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Alexander Potapenko <glider@...gle.com>
> Cc: Josh Poimboeuf <jpoimboe@...hat.com>
> Cc: Kate Stewart <kstewart@...uxfoundation.org>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Kate Stewart <kstewart@...uxfoundation.org>
> Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
> ---
> changes in v2:
> modify call flow sequence and preconditon
>
> changes in v3:
> add some reviewers
> ---
>  lib/stackdepot.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/stackdepot.c b/lib/stackdepot.c
> index ed717dd08ff3..7e8a15e41600 100644
> --- a/lib/stackdepot.c
> +++ b/lib/stackdepot.c
> @@ -106,7 +106,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size,
>         required_size = ALIGN(required_size, 1 << STACK_ALLOC_ALIGN);
>
>         if (unlikely(depot_offset + required_size > STACK_ALLOC_SIZE)) {
> -               if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) {
> +               if (unlikely(depot_index + 2 >= STACK_ALLOC_MAX_SLABS)) {

I don't think this is the right way to fix the problem.
You're basically throwing away the last element of stack_slabs[], as
we won't allocate anything from it.

How about we set |next_slab_inited| to 1 here:

diff --git a/lib/stackdepot.c b/lib/stackdepot.c
index 2e7d2232ed3c..943a51eb746d 100644
--- a/lib/stackdepot.c
+++ b/lib/stackdepot.c
@@ -105,6 +105,8 @@ static bool init_stack_slab(void **prealloc)
                return true;
        if (stack_slabs[depot_index] == NULL) {
                stack_slabs[depot_index] = *prealloc;
+               if (depot_index + 1 == STACK_ALLOC_MAX_SLABS)
+                       smp_store_release(&next_slab_inited, 1);
        } else {
                stack_slabs[depot_index + 1] = *prealloc;
                /*

This will ensure we won't be preallocating pages once |depot_index|
reaches the last element, and we won't attempt to write those pages
anywhere either.

Could you please check if this fixes the problem for you?

>                         WARN_ONCE(1, "Stack depot reached limit capacity");
>                         return NULL;
>                 }
> --
> 2.18.0



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ