lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1580695544.17006.7.camel@mtksdccf07>
Date:   Mon, 3 Feb 2020 10:05:44 +0800
From:   Walter Wu <walter-zh.wu@...iatek.com>
To:     Alexander Potapenko <glider@...gle.com>
CC:     Dmitry Vyukov <dvyukov@...gle.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "Josh Poimboeuf" <jpoimboe@...hat.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>,
        wsd_upstream <wsd_upstream@...iatek.com>
Subject: Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in
 stackdepot

On Fri, 2020-01-31 at 19:11 +0100, Alexander Potapenko wrote:
> On Fri, Jan 31, 2020 at 3:05 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:
> >
> > On Thu, 2020-01-30 at 13:03 +0100, Alexander Potapenko wrote:
> > > On Thu, Jan 30, 2020 at 7:44 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:
> > >
> > > Hi Walter,
> > >
> > > > If the depot_index = STACK_ALLOC_MAX_SLABS - 2 and next_slab_inited = 0,
> > > > then it will cause array out-of-bounds access, so that we should modify
> > > > the detection to avoid this array out-of-bounds bug.
> > > >
> > > > Assume depot_index = STACK_ALLOC_MAX_SLABS - 3
> > > > Consider following call flow sequence:
> > > >
> > > > stack_depot_save()
> > > >    depot_alloc_stack()
> > > >       if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
> > > >       depot_index++  //depot_index = STACK_ALLOC_MAX_SLABS - 2
> > > >       if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) //enter
> > > >          smp_store_release(&next_slab_inited, 0); //next_slab_inited = 0
> > > >       init_stack_slab()
> > > >          if (stack_slabs[depot_index] == NULL) //enter and exit
> > > >
> > > > stack_depot_save()
> > > >    depot_alloc_stack()
> > > >       if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
> > > >       depot_index++  //depot_index = STACK_ALLOC_MAX_SLABS - 1
> > > >       init_stack_slab(&prealloc)
> > > >          stack_slabs[depot_index + 1]  //here get global out-of-bounds
> > > >
> > > > Cc: Dmitry Vyukov <dvyukov@...gle.com>
> > > > Cc: Matthias Brugger <matthias.bgg@...il.com>
> > > > Cc: Thomas Gleixner <tglx@...utronix.de>
> > > > Cc: Alexander Potapenko <glider@...gle.com>
> > > > Cc: Josh Poimboeuf <jpoimboe@...hat.com>
> > > > Cc: Kate Stewart <kstewart@...uxfoundation.org>
> > > > Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > > > Cc: Kate Stewart <kstewart@...uxfoundation.org>
> > > > Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
> > > > ---
> > > > changes in v2:
> > > > modify call flow sequence and preconditon
> > > >
> > > > changes in v3:
> > > > add some reviewers
> > > > ---
> > > >  lib/stackdepot.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/lib/stackdepot.c b/lib/stackdepot.c
> > > > index ed717dd08ff3..7e8a15e41600 100644
> > > > --- a/lib/stackdepot.c
> > > > +++ b/lib/stackdepot.c
> > > > @@ -106,7 +106,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size,
> > > >         required_size = ALIGN(required_size, 1 << STACK_ALLOC_ALIGN);
> > > >
> > > >         if (unlikely(depot_offset + required_size > STACK_ALLOC_SIZE)) {
> > > > -               if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) {
> > > > +               if (unlikely(depot_index + 2 >= STACK_ALLOC_MAX_SLABS)) {
> 
> This again means stack_slabs[STACK_ALLOC_MAX_SLABS - 2] gets
> initialized, but stack_slabs[STACK_ALLOC_MAX_SLABS - 1] doesn't,
> because we'll be bailing out from init_stack_slab() from now on.
> Does this patch actually fix the problem (do you have a reliable reproducer?)
We get it by reviewing code, because Kasan doesn't scan it and we catch
another bug internally, we found it unintentionally.

> This addition of 2 is also counterintuitive, I don't think further
> readers will understand the logic behind it.
> 
Yes

> What if we just check that depot_index + 1 is a valid index before accessing it?
> 
It should fix the problem, do you want to send this patch?

> diff --git a/lib/stackdepot.c b/lib/stackdepot.c
> index 2e7d2232ed3c..c2e6ff18d716 100644
> --- a/lib/stackdepot.c
> +++ b/lib/stackdepot.c
> @@ -106,7 +106,9 @@ static bool init_stack_slab(void **prealloc)
>         if (stack_slabs[depot_index] == NULL) {
>                 stack_slabs[depot_index] = *prealloc;
>         } else {
> -               stack_slabs[depot_index + 1] = *prealloc;
> +               /* If this is the last depot slab, do not touch the next one. */
> +               if (depot_index + 1 < STACK_ALLOC_MAX_SLABS)
> +                       stack_slabs[depot_index + 1] = *prealloc;
>                 /*
>                  * This smp_store_release pairs with smp_load_acquire() from
>                  * |next_slab_inited| above and in stack_depot_save().

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ