lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200207050706.GC23230@ZenIV.linux.org.uk>
Date:   Fri, 7 Feb 2020 05:07:06 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     syzbot <syzbot+c23efa0cc68e79d551fc@...kaller.appspotmail.com>
Cc:     axboe@...nel.dk, ceph-devel@...r.kernel.org,
        darrick.wong@...cle.com, dhowells@...hat.com,
        dongsheng.yang@...ystack.cn, gregkh@...uxfoundation.org,
        idryomov@...il.com, kstewart@...uxfoundation.org,
        linux-block@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-xfs@...r.kernel.org,
        sage@...hat.com, syzkaller-bugs@...glegroups.com,
        tglx@...utronix.de
Subject: Re: KASAN: slab-out-of-bounds Read in suffix_kstrtoint

On Thu, Feb 06, 2020 at 07:48:17PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    a0c61bf1 Add linux-next specific files for 20200206
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13925e6ee00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7d320d6d9afdaecd
> dashboard link: https://syzkaller.appspot.com/bug?extid=c23efa0cc68e79d551fc
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1725bad9e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15ac3c5ee00000
> 
> The bug was bisected to:
> 
> commit 61dff92158775e70c0183f4f52c3a5a071dbc24b
> Author: Al Viro <viro@...iv.linux.org.uk>
> Date:   Tue Dec 17 19:15:04 2019 +0000
> 
>     Pass consistent param->type to fs_parse()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11fa020de00000
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=13fa020de00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15fa020de00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+c23efa0cc68e79d551fc@...kaller.appspotmail.com
> Fixes: 61dff9215877 ("Pass consistent param->type to fs_parse()")

Argh...  OK, I see what's going on.

commit 296713d91a7df022b0edf20d55f83554b4f95ba1
Author: Al Viro <viro@...iv.linux.org.uk>
Date:   Fri Feb 7 00:02:11 2020 -0500

    do not accept empty strings for fsparam_string()
    
    Reported-by: syzbot+c23efa0cc68e79d551fc@...kaller.appspotmail.com
    Fixes: 61dff9215877 ("Pass consistent param->type to fs_parse()")

diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index fdc047b804b2..7e6fb43f9541 100644
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -256,7 +256,7 @@ EXPORT_SYMBOL(fs_param_is_enum);
 int fs_param_is_string(struct p_log *log, const struct fs_parameter_spec *p,
 		       struct fs_parameter *param, struct fs_parse_result *result)
 {
-	if (param->type != fs_value_is_string)
+	if (param->type != fs_value_is_string || !*param->string)
 		return fs_param_bad_value(log, param);
 	return 0;
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ