lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200313164511.GB907@sol.localdomain>
Date:   Fri, 13 Mar 2020 09:45:11 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     linux-fsdevel@...r.kernel.org, viro@...iv.linux.org.uk
Cc:     glider@...gle.com, arnd@...db.de, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org, rafael@...nel.org,
        syzbot+fcab69d1ada3e8d6f06b@...kaller.appspotmail.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] libfs: fix infoleak in simple_attr_read()

On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> Reading from a debugfs file at a nonzero position, without first reading
> at position 0, leaks uninitialized memory to userspace.
> 
> It's a bit tricky to do this, since lseek() and pread() aren't allowed
> on these files, and write() doesn't update the position on them.  But
> writing to them with splice() *does* update the position:
> 
> 	#define _GNU_SOURCE 1
> 	#include <fcntl.h>
> 	#include <stdio.h>
> 	#include <unistd.h>
> 	int main()
> 	{
> 		int pipes[2], fd, n, i;
> 		char buf[32];
> 
> 		pipe(pipes);
> 		write(pipes[1], "0", 1);
> 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> 		n = read(fd, buf, sizeof(buf));
> 		for (i = 0; i < n; i++)
> 			printf("%02x", buf[i]);
> 		printf("\n");
> 	}
> 
> Output:
> 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> 
> Fix the infoleak by making simple_attr_read() always fill
> simple_attr::get_buf if it hasn't been filled yet.
> 
> Reported-by: syzbot+fcab69d1ada3e8d6f06b@...kaller.appspotmail.com
> Reported-by: Alexander Potapenko <glider@...gle.com>
> Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> Cc: stable@...r.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
>  fs/libfs.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/libfs.c b/fs/libfs.c
> index c686bd9caac6..3759fbacf522 100644
> --- a/fs/libfs.c
> +++ b/fs/libfs.c
> @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
>  {
>  	struct simple_attr *attr;
>  
> -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
>  	if (!attr)
>  		return -ENOMEM;
>  
> @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
>  	if (ret)
>  		return ret;
>  
> -	if (*ppos) {		/* continued read */
> +	if (*ppos && attr->get_buf[0]) {
> +		/* continued read */
>  		size = strlen(attr->get_buf);
> -	} else {		/* first read */
> +	} else {
> +		/* first read */
>  		u64 val;
>  		ret = attr->get(attr->data, &val);
>  		if (ret)
> -- 
> 2.25.1

Any comments on this?  Al, seems this is something you should pick up?

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ