lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Mar 2020 09:16:29 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Hillf Danton <hdanton@...a.com>, syzbot <syzbot+bfdd4a2f07be52351350@...kaller.appspotmail.com> Cc: jmorris@...ei.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, serge@...lyn.com, syzkaller-bugs@...glegroups.com, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: KASAN: slab-out-of-bounds Read in vsscanf On 3/27/2020 1:27 AM, Hillf Danton wrote: > On Thu, 26 Mar 2020 18:20:14 -0700 >> syzbot found the following crash on: >> >> HEAD commit: 1b649e0b Merge git://git.kernel.org/pub/scm/linux/kernel/g.. >> git tree: upstream >> console output: https://syzkaller.appspot.com/x/log.txt?x=11044405e00000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9 >> dashboard link: https://syzkaller.appspot.com/bug?extid=bfdd4a2f07be52351350 >> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13819303e00000 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eaed4be00000 >> >> Bisection is inconclusive: the bug happens on the oldest tested release. >> >> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=150e6ac5e00000 >> final crash: https://syzkaller.appspot.com/x/report.txt?x=170e6ac5e00000 >> console output: https://syzkaller.appspot.com/x/log.txt?x=130e6ac5e00000 >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit: >> Reported-by: syzbot+bfdd4a2f07be52351350@...kaller.appspotmail.com >> >> ================================================================== >> BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275 >> Read of size 1 at addr ffff888093622f42 by task syz-executor055/7117 >> >> CPU: 1 PID: 7117 Comm: syz-executor055 Not tainted 5.6.0-rc7-syzkaller #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >> Call Trace: >> __dump_stack lib/dump_stack.c:77 [inline] >> dump_stack+0x1e9/0x30e lib/dump_stack.c:118 >> print_address_description+0x74/0x5c0 mm/kasan/report.c:374 >> __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 >> kasan_report+0x25/0x50 mm/kasan/common.c:641 >> vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275 >> sscanf+0x6c/0x90 lib/vsprintf.c:3481 >> smk_set_cipso+0x1ac/0x6a0 security/smack/smackfs.c:881 >> __vfs_write+0xa7/0x710 fs/read_write.c:494 >> vfs_write+0x271/0x570 fs/read_write.c:558 >> ksys_write+0x115/0x220 fs/read_write.c:611 >> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> RIP: 0033:0x4401b9 >> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 >> RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 >> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9 >> RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003 >> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 >> R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40 >> R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000 >> >> Allocated by task 7117: >> save_stack mm/kasan/common.c:72 [inline] >> set_track mm/kasan/common.c:80 [inline] >> __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 >> __do_kmalloc mm/slab.c:3656 [inline] >> __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671 >> memdup_user_nul+0x26/0xf0 mm/util.c:259 >> smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859 >> __vfs_write+0xa7/0x710 fs/read_write.c:494 >> vfs_write+0x271/0x570 fs/read_write.c:558 >> ksys_write+0x115/0x220 fs/read_write.c:611 >> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> Freed by task 1: >> save_stack mm/kasan/common.c:72 [inline] >> set_track mm/kasan/common.c:80 [inline] >> kasan_set_free_info mm/kasan/common.c:337 [inline] >> __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 >> __cache_free mm/slab.c:3426 [inline] >> kfree+0x10a/0x220 mm/slab.c:3757 >> tomoyo_path_perm+0x59b/0x740 security/tomoyo/file.c:842 >> security_inode_getattr+0xc0/0x140 security/security.c:1254 >> vfs_getattr+0x27/0x6e0 fs/stat.c:117 >> vfs_statx fs/stat.c:201 [inline] >> vfs_lstat include/linux/fs.h:3277 [inline] >> __do_sys_newlstat fs/stat.c:364 [inline] >> __se_sys_newlstat+0x85/0x140 fs/stat.c:358 >> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> The buggy address belongs to the object at ffff888093622f40 >> which belongs to the cache kmalloc-32 of size 32 >> The buggy address is located 2 bytes inside of >> 32-byte region [ffff888093622f40, ffff888093622f60) >> The buggy address belongs to the page: >> page:ffffea00024d8880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888093622fc1 >> flags: 0xfffe0000000200(slab) >> raw: 00fffe0000000200 ffffea000271b988 ffffea00028ae488 ffff8880aa4001c0 >> raw: ffff888093622fc1 ffff888093622000 0000000100000039 0000000000000000 >> page dumped because: kasan: bad access detected >> >> Memory state around the buggy address: >> ffff888093622e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >> ffff888093622e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc >>> ffff888093622f00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc >> ^ >> ffff888093622f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc >> ffff888093623000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> ================================================================== > > Add barrier to soob. > > --- a/security/smack/smackfs.c > +++ b/security/smack/smackfs.c > @@ -878,11 +878,21 @@ static ssize_t smk_set_cipso(struct file > else > rule += strlen(skp->smk_known) + 1; > > + if (rule > data + count) { > + rc = -EOVERFLOW; > + goto out; > + } > + > ret = sscanf(rule, "%d", &maplevel); > if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) > goto out; > > rule += SMK_DIGITLEN; > + if (rule > data + count) { > + rc = -EOVERFLOW; > + goto out; > + } > + > ret = sscanf(rule, "%d", &catlen); > if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) > goto out; Thank you.
Powered by blists - more mailing lists