lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAG_fn=VZZ7yUxtOGzuTLkr7wmfXWtKK9BHHYawj=rt9XWnCYvg@mail.gmail.com>
Date:   Tue, 21 Apr 2020 10:14:25 +0200
From:   Alexander Potapenko <glider@...gle.com>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     Kees Cook <keescook@...omium.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Alexey Dobriyan <adobriyan@...il.com>,
        LKML <linux-kernel@...r.kernel.org>, sunhaoyl@...look.com
Subject: Re: [PATCH] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

> Not lately and I would also like to hear the details; which regset it is?
> Should be reasonably easy to find - just memset() the damn thing to something
> recognizable, do whatever triggers that KMSAN report and look at that
> resulting coredump.

The bug is easily triggerable by the following program:

================================================
int main() {
  volatile char *c = 0;
  (void)*c;
  return 0;
}
================================================

in my QEMU after I do `ulimit -c 10000`.

I use the following patch:

================================================
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index f4713ea76e827..570193a1b291d 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1734,6 +1734,7 @@ static int fill_thread_core_info(struct
elf_thread_core_info *t,
                        int ret;
                        size_t size = regset_size(t->task, regset);
                        void *data = kmalloc(size, GFP_KERNEL);
+                       memset(data, 0xae, size);
                        if (unlikely(!data))
                                return 0;
                        ret = regset->get(t->task, regset,
================================================

to find uninitialized bytes in the core file using hexdump.
Those are:

0x96c--0x984 (24 bytes)
0x98c--0xa0c (128 bytes)
0xb0c--0xb3c (48 bytes)
0xbac--0x13ec (2112 bytes)

I added kmsan_check_memory(addr, nr) to dump_emit() and got the
following reports when calling dump_emit(cprm, men->data, men->datasz)
in writenote():

BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10
mm/kmsan/kmsan_hooks.c:428
Bytes 0-23 of 2696 are uninitialized
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10
mm/kmsan/kmsan_hooks.c:428
Bytes 32-159 of 2696 are uninitialized
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10
mm/kmsan/kmsan_hooks.c:428
Bytes 416-463 of 2696 are uninitialized
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10
mm/kmsan/kmsan_hooks.c:428
Bytes 576-2687 of 2696 are uninitialized

FWIW one of such reports looks as follows:

=====================================================
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10
mm/kmsan/kmsan_hooks.c:428
CPU: 0 PID: 1503 Comm: probe Not tainted 5.6.0-rc7+ #4105
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77
 dump_stack+0x16f/0x208 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x22e/0x3c0 mm/kmsan/kmsan.c:423
 kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
 dump_emit+0x1ab/0x580 fs/coredump.c:824
 writenote+0x30a/0x4b0 fs/binfmt_elf.c:1420
 free_note_info fs/binfmt_elf.c:1910
 elf_core_dump+0x644c/0x6e60 fs/binfmt_elf.c:2377
 do_coredump+0x488d/0x5400 fs/coredump.c:790
 get_signal+0x147f/0x2d50 kernel/signal.c:2733
 do_signal+0x6d/0xda0 arch/x86/kernel/signal.c:813
 exit_to_usermode_loop arch/x86/entry/common.c:160
...
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:127
 kmsan_poison_shadow+0x5f/0xa0 mm/kmsan/kmsan_hooks.c:405
 kmalloc ./include/linux/slab.h:560
 fill_thread_core_info fs/binfmt_elf.c:1736
 fill_note_info fs/binfmt_elf.c:1838
 elf_core_dump+0x2f8c/0x6e60 fs/binfmt_elf.c:2239
 do_coredump+0x488d/0x5400 fs/coredump.c:790
 get_signal+0x147f/0x2d50 kernel/signal.c:2733
 do_signal+0x6d/0xda0 arch/x86/kernel/signal.c:813
 exit_to_usermode_loop arch/x86/entry/common.c:160
 prepare_exit_to_usermode+0x337/0x480 arch/x86/entry/common.c:195
 swapgs_restore_regs_and_return_to_usermode+0x0/0x80
arch/x86/entry/entry_64.S:625

Bytes 0-23 of 2696 are uninitialized
Memory access of size 2696 starts at ffff9e85a7115000
=====================================================


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ