lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Jul 2020 16:02:50 -0300 From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> To: syzbot <syzbot+0e4699d000d8b874d8dc@...kaller.appspotmail.com> Cc: davem@...emloft.net, kuba@...nel.org, linux-kernel@...r.kernel.org, linux-sctp@...r.kernel.org, netdev@...r.kernel.org, nhorman@...driver.com, syzkaller-bugs@...glegroups.com, vyasevich@...il.com, hch@....de Subject: Re: KASAN: slab-out-of-bounds Write in sctp_setsockopt On Wed, Jul 22, 2020 at 11:22:23AM -0700, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 4f1b4da5 Merge branch 'net-atlantic-various-features' > git tree: net-next > console output: https://syzkaller.appspot.com/x/log.txt?x=14b3a040900000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2b7b67c0c1819c87 > dashboard link: https://syzkaller.appspot.com/bug?extid=0e4699d000d8b874d8dc > compiler: gcc (GCC) 10.1.0-syz 20200507 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c93358900000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ab61f0900000 The syz repo has: setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x10, &(0x7f0000000100)=@...oc_value, 0x8) ^^^^^^^^^^^^^^ ^^^^ #define SCTP_DELAYED_ACK_TIME 16 #define SCTP_DELAYED_ACK SCTP_DELAYED_ACK_TIME #define SCTP_DELAYED_SACK SCTP_DELAYED_ACK_TIME #define SCTP_MAX_BURST 20 /* Set/Get max burst */ C repro has: syscall(__NR_setsockopt, r[0], 0x84, 0x10, 0x20000100ul, 8ul); ^^^^ So I'm wondering, what was the real intention of the call? Anyhow, the issue is real, introduced by ebb25defdc17 ("sctp: pass a kernel pointer to sctp_setsockopt_delayed_ack"). It used to use a local storage bigger than the data provided by the user and used one struct to read another's content on top of it. Quite masked. I'll cook a fix. Marcelo
Powered by blists - more mailing lists