lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 22 Jul 2020 16:02:50 -0300
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     syzbot <syzbot+0e4699d000d8b874d8dc@...kaller.appspotmail.com>
Cc:     davem@...emloft.net, kuba@...nel.org, linux-kernel@...r.kernel.org,
        linux-sctp@...r.kernel.org, netdev@...r.kernel.org,
        nhorman@...driver.com, syzkaller-bugs@...glegroups.com,
        vyasevich@...il.com, hch@....de
Subject: Re: KASAN: slab-out-of-bounds Write in sctp_setsockopt

On Wed, Jul 22, 2020 at 11:22:23AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4f1b4da5 Merge branch 'net-atlantic-various-features'
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=14b3a040900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2b7b67c0c1819c87
> dashboard link: https://syzkaller.appspot.com/bug?extid=0e4699d000d8b874d8dc
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14c93358900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ab61f0900000

The syz repo has:
setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x10, &(0x7f0000000100)=@...oc_value, 0x8)
                      ^^^^^^^^^^^^^^           ^^^^

#define SCTP_DELAYED_ACK_TIME   16
#define SCTP_DELAYED_ACK SCTP_DELAYED_ACK_TIME
#define SCTP_DELAYED_SACK SCTP_DELAYED_ACK_TIME
#define SCTP_MAX_BURST  20              /* Set/Get max burst */

C repro has:
  syscall(__NR_setsockopt, r[0], 0x84, 0x10, 0x20000100ul, 8ul);
                                       ^^^^

So I'm wondering, what was the real intention of the call?


Anyhow, the issue is real, introduced by ebb25defdc17 ("sctp: pass a
kernel pointer to sctp_setsockopt_delayed_ack"). It used to use a
local storage bigger than the data provided by the user and used
one struct to read another's content on top of it. Quite masked.
I'll cook a fix.

  Marcelo

Powered by blists - more mailing lists