Message-ID: <20200823045559.GA25758@1wt.eu>
Date:   Sun, 23 Aug 2020 06:55:59 +0200
From:   Willy Tarreau <w@....eu>
To:     richard clark <richard.xnu.clark@...il.com>
Cc:     linux-kernel@...r.kernel.org, andreyknvl@...gle.com
Subject: Re: Why KASAN doesn't detect this stack oob fault?

On Sun, Aug 23, 2020 at 11:04:34AM +0800, richard clark wrote:
> Hi guys,
> 
> I insmod a kmod with the code below in a KASAN-enabled kernel (5.7.0,
> CONFIG_KASAN=y
> CONFIG_KASAN_GENERIC=y
> CONFIG_KASAN_OUTLINE=y):
> 
> static int kmod_init(void)
> {
>     int i;
>     int arr[4];
> 
>     for (i = 0; i < 20; i++) {
>         arr[i] = i;
>         printk("arr[%d] = %d\n", i, arr[i]);
>     }
>     return 0;
> }
> 
> The output after insmod is:
> 
> [ 1511.800683] arr[0] = 0
> [ 1511.800685] arr[1] = 1
> [ 1511.800686] arr[2] = 2
> [ 1511.800687] arr[3] = 3
> [ 1511.800688] arr[4] = 4
> [ 1511.800690] arr[5] = 5
> [ 1511.800691] arr[6] = 6
> [ 1511.800692] arr[7] = 7
> [ 1511.800693] arr[8] = 8
> [ 1511.800694] arr[9] = 9
> [ 1511.800695] arr[10] = 10
> [ 1511.800696] arr[11] = 11
> [ 1511.800697] arr[12] = 12
> [ 1511.800699] arr[13] = 13
> [ 1511.800700] arr[14] = 14
> [ 1511.800701] arr[15] = 15
> [ 1511.800702] arr[16] = 16
> [ 1511.800704] arr[17] = 17
> [ 1511.800705] arr[18] = 18
> [ 1511.800706] arr[19] = 19
> 
> The kernel is not tainted, and the gcc version used to build the kernel is 7.5.
> The questions are:
> 1. Why can the stack out-of-bounds access work?
> 2. Why doesn't KASAN detect this?

Have you verified in the output code that the compiler didn't optimize
the stack access away, since it doesn't need it?

Just to make sure, do it in two distinct loops so that there are more
chances for the stack to be really used:

static int kmod_init(void)
{
    int i;
    int arr[4];

    for (i = 0; i < 20; i++)
        arr[i] = i;

    for (i = 0; i < 20; i++)
        printk("arr[%d] = %d\n", i, arr[i]);

    return 0;
}

Willy
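The check Willy asks for, as an added example (not code from either poster): with CONFIG_KASAN_OUTLINE=y the compiler turns every instrumented load or store into a call into the KASAN runtime (`__asan_loadN*` / `__asan_storeN*`; with CONFIG_KASAN_INLINE only the failure path calls `__asan_report_*`), so the disassembly of `kmod_init` shows directly whether there is anything left for KASAN to check. The script assumes GNU binutils `objdump` for the real run; the two disassembly listings embedded below are constructed for illustration and are not output from the poster's module.

```shell
#!/bin/sh
# Added example: check from the compiled object whether a function still
# contains KASAN-instrumented accesses. If gcc dead-store-eliminates a local
# array whose values it can forward (arr[i] = i; ... arr[i]), no __asan_*
# call is emitted and KASAN never sees the out-of-bounds write.
#
# Real usage (assumes GNU binutils):
#   objdump -dr kmod.ko | kasan_calls_in kmod_init
#
# kasan_calls_in FUNC: read `objdump -dr` output on stdin and print the number
# of KASAN runtime references inside FUNC's disassembly block (objdump ends a
# block with an empty line).
kasan_calls_in() {
    fn="$1"
    awk -v fn="$fn" '
        $0 ~ ("<" fn ">:$") { inside = 1; next }        # start of FUNC block
        inside && /^$/     { inside = 0 }               # blank line ends block
        inside && /__asan_(load|store|report)/ { n++ }  # outline or inline mode
        END { print n + 0 }'
}

# Constructed sample 1: the single-loop version after gcc removed the dead
# array; only the printk loop survives and kmod_init has no __asan_* calls.
# A second function is included to show the count is scoped per function.
OPTIMIZED_AWAY='0000000000000000 <kmod_init>:
   0:	e8 00 00 00 00       	callq  5 <kmod_init+0x5>	1: R_X86_64_PLT32	__fentry__-0x4
   5:	55                   	push   %rbp
   6:	31 ed                	xor    %ebp,%ebp
   8:	89 ee                	mov    %ebp,%esi
   a:	89 ea                	mov    %ebp,%edx
   c:	48 c7 c7 00 00 00 00 	mov    $0x0,%rdi	f: R_X86_64_32S	.rodata.str1.1
  13:	e8 00 00 00 00       	callq  18 <kmod_init+0x18>	14: R_X86_64_PLT32	printk-0x4
  18:	83 c5 01             	add    $0x1,%ebp
  1b:	83 fd 14             	cmp    $0x14,%ebp
  1e:	75 e8                	jne    8 <kmod_init+0x8>
  20:	31 c0                	xor    %eax,%eax
  22:	5d                   	pop    %rbp
  23:	c3                   	retq

0000000000000024 <other_fn>:
  24:	e8 00 00 00 00       	callq  29 <other_fn+0x5>	25: R_X86_64_PLT32	__asan_load4_noabort-0x4
  29:	c3                   	retq
'

# Constructed sample 2: the access was kept, so the store and the load are
# each preceded by a call into the KASAN runtime with the address in %rdi.
INSTRUMENTED='0000000000000000 <kmod_init>:
   0:	e8 00 00 00 00       	callq  5 <kmod_init+0x5>	1: R_X86_64_PLT32	__fentry__-0x4
   5:	48 83 ec 20          	sub    $0x20,%rsp
   9:	48 8d 7c 24 10       	lea    0x10(%rsp),%rdi
   e:	e8 00 00 00 00       	callq  13 <kmod_init+0x13>	f: R_X86_64_PLT32	__asan_store4_noabort-0x4
  13:	89 5c 24 10          	mov    %ebx,0x10(%rsp)
  17:	48 8d 7c 24 10       	lea    0x10(%rsp),%rdi
  1c:	e8 00 00 00 00       	callq  21 <kmod_init+0x21>	1d: R_X86_64_PLT32	__asan_load4_noabort-0x4
  21:	8b 54 24 10          	mov    0x10(%rsp),%edx
  25:	e8 00 00 00 00       	callq  2a <kmod_init+0x2a>	26: R_X86_64_PLT32	printk-0x4
  2a:	48 83 c4 20          	add    $0x20,%rsp
  2e:	c3                   	retq
'

# Stand-alone demonstration on the constructed listings.
printf 'optimized-away kmod_init: %s\n' "$(printf '%s\n' "$OPTIMIZED_AWAY" | kasan_calls_in kmod_init)"
printf 'optimized-away other_fn:  %s\n' "$(printf '%s\n' "$OPTIMIZED_AWAY" | kasan_calls_in other_fn)"
printf 'instrumented kmod_init:   %s\n' "$(printf '%s\n' "$INSTRUMENTED" | kasan_calls_in kmod_init)"
```

A count of zero for the function under test means the question is not "why did KASAN miss it" but "why did the access disappear", which is what Willy's two-loop variant probes: reading the array back in a separate loop makes the stores observable, so the compiler must keep them and the instrumentation with them.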
