lists.openwall.net (Open Source and information security mailing list archives)
Message-Id: <20200902085513.748149-2-leon@kernel.org>
Date:   Wed,  2 Sep 2020 11:55:10 +0300
From:   Leon Romanovsky <leon@...nel.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Peter Oberparleiter <oberpar@...ux.ibm.com>
Cc:     Leon Romanovsky <leonro@...dia.com>, linux-kernel@...r.kernel.org,
        Colin Ian King <colin.king@...onical.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH rdma-next 1/4] gcov: Open-code kmemdup() to work correctly with kernel and user space pointers

From: Leon Romanovsky <leonro@...dia.com>

The kernel with KASAN and GCOV enabled generates the following splat
due to the situation that gcov_info can be both a user and a kernel pointer.

It is triggered by the memcpy() inside kmemdup(), so as a possible solution
let's copy fields manually.

 ==================================================================
 BUG: KASAN: global-out-of-bounds in kmemdup+0x43/0x70
 Read of size 120 at addr ffffffffa0d2c780 by task modprobe/296

 CPU: 0 PID: 296 Comm: modprobe Not tainted 5.9.0-rc1+ #1860
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Call Trace:
   dump_stack+0x128/0x1af
   print_address_description.constprop.0+0x2c/0x3f0
   _raw_spin_lock_irqsave+0x34/0xa0
   __kasan_check_read+0x1d/0x30
   kmemdup+0x43/0x70
   kmemdup+0x43/0x70
   gcov_info_dup+0x2d/0x730
   __kasan_check_write+0x20/0x30
   __mutex_unlock_slowpath+0x10d/0x740
   gcov_event+0x88d/0xd30
   gcov_module_notifier+0xe9/0x100
   notifier_call_chain+0xeb/0x170
   blocking_notifier_call_chain+0x75/0xc0
   __x64_sys_delete_module+0x326/0x5a0
   do_init_module+0x810/0x810
   syscall_enter_from_user_mode+0x40/0x420
   trace_hardirqs_on+0x45/0xb0
   syscall_enter_from_user_mode+0x40/0x420
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

 The buggy address belongs to the variable:
  __gcov_.uverbs_attr_get_obj+0x60/0xfffffffffff778e0 [mlx5_ib]

 Memory state around the buggy address:
  ffffffffa0d2c680: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  ffffffffa0d2c700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
 >ffffffffa0d2c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
                                                              ^
  ffffffffa0d2c800: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  ffffffffa0d2c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ==================================================================
 Disabling lock debugging due to kernel taint
 ---[ end trace 065ea9cc2ba144a6 ]---

Cc: Colin Ian King <colin.king@...onical.com>
Signed-off-by: Leon Romanovsky <leonro@...dia.com>
---
 kernel/gcov/gcc_4_7.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/gcov/gcc_4_7.c b/kernel/gcov/gcc_4_7.c
index 908fdf5098c3..6d706c5eed5c 100644
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -275,13 +275,13 @@ struct gcov_info *gcov_info_dup(struct gcov_info *info)
 	size_t fi_size; /* function info size */
 	size_t cv_size; /* counter values size */

-	dup = kmemdup(info, sizeof(*dup), GFP_KERNEL);
+	dup = kzalloc(sizeof(*dup), GFP_KERNEL);
 	if (!dup)
 		return NULL;

-	dup->next = NULL;
-	dup->filename = NULL;
-	dup->functions = NULL;
+	for (fi_idx = 0; fi_idx < GCOV_COUNTERS; fi_idx++)
+		dup->merge[fi_idx] = info->merge[fi_idx];
+	dup->n_functions = info->n_functions;

 	dup->filename = kstrdup(info->filename, GFP_KERNEL);
 	if (!dup->filename)
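Review bot: The splat quoted in the description does not show a user-vs-kernel pointer problem, and this hunk treats the symptom rather than the cause. The shadow row marked `>` has 14 zero bytes before the `f9` global redzone, i.e. 14 x 8 = 112 accessible bytes starting at ffffffffa0d2c780, while kmemdup() reads sizeof(*dup) = 120 bytes; the `__gcov_` object the compiler emitted into mlx5_ib is therefore 8 bytes smaller than `struct gcov_info` as laid out in kernel/gcov/gcc_4_7.c. Swapping kmemdup() for kzalloc() plus copies of `merge[]` and `n_functions` only stops touching the last 8 bytes; `info->n_functions` read here and the `info->functions` walk further down still trust the same layout. Please check the GCC version that built the module against the struct and GCOV_COUNTERS definitions in gcc_4_7.c and correct the layout instead. Two smaller points: kzalloc() zeroes every field that kmemdup() used to carry over, so any member of struct gcov_info not copied in this hunk (version and stamp are not visible here but, if present, end up zero in the duplicate and in any .gcda data written from it) needs a deliberate copy or a comment saying why zero is fine; and the loop over GCOV_COUNTERS reuses `fi_idx`, the function-info index, as a counter-type index, so a dedicated `ct_idx` would read better.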
--
2.26.2
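The size mismatch behind the splat can be read straight off the shadow-memory dump. The following is an added example, not code from the patch or from the kernel tree: it parses the KASAN report quoted in the description above (embedded as a constant), counts how many bytes are accessible from the faulting address before the first poisoned granule, and reports the overrun. It assumes generic KASAN, where one shadow byte describes an 8-byte granule; tag-based KASAN dumps are laid out differently and are not handled. The poison values in the table are the ones defined in mm/kasan/kasan.h.

```python
"""Size the overrun in a generic-KASAN report from its shadow-memory dump.

Added example, not code from the patch or the kernel tree. Assumes generic
KASAN (one shadow byte per 8-byte granule).
"""
import re
from typing import Dict, Tuple

SHADOW_GRANULE = 8  # bytes of memory described by one shadow byte

# Poison values from mm/kasan/kasan.h for the markers seen most often.
POISON = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf9: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "free page",
}

# Lines from the KASAN splat in the patch description above.
REPORT = """\
BUG: KASAN: global-out-of-bounds in kmemdup+0x43/0x70
Read of size 120 at addr ffffffffa0d2c780 by task modprobe/296
Memory state around the buggy address:
 ffffffffa0d2c680: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
 ffffffffa0d2c700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
>ffffffffa0d2c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
                                                             ^
 ffffffffa0d2c800: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
 ffffffffa0d2c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
SHADOW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2})+)\s*$")


def parse_report(text: str) -> Tuple[str, int, int, Dict[int, int]]:
    """Return (kind, size, addr, shadow); shadow maps each granule's
    memory address to its shadow byte."""
    m = ACCESS_RE.search(text)
    if m is None:
        raise ValueError("no 'Read/Write of size N at addr ...' line")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow: Dict[int, int] = {}
    for line in text.splitlines():
        row = SHADOW_RE.match(line)
        if row is None:
            continue  # BUG:, Call Trace, the '^' marker line, etc.
        base = int(row.group(1), 16)
        for i, tok in enumerate(row.group(2).split()):
            shadow[base + i * SHADOW_GRANULE] = int(tok, 16)
    return kind, size, addr, shadow


def accessible_from(shadow: Dict[int, int], addr: int) -> Tuple[int, str]:
    """Count bytes that may be touched starting at addr before a poisoned
    granule, and name the poison that ends the run."""
    granule = addr - addr % SHADOW_GRANULE
    skip = addr % SHADOW_GRANULE  # bytes of the first granule before addr
    count = 0
    while granule in shadow:
        b = shadow[granule]
        if b >= 0x80:
            return count, POISON.get(b, f"poison 0x{b:02x}")
        valid = SHADOW_GRANULE if b == 0 else b  # 1..7 = partial granule
        count += max(0, valid - skip)
        skip = 0
        if b != 0:
            return count, "partial granule (end of object)"
        granule += SHADOW_GRANULE
    return count, "end of dump"


def analyze(text: str) -> dict:
    """How far the reported access runs past valid memory."""
    kind, size, addr, shadow = parse_report(text)
    avail, boundary = accessible_from(shadow, addr)
    return {
        "kind": kind,
        "size": size,
        "addr": addr,
        "accessible": avail,
        "overrun": max(0, size - avail),
        "boundary": boundary,
    }


if __name__ == "__main__":
    r = analyze(REPORT)
    print(f"{r['kind']} of {r['size']} bytes at {r['addr']:#x}: "
          f"{r['accessible']} bytes valid, overrun {r['overrun']} "
          f"into {r['boundary']}")
```

For the report above this yields 112 accessible bytes against a 120-byte read, an 8-byte overrun into the global redzone: the `__gcov_` object compiled into mlx5_ib is 8 bytes shorter than the kernel's own `struct gcov_info`, which is the size `kmemdup()` copies. That number is what to compare against the struct and GCOV_COUNTERS definitions in kernel/gcov/gcc_4_7.c for the compiler version that built the module.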
