| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201002134944.GA8205@PWN>
Date: Fri, 2 Oct 2020 09:49:44 -0400
From: Peilin Ye <yepeilin.cs@...il.com>
To: syzbot <syzbot+85433a479a646a064ab3@...kaller.appspotmail.com>
Cc: axboe@...nel.dk, glider@...gle.com, linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
Anant Thazhemadam <anant.thazhemadam@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: KMSAN: kernel-infoleak in scsi_cmd_ioctl
On Mon, Aug 31, 2020 at 03:28:22AM -0700, syzbot wrote:
> BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> CPU: 1 PID: 12272 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x21c/0x280 lib/dump_stack.c:118
> kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
> kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
> kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> instrument_copy_to_user include/linux/instrumented.h:91 [inline]
> _copy_to_user+0x18e/0x260 lib/usercopy.c:33
> scsi_put_cdrom_generic_arg include/linux/uaccess.h:170 [inline]
+ Cc: Greg Kroah-Hartman
+ Cc: Anant Thazhemadam
Hi all,
In looking at the report, I guess this patch should fix the issue, there's
a 3-byte hole in `struct compat_cdrom_generic_command`:
[PATCH v3] block/scsi-ioctl: Prevent kernel-infoleak in scsi_put_cdrom_generic_arg()
https://lore.kernel.org/lkml/20200909095057.1214104-1-yepeilin.cs@gmail.com/
But I cannot verify it, since syzbot doesn't have a reproducer for it.
The patch adds a 3-byte padding field to `struct
compat_cdrom_generic_command`. It hasn't been accepted yet.
> Local variable ----cgc32.i42.i@...i_cmd_ioctl created at:
> scsi_put_cdrom_generic_arg block/scsi_ioctl.c:695 [inline]
#ifdef CONFIG_COMPAT
if (in_compat_syscall()) {
struct compat_cdrom_generic_command
[...]
$ # before
$ pahole -C "compat_cdrom_generic_command" !$
pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
unsigned char cmd[12]; /* 0 12 */
compat_caddr_t buffer; /* 12 4 */
compat_uint_t buflen; /* 16 4 */
compat_int_t stat; /* 20 4 */
compat_caddr_t sense; /* 24 4 */
unsigned char data_direction; /* 28 1 */
/* XXX 3 bytes hole, try to pack */
compat_int_t quiet; /* 32 4 */
compat_int_t timeout; /* 36 4 */
compat_caddr_t reserved[1]; /* 40 4 */
/* size: 44, cachelines: 1, members: 9 */
/* sum members: 41, holes: 1, sum holes: 3 */
/* last cacheline: 44 bytes */
};
$ # after
$ pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
unsigned char cmd[12]; /* 0 12 */
compat_caddr_t buffer; /* 12 4 */
compat_uint_t buflen; /* 16 4 */
compat_int_t stat; /* 20 4 */
compat_caddr_t sense; /* 24 4 */
unsigned char data_direction; /* 28 1 */
unsigned char pad[3]; /* 29 3 */
compat_int_t quiet; /* 32 4 */
compat_int_t timeout; /* 36 4 */
compat_caddr_t reserved[1]; /* 40 4 */
/* size: 44, cachelines: 1, members: 10 */
/* last cacheline: 44 bytes */
};
$ _
Thank you,
Peilin Ye
Powered by blists - more mailing lists