lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20210217155536.2986178-1-snovitoll@gmail.com>
Date:   Wed, 17 Feb 2021 21:55:36 +0600
From:   Sabyrzhan Tasbolatov <snovitoll@...il.com>
To:     gregkh@...uxfoundation.org
Cc:     jirislaby@...nel.org, linux-kernel@...r.kernel.org,
        snovitoll@...il.com,
        syzbot+3d2c27c2b7dc2a94814d@...kaller.appspotmail.com
Subject: [PATCH v2] tty: fix when iov_iter_count() returns 0 in tty_write()

syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0,
therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT
warning.

static inline ssize_t do_tty_write()
{
..
	size_t count = iov_iter_count(from);
..
		size_t size = count;
		if (ret != size)
			iov_iter_revert(from, size-ret);

[1] WARNING: lib/iov_iter.c:1090
Call Trace:
 do_tty_write drivers/tty/tty_io.c:967 [inline]
 file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658

Fixes: 9bb48c82aced ("tty: implement write_iter")
Reported-by: syzbot+3d2c27c2b7dc2a94814d@...kaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@...il.com>
---

v2: Fixed "Fixed" tag to proper commit and changed write return to -EFAULT
as this statement is valid, tested via strace:

write(3, NULL, 0)                       = -1 EFAULT (Bad address)

Updated to -EFAULT, should be a valid exit code as
copy_from_iter(.., .., from) returns -EFAULT as well if *from is invalid
address.

>
> Nit, you need a ' ' before your '(' character here, otherwise the
> linux-next scripts will complain.

> Also, you got the git commit id wrong, so this needs to be fixed up
> anyway.  You are pointing to a merge point, I doubt that's what you want
> to point to here, right?

Thanks!
---
 drivers/tty/tty_io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 816e709afa56..e1460cad8b7d 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -905,6 +905,9 @@ static inline ssize_t do_tty_write(
 	ssize_t ret, written = 0;
 	unsigned int chunk;
 
+	if (!count)
+		return -EFAULT;
+
 	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
 	if (ret < 0)
 		return ret;
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ