lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 19 Feb 2021 10:17:55 +0100
From:   Jiri Slaby <jirislaby@...nel.org>
To:     Sabyrzhan Tasbolatov <snovitoll@...il.com>,
        gregkh@...uxfoundation.org
Cc:     linux-kernel@...r.kernel.org,
        syzbot+3d2c27c2b7dc2a94814d@...kaller.appspotmail.com
Subject: Re: [PATCH v2] tty: fix when iov_iter_count() returns 0 in
 tty_write()

On 17. 02. 21, 16:55, Sabyrzhan Tasbolatov wrote:
> syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0,
> therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT
> warning.
> 
> static inline ssize_t do_tty_write()
> {
> ..
> 	size_t count = iov_iter_count(from);
> ..
> 		size_t size = count;
> 		if (ret != size)
> 			iov_iter_revert(from, size-ret);
> 
> [1] WARNING: lib/iov_iter.c:1090
> Call Trace:
>   do_tty_write drivers/tty/tty_io.c:967 [inline]
>   file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048
>   call_write_iter include/linux/fs.h:1901 [inline]
>   new_sync_write+0x426/0x650 fs/read_write.c:518
>   vfs_write+0x791/0xa30 fs/read_write.c:605
>   ksys_write+0x12d/0x250 fs/read_write.c:658
> 
> Fixes: 9bb48c82aced ("tty: implement write_iter")
> Reported-by: syzbot+3d2c27c2b7dc2a94814d@...kaller.appspotmail.com
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@...il.com>
> ---
> 
> v2: Fixed "Fixed" tag to proper commit and changed write return to -EFAULT
> as this statement is valid, tested via strace:
> 
> write(3, NULL, 0)                       = -1 EFAULT (Bad address)
> 
> Updated to -EFAULT, should be a valid exit code as
> copy_from_iter(.., .., from) returns -EFAULT as well if *from is invalid
> address.

Exactly, EFAULT is for invalid memory accesses. But this should be IMO 
EINVAL as it's an invalid argument.

BTW what's the reason vfs calls ->write with zero count of iter?

>> Nit, you need a ' ' before your '(' character here, otherwise the
>> linux-next scripts will complain.
> 
>> Also, you got the git commit id wrong, so this needs to be fixed up
>> anyway.  You are pointing to a merge point, I doubt that's what you want
>> to point to here, right?
> 
> Thanks!
> ---
>   drivers/tty/tty_io.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> index 816e709afa56..e1460cad8b7d 100644
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -905,6 +905,9 @@ static inline ssize_t do_tty_write(
>   	ssize_t ret, written = 0;
>   	unsigned int chunk;
>   
> +	if (!count)
> +		return -EFAULT;
> +
>   	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
>   	if (ret < 0)
>   		return ret;
> 


-- 
js

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ