| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Jun 2021 15:35:14 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Qian Cai <quic_qiancai@...cinc.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
David Sterba <dsterba@...e.com>,
Miklos Szeredi <miklos@...redi.hu>,
Anton Altaparmakov <anton@...era.com>,
David Howells <dhowells@...hat.com>,
Matthew Wilcox <willy@...radead.org>,
Pavel Begunkov <asml.silence@...il.com>
Subject: Re: [RFC][PATCHSET] iov_iter work
On Thu, Jun 10, 2021 at 10:29:59AM -0400, Qian Cai wrote:
> Al, a quick fuzzing on today's linux-next triggered this. I never saw this before, so I am wondering if this is anything to do with this series. I could try to narrow it down and bisect if necessary. Any thoughts?
Do you have a reproducer?
> [ 1904.633865][T14444] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x65c/0x760
> [ 1904.641445][T14444] Read of size 8 at addr ffff80002692faf8 by task trinity-c30/14444
> [ 1904.649275][T14444]
> [ 1904.651461][T14444] CPU: 28 PID: 14444 Comm: trinity-c30 Not tainted 5.13.0-rc5-next-20210610+ #24
> [ 1904.660419][T14444] Hardware name: MiTAC RAPTOR EV-883832-X3-0001/RAPTOR, BIOS 1.6 06/28/2020
> [ 1904.668944][T14444] Call trace:
> [ 1904.672084][T14444] dump_backtrace+0x0/0x3b8
> [ 1904.676445][T14444] show_stack+0x20/0x30
> [ 1904.680454][T14444] dump_stack_lvl+0x144/0x190
> [ 1904.684987][T14444] print_address_description.constprop.0+0xd0/0x3c8
> [ 1904.691432][T14444] kasan_report+0x1f0/0x208
> [ 1904.695787][T14444] __asan_report_load8_noabort+0x34/0x60
> [ 1904.701274][T14444] iov_iter_revert+0x65c/0x760
> iov_iter_revert at /usr/src/linux-next/lib/iov_iter.c:1118
*blink*
<checks -next>
Ah, the line numbers are shifted by gfs2 stuff.
> (inlined by) iov_iter_revert at /usr/src/linux-next/lib/iov_iter.c:1058
> [ 1904.705891][T14444] netlink_sendmsg+0x870/0xa18
> netlink_sendmsg at /usr/src/linux-next/net/netlink/af_netlink.c:1913
call of memcpy_from_skb(), calling copy_from_iter_full(), which
calls iov_iter_revert() on failure now...
Bloody hell. Incremental, to be folded in:
diff --git a/include/linux/uio.h b/include/linux/uio.h
index fd88d9911dad..82c3c3e819e0 100644
--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -154,7 +154,7 @@ bool copy_from_iter_full(void *addr, size_t bytes, struct iov_iter *i)
size_t copied = copy_from_iter(addr, bytes, i);
if (likely(copied == bytes))
return true;
- iov_iter_revert(i, bytes - copied);
+ iov_iter_revert(i, copied);
return false;
}
@@ -173,7 +173,7 @@ bool copy_from_iter_full_nocache(void *addr, size_t bytes, struct iov_iter *i)
size_t copied = copy_from_iter_nocache(addr, bytes, i);
if (likely(copied == bytes))
return true;
- iov_iter_revert(i, bytes - copied);
+ iov_iter_revert(i, copied);
return false;
}
@@ -282,7 +282,7 @@ bool csum_and_copy_from_iter_full(void *addr, size_t bytes,
size_t copied = csum_and_copy_from_iter(addr, bytes, csum, i);
if (likely(copied == bytes))
return true;
- iov_iter_revert(i, bytes - copied);
+ iov_iter_revert(i, copied);
return false;
}
size_t hash_and_copy_to_iter(const void *addr, size_t bytes, void *hashp,
Powered by blists - more mailing lists