lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <edcf6946-1c47-c01a-e795-e874f42b2e2d@intel.com>
Date:   Mon, 11 Jul 2022 10:48:16 +0300
From:   Adrian Hunter <adrian.hunter@...el.com>
To:     Luis Chamberlain <mcgrof@...nel.org>
Cc:     Aaron Tomlin <atomlin@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Jiri Olsa <jolsa@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] modules: Fix corruption of /proc/kallsyms

On 2/07/22 00:40, Luis Chamberlain wrote:
> On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
>> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
>> file") changed from using strlcpy() to using strscpy() which created a
>> buffer overflow. That happened because:
>>  1) an incorrect value was passed as the buffer length
>>  2) strscpy() (unlike strlcpy()) may copy beyond the length of the
>>     input string when copying word-by-word.
>> The assumption was that because it was already known that the strings
>> being copied would fit in the space available, it was not necessary
>> to correctly set the buffer length.  strscpy() breaks that assumption
>> because although it will not touch bytes beyond the given buffer length
>> it may write bytes beyond the input string length when writing
>> word-by-word.
>>
>> The result of the buffer overflow is to corrupt the symbol type
>> information that follows. e.g.
>>
>>  $ sudo cat -v /proc/kallsyms | grep '\^' | head
>>  ffffffffc0615000 ^@ rfcomm_session_get  [rfcomm]
>>  ffffffffc061c060 ^@ session_list        [rfcomm]
>>  ffffffffc06150d0 ^@ rfcomm_send_frame   [rfcomm]
>>  ffffffffc0615130 ^@ rfcomm_make_uih     [rfcomm]
>>  ffffffffc07ed58d ^@ bnep_exit   [bnep]
>>  ffffffffc07ec000 ^@ bnep_rx_control     [bnep]
>>  ffffffffc07ec1a0 ^@ bnep_session        [bnep]
>>  ffffffffc07e7000 ^@ input_leds_event    [input_leds]
>>  ffffffffc07e9000 ^@ input_leds_handler  [input_leds]
>>  ffffffffc07e7010 ^@ input_leds_disconnect       [input_leds]
>>
>> Notably, the null bytes (represented above by ^@) can confuse tools.
>>
>> Fix by correcting the buffer length.
>>
>> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
>> Signed-off-by: Adrian Hunter <adrian.hunter@...el.com>
> 
> Queued up thanks!
> 
>   Luis

Thanks for processing this.

I notice it is -rc6 and I do not see it in Linus' tree. This is a fix
for a regression, shouldn't it be included in 5.19?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ