lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 26 Jul 2022 14:40:48 -0700
From:   Dipanjan Das <mail.dipanjan.das@...il.com>
To:     Takashi Iwai <tiwai@...e.de>
Cc:     Greg KH <gregkh@...uxfoundation.org>, perex@...ex.cz,
        tiwai@...e.com, consult.awy@...il.com, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org, syzkaller@...glegroups.com,
        fleischermarius@...glemail.com, its.priyanka.bose@...il.com
Subject: Re: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params

On Sat, Jul 23, 2022 at 3:17 AM Takashi Iwai <tiwai@...e.de> wrote:
>
> On Sat, 23 Jul 2022 09:00:08 +0200,
> Greg KH wrote:
> >
> > Wondeful, do you have a fix for this that solves the reported problem
> > that you have tested with the reproducer?
>
> ... or at least more detailed information.

Here is our analysis of the bug in the kernel v5.10.131.

During allocation, the `size` of the DMA buffer is not page-aligned:
https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/memalloc.c#L149.
However, in sound/core/pcm_native.c:798
(https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/pcm_native.c#L798),
the `size` variable is page-aligned before memset-ing the `dma_area`.
>From the other BUG_ON assertions in other parts of the code, it looks
like the DMA area is not supposed to be equal to or greater than
0x200000 bytes. However, due to page-alignment, the `size` can indeed
get rounded up to 0x200000 which causes the out of bound access.

> Last but not least, you should check whether it's specific to your
> 5.10.x kernel or it's also seen with the latest upstream, too.

The bug is not reproducible on the latest mainline, because in
sound/core/memalloc.c:66
(https://github.com/torvalds/linux/blob/5de64d44968e4ae66ebdb0a2d08b443f189d3651/sound/core/memalloc.c#L66)
the allocation function `snd_dma_alloc_dir_pages()` now page-aligns
the `size` right before allocating the DMA buffer. Therefore, any
subsequent page-alignment, like the one in `snd_pcm_hw_params()` does
not cause an out of bound access.

-- 
Thanks and Regards,

Dipanjan

Powered by blists - more mailing lists