lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Jul 2022 14:40:48 -0700 From: Dipanjan Das <mail.dipanjan.das@...il.com> To: Takashi Iwai <tiwai@...e.de> Cc: Greg KH <gregkh@...uxfoundation.org>, perex@...ex.cz, tiwai@...e.com, consult.awy@...il.com, alsa-devel@...a-project.org, linux-kernel@...r.kernel.org, syzkaller@...glegroups.com, fleischermarius@...glemail.com, its.priyanka.bose@...il.com Subject: Re: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params On Sat, Jul 23, 2022 at 3:17 AM Takashi Iwai <tiwai@...e.de> wrote: > > On Sat, 23 Jul 2022 09:00:08 +0200, > Greg KH wrote: > > > > Wondeful, do you have a fix for this that solves the reported problem > > that you have tested with the reproducer? > > ... or at least more detailed information. Here is our analysis of the bug in the kernel v5.10.131. During allocation, the `size` of the DMA buffer is not page-aligned: https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/memalloc.c#L149. However, in sound/core/pcm_native.c:798 (https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/pcm_native.c#L798), the `size` variable is page-aligned before memset-ing the `dma_area`. >From the other BUG_ON assertions in other parts of the code, it looks like the DMA area is not supposed to be equal to or greater than 0x200000 bytes. However, due to page-alignment, the `size` can indeed get rounded up to 0x200000 which causes the out of bound access. > Last but not least, you should check whether it's specific to your > 5.10.x kernel or it's also seen with the latest upstream, too. The bug is not reproducible on the latest mainline, because in sound/core/memalloc.c:66 (https://github.com/torvalds/linux/blob/5de64d44968e4ae66ebdb0a2d08b443f189d3651/sound/core/memalloc.c#L66) the allocation function `snd_dma_alloc_dir_pages()` now page-aligns the `size` right before allocating the DMA buffer. Therefore, any subsequent page-alignment, like the one in `snd_pcm_hw_params()` does not cause an out of bound access. -- Thanks and Regards, Dipanjan
Powered by blists - more mailing lists