lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKXUXMz6EmQJqKg6UNC+qD8GLUpmHfhS7OH9X6tWKpLjFpKfSg@mail.gmail.com>
Date:   Wed, 27 Jul 2022 06:06:45 +0200
From:   Lukas Bulwahn <lukas.bulwahn@...il.com>
To:     Dipanjan Das <mail.dipanjan.das@...il.com>
Cc:     Takashi Iwai <tiwai@...e.de>, Greg KH <gregkh@...uxfoundation.org>,
        Jaroslav Kysela <perex@...ex.cz>,
        Takashi Iwai <tiwai@...e.com>, consult.awy@...il.com,
        alsa-devel@...a-project.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        fleischermarius@...glemail.com, its.priyanka.bose@...il.com
Subject: Re: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params

On Tue, Jul 26, 2022 at 11:41 PM Dipanjan Das
<mail.dipanjan.das@...il.com> wrote:
>
> On Sat, Jul 23, 2022 at 3:17 AM Takashi Iwai <tiwai@...e.de> wrote:
> >
> > On Sat, 23 Jul 2022 09:00:08 +0200,
> > Greg KH wrote:
> > >
> > > Wondeful, do you have a fix for this that solves the reported problem
> > > that you have tested with the reproducer?
> >
> > ... or at least more detailed information.
>
> Here is our analysis of the bug in the kernel v5.10.131.
>
> During allocation, the `size` of the DMA buffer is not page-aligned:
> https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/memalloc.c#L149.
> However, in sound/core/pcm_native.c:798
> (https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/pcm_native.c#L798),
> the `size` variable is page-aligned before memset-ing the `dma_area`.
> From the other BUG_ON assertions in other parts of the code, it looks
> like the DMA area is not supposed to be equal to or greater than
> 0x200000 bytes. However, due to page-alignment, the `size` can indeed
> get rounded up to 0x200000 which causes the out of bound access.
>
> > Last but not least, you should check whether it's specific to your
> > 5.10.x kernel or it's also seen with the latest upstream, too.
>
> The bug is not reproducible on the latest mainline, because in
> sound/core/memalloc.c:66
> (https://github.com/torvalds/linux/blob/5de64d44968e4ae66ebdb0a2d08b443f189d3651/sound/core/memalloc.c#L66)
> the allocation function `snd_dma_alloc_dir_pages()` now page-aligns
> the `size` right before allocating the DMA buffer. Therefore, any
> subsequent page-alignment, like the one in `snd_pcm_hw_params()` does
> not cause an out of bound access.
>

Great analysis!

Now, you would just need to identify the specific commit in the
mainline repository, where 'function `snd_dma_alloc_dir_pages()` now
page-aligns the `size` right before allocating the DMA buffer.', and
then ask for applying that commit to the v5.10 stable branch,
following the guide from
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html.
Greg KH and Sasha Levin are then going to let you know if that works
or needs rework to backport.


Lukas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ