lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 27 Jul 2022 07:25:33 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Dipanjan Das <mail.dipanjan.das@...il.com>
Cc:     Greg KH <gregkh@...uxfoundation.org>, perex@...ex.cz,
        tiwai@...e.com, consult.awy@...il.com, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org, syzkaller@...glegroups.com,
        fleischermarius@...glemail.com, its.priyanka.bose@...il.com
Subject: Re: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params

On Tue, 26 Jul 2022 23:40:48 +0200,
Dipanjan Das wrote:
> 
> On Sat, Jul 23, 2022 at 3:17 AM Takashi Iwai <tiwai@...e.de> wrote:
> >
> > On Sat, 23 Jul 2022 09:00:08 +0200,
> > Greg KH wrote:
> > >
> > > Wondeful, do you have a fix for this that solves the reported problem
> > > that you have tested with the reproducer?
> >
> > ... or at least more detailed information.
> 
> Here is our analysis of the bug in the kernel v5.10.131.
> 
> During allocation, the `size` of the DMA buffer is not page-aligned:
> https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/memalloc.c#L149.
> However, in sound/core/pcm_native.c:798
> (https://elixir.bootlin.com/linux/v5.10.131/source/sound/core/pcm_native.c#L798),
> the `size` variable is page-aligned before memset-ing the `dma_area`.
> >From the other BUG_ON assertions in other parts of the code, it looks
> like the DMA area is not supposed to be equal to or greater than
> 0x200000 bytes. However, due to page-alignment, the `size` can indeed
> get rounded up to 0x200000 which causes the out of bound access.
> 
> > Last but not least, you should check whether it's specific to your
> > 5.10.x kernel or it's also seen with the latest upstream, too.
> 
> The bug is not reproducible on the latest mainline, because in
> sound/core/memalloc.c:66
> (https://github.com/torvalds/linux/blob/5de64d44968e4ae66ebdb0a2d08b443f189d3651/sound/core/memalloc.c#L66)
> the allocation function `snd_dma_alloc_dir_pages()` now page-aligns
> the `size` right before allocating the DMA buffer. Therefore, any
> subsequent page-alignment, like the one in `snd_pcm_hw_params()` does
> not cause an out of bound access.

Thanks for the analysis.  A good news is that, at least for the
vmalloc() case, it's a kind of false-positive; vmalloc() always takes
the full pages, so practically seen, the size is page-aligned.  It's
fooling the memory checker, though.

But the similar problem could be seen with genalloc calls, and this
was fixed by the upstream commit
5c1733e33c888a3cb7f576564d8ad543d5ad4a9e
    ALSA: memalloc: Align buffer allocations in page size

I suppose you can simply backport this commit to 5.10.y.  Could you
confirm that this fixes your problem?


thanks,

Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ