| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220926100933.4532f987@gandalf.local.home>
Date: Mon, 26 Sep 2022 10:09:33 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Kassey Li <quic_yingangl@...cinc.com>
Cc: mingo@...hat.com, tj@...nel.org, william.kucharski@...cle.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] cgroup: align the comm length with TASK_COMM_LEN
On Fri, 23 Sep 2022 15:51:05 +0800
Kassey Li <quic_yingangl@...cinc.com> wrote:
> __string could get a dst string with length less than
> TASK_COMM_LEN.
>
> A task->comm may change that can cause out of bounds access
> for the dst string buffer, e.g in the call trace of below:
>
> Call trace:
>
> dump_backtrace.cfi_jt+0x0/0x4
> show_stack+0x14/0x1c
> dump_stack+0xa0/0xd8
> die_callback+0x248/0x24c
> notify_die+0x7c/0xf8
> die+0xac/0x290
> die_kernel_fault+0x88/0x98
> die_kernel_fault+0x0/0x98
> do_page_fault+0xa0/0x544
> do_mem_abort+0x60/0x10c
> el1_da+0x1c/0xc4
> trace_event_raw_event_cgroup_migrate+0x124/0x170
You're sure the above is on the strcpy()?
Note, this code has __string() which does a strlen() which appears to be
working fine.
> cgroup_attach_task+0x2e8/0x41c
> __cgroup1_procs_write+0x114/0x1ec
> cgroup1_tasks_write+0x10/0x18
> cgroup_file_write+0xa4/0x208
> kernfs_fop_write+0x1f0/0x2f4
> __vfs_write+0x5c/0x200
> vfs_write+0xe0/0x1a0
> ksys_write+0x74/0xdc
> __arm64_sys_write+0x18/0x20
> el0_svc_common+0xc0/0x1a4
> el0_svc_compat_handler+0x18/0x20
> el0_svc_compat+0x8/0x2c
Can you give the full debug report, that includes the register content and
everything else.
-- Steve
Powered by blists - more mailing lists