| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9f0e7048-561d-92d9-0888-4d3fe581674d@quicinc.com>
Date: Wed, 28 Sep 2022 15:35:57 +0800
From: Kassey Li <quic_yingangl@...cinc.com>
To: Steven Rostedt <rostedt@...dmis.org>
CC: <mingo@...hat.com>, <tj@...nel.org>,
<william.kucharski@...cle.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] cgroup: align the comm length with TASK_COMM_LEN
On 9/26/2022 10:09 PM, Steven Rostedt wrote:
> On Fri, 23 Sep 2022 15:51:05 +0800
> Kassey Li <quic_yingangl@...cinc.com> wrote:
>
>> __string could get a dst string with length less than
>> TASK_COMM_LEN.
>>
>> A task->comm may change that can cause out of bounds access
>> for the dst string buffer, e.g in the call trace of below:
>>
>> Call trace:
>>
>> dump_backtrace.cfi_jt+0x0/0x4
>> show_stack+0x14/0x1c
>> dump_stack+0xa0/0xd8
>> die_callback+0x248/0x24c
>> notify_die+0x7c/0xf8
>> die+0xac/0x290
>> die_kernel_fault+0x88/0x98
>> die_kernel_fault+0x0/0x98
>> do_page_fault+0xa0/0x544
>> do_mem_abort+0x60/0x10c
>> el1_da+0x1c/0xc4
>
>> trace_event_raw_event_cgroup_migrate+0x124/0x170
>
> You're sure the above is on the strcpy()?
>
> Note, this code has __string() which does a strlen() which appears to be
> working fine.
>
>> cgroup_attach_task+0x2e8/0x41c
>> __cgroup1_procs_write+0x114/0x1ec
>> cgroup1_tasks_write+0x10/0x18
>> cgroup_file_write+0xa4/0x208
>> kernfs_fop_write+0x1f0/0x2f4
>> __vfs_write+0x5c/0x200
>> vfs_write+0xe0/0x1a0
>> ksys_write+0x74/0xdc
>> __arm64_sys_write+0x18/0x20
>> el0_svc_common+0xc0/0x1a4
>> el0_svc_compat_handler+0x18/0x20
>> el0_svc_compat+0x8/0x2c
>
> Can you give the full debug report, that includes the register content and
> everything else.
>
> -- Steve
hiļ¼Steve:
I simulate a what I supposed problem, but it did not panic.
I will use kasan to debug further. thanks for your review and suggest
on this problem. abandon this patch now currently, if there is new
proved problem, I will come again.
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 637d25c31374..d219d9f45529 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1389,6 +1389,7 @@ struct task_struct {
ANDROID_KABI_RESERVE(7);
ANDROID_KABI_RESERVE(8);
+ char comm1[32];
/*
* New fields for task_struct should be added above here, so that
* they are included in the randomized portion of task_struct.
diff --git a/include/trace/events/cgroup.h b/include/trace/events/cgroup.h
index dd7d7c9efecd..da2426c7f99b 100644
--- a/include/trace/events/cgroup.h
+++ b/include/trace/events/cgroup.h
@@ -139,7 +139,7 @@ DECLARE_EVENT_CLASS(cgroup_migrate,
__entry->dst_level = dst_cgrp->level;
__assign_str(dst_path, path);
__entry->pid = task->pid;
- __assign_str(comm, task->comm);
+ __assign_str(comm, task->comm1);
),
TP_printk("dst_root=%d dst_id=%llu dst_level=%d dst_path=%s
pid=%d comm=%s",
diff --git a/kernel/fork.c b/kernel/fork.c
index 58409b7178c2..4e0c564852c6 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1443,6 +1443,7 @@ static int copy_mm(unsigned long clone_flags,
struct task_struct *tsk)
tsk->last_switch_count = tsk->nvcsw + tsk->nivcsw;
tsk->last_switch_time = 0;
#endif
+ strlcpy(tsk->comm1, "012345678901234567890123456789", 30);
tsk->mm = NULL;
tsk->active_mm = NULL;
# cat /sys/kernel/tracing/trace_pipe
sh-874 [007] d..2 142.097349:
cgroup_notify_populated: root=1 id=49 level=1 path=/top-app val=1
sh-874 [007] d..1 142.097405: cgroup_attach_task:
dst_root=1 dst_id=49 dst_level=1 dst_path=/top-app pid=1
comm=01234567890123456789012345678
Powered by blists - more mailing lists