| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 Oct 2022 16:39:07 +0500
From: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
To: Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
johannes@...solutions.net, linville@...driver.com,
Kees Cook <keescook@...omium.org>,
Linux List Kernel Mailing <linux-wireless@...r.kernel.org>
Subject: [bug][6.1] Enable run-time checking of dynamic memcpy() and memmove()
lengths causes warning on every boot at net/wireless/wext-core.c:623 (size 4)
Hi!
Enable run-time checking of dynamic memcpy() and memmove() lengths
causes warning on every boot:
[ 19.544552] ------------[ cut here ]------------
[ 19.545634] memcpy: detected field-spanning write (size 16) of
single field "&compat_event->pointer" at net/wireless/wext-core.c:623
(size 4)
[ 19.546503] WARNING: CPU: 14 PID: 9 at net/wireless/wext-core.c:623
wireless_send_event+0x482/0x490
[ 19.547052] Modules linked in: nft_objref nf_conntrack_netbios_ns
nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set
nf_tables nfnetlink qrtr bnep intel_rapl_msr intel_rapl_common
snd_sof_amd_renoir sunrpc snd_sof_amd_acp mt7921e mt7921_common
snd_sof_pci mt76_connac_lib snd_hda_codec_realtek snd_sof
snd_hda_codec_generic snd_hda_codec_hdmi snd_sof_utils mt76
snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi edac_mce_amd
binfmt_misc snd_hda_codec mac80211 snd_soc_core kvm_amd snd_hda_core
vfat btusb fat btrtl btbcm snd_hwdep snd_compress snd_seq ac97_bus
btintel snd_seq_device snd_pcm_dmaengine btmtk libarc4 snd_pci_acp6x
kvm snd_pcm snd_pci_acp5x irqbypass bluetooth snd_timer
snd_rn_pci_acp3x cfg80211 rapl pcspkr snd_acp_config snd joydev
snd_soc_acpi asus_nb_wmi wmi_bmof soundcore snd_pci_acp3x i2c_piix4
k10temp asus_wireless amd_pmc
[ 19.547126] zram amdgpu drm_ttm_helper ttm hid_asus asus_wmi
ledtrig_audio iommu_v2 sparse_keymap gpu_sched platform_profile
drm_buddy hid_multitouch crct10dif_pclmul crc32_pclmul rfkill
drm_display_helper ucsi_acpi crc32c_intel nvme serio_raw
ghash_clmulni_intel typec_ucsi video ccp nvme_core sp5100_tco cec
r8169 typec wmi i2c_hid_acpi i2c_hid ip6_tables ip_tables fuse
[ 19.551473] CPU: 14 PID: 9 Comm: kworker/u32:0 Tainted: G W
L 6.0.0-latest-a6afa4199d3d038fbfdff5511f7523b0e30cb774+ #117
[ 19.552099] Hardware name: ASUSTeK COMPUTER INC. ROG Strix
G513QY_G513QY/G513QY, BIOS G513QY.318 03/29/2022
[ 19.552732] Workqueue: phy0 ieee80211_iface_work [mac80211]
[ 19.553387] RIP: 0010:wireless_send_event+0x482/0x490
[ 19.553999] Code: cf fd ff ff b9 04 00 00 00 48 89 ee 48 89 04 24
48 c7 c2 10 17 9a 96 48 c7 c7 00 3d 84 96 c6 05 e1 00 14 01 01 e8 c3
ab 04 00 <0f> 0b 48 8b 04 24 e9 9e fd ff ff 0f 1f 00 0f 1f 44 00 00 41
56 49
[ 19.554664] RSP: 0018:ffffb7ec40147798 EFLAGS: 00010292
[ 19.555543] RAX: 0000000000000081 RBX: ffff92d213144e00 RCX: 0000000000000000
[ 19.556804] RDX: 0000000000000001 RSI: ffffffff968d45b5 RDI: 00000000ffffffff
[ 19.557495] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffb7ec40147648
[ 19.558135] R10: 0000000000000003 R11: ffff92e11d2fffe8 R12: ffffffff965b695c
[ 19.558792] R13: ffff92d23678e000 R14: 0000000000000014 R15: ffff92d213145b00
[ 19.559448] FS: 0000000000000000(0000) GS:ffff92e0d9a00000(0000)
knlGS:0000000000000000
[ 19.560081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.560727] CR2: 00007f0d080323e8 CR3: 000000013ee88000 CR4: 0000000000750ee0
[ 19.561594] PKRU: 55555554
[ 19.562579] Call Trace:
[ 19.563288] <TASK>
[ 19.563944] __cfg80211_connect_result+0x3cb/0x7c0 [cfg80211]
[ 19.564613] ? cfg80211_rx_assoc_resp+0x1df/0x2f0 [cfg80211]
[ 19.565248] cfg80211_rx_assoc_resp+0x1df/0x2f0 [cfg80211]
[ 19.565922] ieee80211_rx_mgmt_assoc_resp.cold+0x2b3/0x1cbe [mac80211]
[ 19.566622] ieee80211_sta_rx_queued_mgmt+0x15c/0x920 [mac80211]
[ 19.567413] ? mark_held_locks+0x50/0x80
[ 19.568357] ? _raw_spin_unlock_irqrestore+0x30/0x60
[ 19.569161] ? _raw_spin_unlock_irqrestore+0x30/0x60
[ 19.569789] ? lockdep_hardirqs_on+0x7d/0x100
[ 19.570412] ? _raw_spin_unlock_irqrestore+0x40/0x60
[ 19.571022] ieee80211_iface_work+0x32c/0x450 [mac80211]
[ 19.571681] process_one_work+0x2a0/0x600
[ 19.572296] worker_thread+0x4f/0x3a0
[ 19.572923] ? process_one_work+0x600/0x600
[ 19.573777] kthread+0xf5/0x120
[ 19.574737] ? kthread_complete_and_exit+0x20/0x20
[ 19.575439] ret_from_fork+0x22/0x30
[ 19.576052] </TASK>
[ 19.576668] irq event stamp: 225109
[ 19.577260] hardirqs last enabled at (225117):
[<ffffffff9518c2be>] __up_console_sem+0x5e/0x70
[ 19.577886] hardirqs last disabled at (225126):
[<ffffffff9518c2a3>] __up_console_sem+0x43/0x70
[ 19.578508] softirqs last enabled at (225088):
[<ffffffff950fe9d9>] __irq_exit_rcu+0xf9/0x170
[ 19.579113] softirqs last disabled at (225077):
[<ffffffff950fe9d9>] __irq_exit_rcu+0xf9/0x170
[ 19.580092] ---[ end trace 0000000000000000 ]---
Related code was added back in 2009.
$ git blame net/wireless/wext-core.c -L 613,633
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 613)
compat_wrqu.length = wrqu->data.length;
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 614)
compat_wrqu.flags = wrqu->data.flags;
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 615)
memcpy(&compat_event->pointer,
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 616)
((char *) &compat_wrqu) + IW_EV_COMPAT_POINT_OFF,
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 617)
hdr_len - IW_EV_COMPAT_LCP_LEN);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 618)
if (extra_len)
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 619)
memcpy(((char *) compat_event) + hdr_len,
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 620)
extra, extra_len);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 621) } else {
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 622)
/* extra_len must be zero, so no if (extra) needed */
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 623)
memcpy(&compat_event->pointer, wrqu,
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 624)
hdr_len - IW_EV_COMPAT_LCP_LEN);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 625) }
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 626)
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 627)
nlmsg_end(compskb, nlh);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 628)
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 629)
skb_shinfo(skb)->frag_list = compskb;
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 630) #endif
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 631)
skb_queue_tail(&dev_net(dev)->wext_nlevents, skb);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 632)
schedule_work(&wireless_nlevent_work);
3d23e349d8071 (Johannes Berg 2009-09-29 23:27:28 +0200 633) }
I suppose this code should be fixed instead of fixing
54d9469bc515dc5fcbc20eecbe19cea868b70d68 commit which I fing by
bisecting this issue.
Full kernel log: https://pastebin.com/sQVzYgAb
--
Best Regards,
Mike Gavrilov.
Powered by blists - more mailing lists