lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y8F/1w1AZTvLglFX@x1-carbon>
Date:   Fri, 13 Jan 2023 15:59:21 +0000
From:   Niklas Cassel <Niklas.Cassel@....com>
To:     Kees Cook <keescook@...omium.org>
CC:     "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
        Miguel Ojeda <ojeda@...nel.org>,
        Siddhesh Poyarekar <siddhesh@...plt.org>,
        Arnd Bergmann <arnd@...db.de>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Tom Rix <trix@...hat.com>,
        "llvm@...ts.linux.dev" <llvm@...ts.linux.dev>,
        Juergen Gross <jgross@...e.com>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
        "linux-next@...r.kernel.org" <linux-next@...r.kernel.org>
Subject: linux-next - bxnt buffer overflow in strnlen

On Tue, Sep 20, 2022 at 12:22:02PM -0700, Kees Cook wrote:
> Since the commits starting with c37495d6254c ("slab: add __alloc_size
> attributes for better bounds checking"), the compilers have runtime
> allocation size hints available in some places. This was immediately
> available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
> updating to explicitly make use the hints via the associated
> __builtin_dynamic_object_size() helper. Detect and use the builtin when
> it is available, increasing the accuracy of the mitigation. When runtime
> sizes are not available, __builtin_dynamic_object_size() falls back to
> __builtin_object_size(), leaving the existing bounds checking unchanged.
> 
> Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
> hint invisible, otherwise the architectural defense is not exercised
> (the buffer overflow is detected in the memset() rather than when it
> crosses the edge of the allocation).
> 
> Cc: Miguel Ojeda <ojeda@...nel.org>
> Cc: Siddhesh Poyarekar <siddhesh@...plt.org>
> Cc: Arnd Bergmann <arnd@...db.de>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Nathan Chancellor <nathan@...nel.org>
> Cc: Tom Rix <trix@...hat.com>
> Cc: linux-hardening@...r.kernel.org
> Cc: llvm@...ts.linux.dev
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---

Hello Kees,

Unfortunately, this commit introduces a crash in the bxnt
ethernet driver when booting linux-next.

I haven't looked at the code in the bxnt ethernet driver,
I simply know that machine boots fine on v6.2.0-rc3,
but fails to boot with linux-next.

So I started an automatic git bisect, which returned:
439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")

$ grep CC_VERSION .config
CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.1 20221121 (Red Hat 12.2.1-4)"
CONFIG_GCC_VERSION=120201

$ grep FORTIFY .config
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_FORTIFY_SOURCE=y


dmesg output:

<0>[   10.805253] detected buffer overflow in strnlen
<4>[   10.810683] ------------[ cut here ]------------
<2>[   10.816035] kernel BUG at lib/string_helpers.c:1027!
<4>[   10.821753] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[   10.822737] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc3-next-20230112+ #4
<4>[   10.834787] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.4 04/14/2022
<4>[   10.839875] RIP: 0010:fortify_panic+0xf/0x11
<4>[   10.844962] Code: e0 e8 da 83 0a ff e9 31 45 6d ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 fe 48 c7 c7 78 69 d6 9f e8 01 ea fc ff <0f> 0b 48 8b 4c 24 18 48 8b 54 24 10 4c 8d 44 24 25 48 c7 c7 b6 69
<4>[   10.865321] RSP: 0018:ffffb547c005bb98 EFLAGS: 00010246
<4>[   10.870406] RAX: 0000000000000023 RBX: ffff94f0582bc400 RCX: 0000000000000000
<4>[   10.880584] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
<4>[   10.885672] RBP: ffff94f0582bc424 R08: 0000000000000000 R09: ffffb547c005ba60
<4>[   10.895849] R10: 0000000000000003 R11: ffffffffa0182448 R12: 696c66666f282074
<4>[   10.900937] R13: 736574206b636162 R14: 0000000000000001 R15: ffff94f0545f8b40
<4>[   10.911113] FS:  0000000000000000(0000) GS:ffff950f07380000(0000) knlGS:0000000000000000
<4>[   10.916201] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[   10.926382] CR2: 0000000000000000 CR3: 000000204c05a000 CR4: 0000000000350ee0
<4>[   10.931470] Call Trace:
<6>[   10.936317] ata9: SATA link down (SStatus 0 SControl 300)
<4>[   10.936745]  <TASK>
<4>[   10.936745]  bnxt_ethtool_init.cold+0x18/0x18
<4>[   10.936745]  ? dma_pool_free+0x14d/0x160
<6>[   10.942591] ata10: SATA link down (SStatus 0 SControl 300)
<4>[   10.942663]  bnxt_fw_init_one_p2+0x18d/0x5e0
<6>[   10.949046] ata4: SATA link down (SStatus 0 SControl 300)
<4>[   10.949841]  bnxt_init_one+0x401/0xf10
<6>[   10.958451] ata6: SATA link down (SStatus 0 SControl 300)
<4>[   10.958854]  local_pci_probe+0x41/0x80
<6>[   10.968114] ata3: SATA link down (SStatus 0 SControl 300)
<4>[   10.968892]  pci_device_probe+0x1e2/0x210
<6>[   10.977259] ata8: SATA link down (SStatus 0 SControl 300)
<4>[   10.977657]  really_probe+0xde/0x380
<6>[   10.986406] ata5: SATA link down (SStatus 0 SControl 300)
<4>[   10.986817]  ? pm_runtime_barrier+0x50/0x90
<4>[   10.986817]  __driver_probe_device+0x78/0x170
<6>[   10.996042] ata7: SATA link down (SStatus 0 SControl 300)
<4>[   10.996978]  driver_probe_device+0x1f/0x90
<4>[   10.996978]  __driver_attach+0xd2/0x1c0
<4>[   10.996978]  ? __pfx___driver_attach+0x10/0x10
<4>[   10.996978]  bus_for_each_dev+0x65/0x90
<4>[   11.047368]  bus_add_driver+0x1b1/0x200
<4>[   11.052640]  driver_register+0x89/0xe0
<4>[   11.057487]  ? __pfx_bnxt_init+0x10/0x10
<4>[   11.061634]  bnxt_init+0x20/0x33
<4>[   11.065015]  do_one_initcall+0x5b/0x340
<4>[   11.070105]  ? rcu_read_lock_sched_held+0x3f/0x80
<4>[   11.075198]  kernel_init_freeable+0x29e/0x2ee
<4>[   11.080635]  ? __pfx_kernel_init+0x10/0x10
<4>[   11.085379]  kernel_init+0x16/0x140
<6>[   11.087743] ata16: SATA link down (SStatus 0 SControl 300)
<4>[   11.086528]  ret_from_fork+0x2c/0x50
<4>[   11.086528]  </TASK>
<6>[   11.094437] ata17: SATA link down (SStatus 0 SControl 300)
<4>[   11.094645] Modules linked in:
<4>[   11.097999] ---[ end trace 0000000000000000 ]---
<6>[   11.100194] ata18: SATA link down (SStatus 0 SControl 300)


Kind regards,
Niklas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ