lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <e9f30f7d5b7d72a3521da31ab2002b49a26f542e.camel@mediatek.com>
Date:   Mon, 7 Aug 2023 12:31:45 +0000
From:   John Hsu (許永翰) <John.Hsu@...iatek.com>
To:     "catalin.marinas@....com" <catalin.marinas@....com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        Xiaobing Shi (史小兵) 
        <Xiaobing.Shi@...iatek.com>,
        Chunhui Li (李春辉) 
        <chunhui.li@...iatek.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        Kuan-Ying Lee (李冠穎) 
        <Kuan-Ying.Lee@...iatek.com>,
        Casper Li (李中榮) <casper.li@...iatek.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>
Subject: [BUG kernel-5.15] aarch64: __pi_strncmp() out-of-bound error

Hi ARM maintainers,
 
We met this issue under our internal test.
It seems that __pi_strncmp() reads out-of-bound.
 
[ 7445.268043][  T382] ueventd: [name:fault&]Unable to handle kernel
paging request at virtual address ffffff803fd3f000
[ 7445.268078][  T382] ueventd: [name:fault&]Mem abort info:
[ 7445.268084][  T382] ueventd: [name:fault&]  ESR = 0x96000007
[ 7445.268089][  T382] ueventd: [name:fault&]  EC = 0x25: DABT (current
EL), IL = 32 bits
[ 7445.268095][  T382] ueventd: [name:fault&]  SET = 0, FnV = 0
[ 7445.268100][  T382] ueventd: [name:fault&]  EA = 0, S1PTW = 0
[ 7445.268105][  T382] ueventd: [name:fault&]  FSC = 0x07: level 3
translation fault
[ 7445.268110][  T382] ueventd: [name:fault&]Data abort info:
[ 7445.268115][  T382] ueventd: [name:fault&]  ISV = 0, ISS =
0x00000007
[ 7445.268120][  T382] ueventd: [name:fault&]  CM = 0, WnR = 0
[ 7445.268126][  T382] ueventd: [name:fault&]swapper pgtable: 4k pages,
39-bit VAs, pgdp=00000000426c6000
[ 7445.268133][  T382] ueventd: [name:fault&][ffffff803fd3f000]
pgd=1800000327ff5003, p4d=1800000327ff5003, pud=1800000327ff5003,
pmd=1800000327fef003, pte=0000000000000000
[ 7445.268154][  T382] ueventd: [name:traps&]Internal error: Oops:
96000007 [#1] PREEMPT SMP
[ 7445.268278][  T382] ueventd: [name:mrdump&]Kernel Offset:
0x2825400000 from 0xffffffc008000000
[ 7445.268286][  T382] ueventd: [name:mrdump&]PHYS_OFFSET: 0x40000000
[ 7445.268294][  T382] ueventd: [name:mrdump&]pstate: 82400005 (Nzcv
daif +PAN -UAO)
[ 7445.268301][  T382] ueventd: [name:mrdump&]pc : [0xffffffe82d420210]
__pi_strncmp+0x1a0/0x1c4
[ 7445.268310][  T382] ueventd: [name:mrdump&]lr : [0xffffffe82dbe12c0]
__security_genfs_sid+0x100/0x168
[ 7445.268319][  T382] ueventd: [name:mrdump&]sp : ffffffc0097cb8b0
…
[ 7445.269337][  T382] ueventd: CPU: 0 PID: 382 Comm: ueventd Tainted:
G S      W  OE     5.15.41-android13-8-gb1f1ad628628 #1
[ 7445.269347][  T382] ueventd: Hardware name: MT6886(ENG) (DT)
[ 7445.269354][  T382] ueventd: Call trace:
[ 7445.269359][  T382] ueventd:  dump_backtrace+0x0/0x2a8
[ 7445.269374][  T382] ueventd:  dump_stack_lvl+0x74/0xa4
[ 7445.269384][  T382] ueventd:  dump_stack+0x14/0x1c
[ 7445.269391][  T382] ueventd:  mrdump_common_die+0x32c/0x5ac [mrdump]
[ 7445.269470][  T382] ueventd:  ipanic_die+0x1c/0x28 [mrdump]
[ 7445.269539][  T382] ueventd:  __die+0xbc/0x308
[ 7445.269548][  T382] ueventd:  die+0xd8/0x500
[ 7445.269556][  T382] ueventd:  die_kernel_fault+0x94/0xa8
[ 7445.269565][  T382] ueventd:  __do_kernel_fault+0x1d8/0x214
[ 7445.269571][  T382] ueventd:  do_bad_area+0x40/0x174
[ 7445.269579][  T382] ueventd:  do_translation_fault+0x48/0x54
[ 7445.269585][  T382] ueventd:  do_mem_abort+0x3c/0x100
[ 7445.269592][  T382] ueventd:  el1_abort+0x38/0x54
[ 7445.269602][  T382] ueventd:  el1h_64_sync_handler+0x54/0x88
[ 7445.269610][  T382] ueventd:  el1h_64_sync+0x78/0x7c
[ 7445.269618][  T382] ueventd:  __pi_strncmp+0x1a0/0x1c4
[ 7445.269626][  T382] ueventd:  selinux_genfs_get_sid+0x114/0x220
[ 7445.269636][  T382] ueventd:  inode_doinit_with_dentry+0x3d0/0x598
[ 7445.269644][  T382] ueventd:  selinux_d_instantiate+0x1c/0x24
[ 7445.269652][  T382] ueventd:  d_splice_alias+0x5c/0x280
[ 7445.269662][  T382] ueventd:  kernfs_iop_lookup+0xec/0x21c
[ 7445.269674][  T382] ueventd:  __lookup_slow+0xc4/0x150
[ 7445.269684][  T382] ueventd:  lookup_slow+0x40/0xf0
[ 7445.269690][  T382] ueventd:  walk_component+0x144/0x160
[ 7445.269696][  T382] ueventd:  link_path_walk+0x25c/0x344
[ 7445.269703][  T382] ueventd:  path_lookupat+0x64/0x120
[ 7445.269710][  T382] ueventd:  filename_lookup+0xc4/0x1b0
[ 7445.269718][  T382] ueventd:  user_path_at_empty+0x48/0xb4
[ 7445.269725][  T382] ueventd:  do_faccessat+0xa8/0x1f0
[ 7445.269732][  T382] ueventd:  __arm64_sys_faccessat+0x20/0x28
[ 7445.269738][  T382] ueventd:  invoke_syscall+0x3c/0xf0
[ 7445.269746][  T382] ueventd:  el0_svc_common+0x84/0xe8
[ 7445.269753][  T382] ueventd:  do_el0_svc+0x20/0x84
[ 7445.269759][  T382] ueventd:  el0_svc+0x1c/0x48
[ 7445.269766][  T382] ueventd:  el0t_64_sync_handler+0x7c/0xd8
[ 7445.269773][  T382] ueventd:  el0t_64_sync+0x15c/0x160
 
We found that we hit this issue when we compare these two strings.
 
________________address|_0__1__2__3__4__5__6__7__8__9__A__B__C__D__E__F
__   0123456789ABCDEF
   NSD:FFFFFF80089EDA00|>2F 64 65 76 69 63 65 73 2F 76 69 72 74 75 61
6C  /devices/virtual
   NSD:FFFFFF80089EDA10| 2F 62 6C 6F 63 6B 2F 00 E0 03 01 AA E1 03 02
AA  /block/.........
 
________________address|_0__1__2__3__4__5__6__7__8__9__A__B__C__D__E__F
__    0123456789ABCDEF
   NSD:FFFFFF803FD3EFE0| 00 00 00 00 00 00 00 00 00 00 2F 64 65 76 69
63    ........../devic
   NSD:FFFFFF803FD3EFF0| 65 73>2F 76 69 72 74 75 61 6C 2F 6D 69 73 63
00  es/virtual/misc.
   NSD:FFFFFF803FD3F000| ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
??
   NSD:FFFFFF803FD3F0E0| ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
??

We observe the second string is put at the tail of the first page and
the next page is unreadable.
Thus, we made a simple test as below and it can reproduce this issue.

static noinline void strncmp_ut(void)
{
    int ret = 0;
    int size = 4096;
    char *src1 = vmalloc(size);
    char *src2 = vmalloc(size);
    char *str1 = "/devices/virtual/block/";
    char *str2 = "/devices/virtual/misc";
    int len1 = strlen(str1);
    int len2 = strlen(str2);
    char *str1_start, *str2_start;

    pr_info("src1: %px\n", src1);
    pr_info("src2: %px\n", src2);
    pr_info("len1 :%d, len2: %d\n", len1, len2);

    memset(src1, 0, size);
    strncpy(&src1[size-len1-1], str1, len1);
    memset(src2, 0, size);
    strncpy(&src2[size-len2-1], str2, len2);

    str1_start = src1 + size - len1 - 1;
    pr_info("str1_start: %px", str1_start);
    str2_start = src2 + size - len2 - 1;
    pr_info("str2_start: %px", str2_start);
    ret = strncmp(str1_start, str2_start, len1);
    pr_info("ret: %d\n", ret);
}


Does any issue exist in __pi_strncmp in kernel-5.15?

Any suggestion is appreciated.

Thanks,
John Hsu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ