lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20231113.141706.1726048567891462701.syoshida@redhat.com>
Date:   Mon, 13 Nov 2023 14:17:06 +0900 (JST)
From:   Shigeru Yoshida <syoshida@...hat.com>
To:     horms@...nel.org
Cc:     jmaloy@...hat.com, ying.xue@...driver.com, davem@...emloft.net,
        edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
        netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] tipc: Fix kernel-infoleak due to uninitialized TLV
 value

On Sun, 12 Nov 2023 10:25:13 +0000, Simon Horman wrote:
> On Sat, Nov 11, 2023 at 01:39:47AM +0900, Shigeru Yoshida wrote:
>> KMSAN reported the following kernel-infoleak issue:
>> 
>> =====================================================
>> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
>> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>>  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>>  copy_to_user_iter lib/iov_iter.c:24 [inline]
>>  iterate_ubuf include/linux/iov_iter.h:29 [inline]
>>  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>>  iterate_and_advance include/linux/iov_iter.h:271 [inline]
>>  _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>>  copy_to_iter include/linux/uio.h:197 [inline]
>>  simple_copy_to_iter net/core/datagram.c:532 [inline]
>>  __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
>>  skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
>>  skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>>  netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
>>  sock_recvmsg_nosec net/socket.c:1044 [inline]
>>  sock_recvmsg net/socket.c:1066 [inline]
>>  __sys_recvfrom+0x476/0x860 net/socket.c:2246
>>  __do_sys_recvfrom net/socket.c:2264 [inline]
>>  __se_sys_recvfrom net/socket.c:2260 [inline]
>>  __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
>>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> 
>> Uninit was created at:
>>  slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
>>  slab_alloc_node mm/slub.c:3478 [inline]
>>  kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
>>  kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
>>  __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
>>  alloc_skb include/linux/skbuff.h:1286 [inline]
>>  tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
>>  tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
>>  tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
>>  genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
>>  genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
>>  genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
>>  netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
>>  genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
>>  netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
>>  netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
>>  netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
>>  sock_sendmsg_nosec net/socket.c:730 [inline]
>>  __sock_sendmsg net/socket.c:745 [inline]
>>  ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
>>  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
>>  __sys_sendmsg net/socket.c:2671 [inline]
>>  __do_sys_sendmsg net/socket.c:2680 [inline]
>>  __se_sys_sendmsg net/socket.c:2678 [inline]
>>  __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
>>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> 
>> Bytes 34-35 of 36 are uninitialized
>> Memory access of size 36 starts at ffff88802d464a00
>> Data copied to user address 00007ff55033c0a0
>> 
>> CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
>> =====================================================
>> 
>> tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
>> calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
>> the length of TLV value passed as an argument, and aligns the result to a
>> multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
>> 
>> If the size of struct tlv_desc plus the length of TLV value is not aligned,
>> the current implementation leaves the remaining bytes uninitialized. This
>> is the cause of the above kernel-infoleak issue.
>> 
>> This patch resolves this issue by clearing data up to an aligned size.
>> 
>> Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
>> Signed-off-by: Shigeru Yoshida <syoshida@...hat.com>
> 
> Thanks Yoshida-san,
> 
> I agree with both your analysis and that the fix is correct.
> I also agree that the problem was introduced by the cited commit.
> 
> I did wonder if there would be an advantage to only zeroing the
> otherwise uninitialised portion of tlv, but I guess that the complexity
> isn't worth any gain: all of TLV likely fits into a single cacheline
> anyway.
> 
> Reviewed-by: Simon Horman <horms@...nel.org>

Hi Simon,

Thank you so much for always reviewing my work :)

Shigeru

> 
>> ---
>>  net/tipc/netlink_compat.c | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
>> index 5bc076f2fa74..c763008a8adb 100644
>> --- a/net/tipc/netlink_compat.c
>> +++ b/net/tipc/netlink_compat.c
>> @@ -102,6 +102,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
>>  		return -EMSGSIZE;
>>  
>>  	skb_put(skb, TLV_SPACE(len));
>> +	memset(tlv, 0, TLV_SPACE(len));
>>  	tlv->tlv_type = htons(type);
>>  	tlv->tlv_len = htons(TLV_LENGTH(len));
>>  	if (len && data)
>> -- 
>> 2.41.0
>> 
>> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ