Message-ID: <CALGdzuqqU1PJ3BZ2PRtCHXyrsZ2xtzk38abB0=K7V-kOCYgHfA@mail.gmail.com>
Date: Fri, 26 Jan 2024 11:04:53 -0600
From: Chenyuan Yang <chenyuan0y@...il.com>
To: akpm@...ux-foundation.org, linux-mm@...ck.org
Cc: linux-kernel@...r.kernel.org, syzkaller@...glegroups.com, 
	Zijie Zhao <zzjas98@...il.com>
Subject: [Linux Kernel Bug][mm/gup] 3 Warning Crashes: kmalloc bug in gup_test_ioctl, is_valid_gup_args, pin_user_pages_fast

Dear Developers for Linux Memory Management,

We encountered 3 warning crashes when testing the memory management
with Syzkaller and our generated specifications:

1. WARNING: kmalloc bug in gup_test_ioctl
2. WARNING in is_valid_gup_args
3. WARNING in pin_user_pages_fast

The C and syz reproducers and config for the kernel are attached.

For the first one "WARNING: kmalloc bug in gup_test_ioctl", it seems
that the check `if (gup->size > ULONG_MAX)`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L111)
is not accurate, which should be INT_MAX * PAGE_SIZE / sizeof(void *),
based on `pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L115).

For the second and third ones, "WARNING in is_valid_gup_args" and "WARNING in
pin_user_pages_fast", the root causes are kind of similar. They both
fail to check the `gup_flags` in `is_valid_gup_args`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L2245) and
`internal_get_user_pages_fast`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L3185)
respectively. `gup_flags` is provided by the user, thus, it could be an
arbitrary value. I think it would be better not to use `WARN_ON_ONCE`
to check the validity of this flag.

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@...il.com>

Best,
Chenyuan

Download attachment "gup_test_ioctl.report" of type "application/octet-stream" (4617 bytes)

Download attachment "config" of type "application/octet-stream" (246224 bytes)

Download attachment "pin_user_pages_fast.report" of type "application/octet-stream" (4500 bytes)

Download attachment "is_valid_gup_args.report" of type "application/octet-stream" (4504 bytes)
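The two defects the report describes can be modelled outside the kernel. The following C program is an added illustration, not code from the report or from mm/gup_test.c: it shows why a `size > ULONG_MAX` test on an `unsigned long` can never reject anything, derives the bound the reporter proposes (the page-pointer array must stay within `INT_MAX` bytes, so `size <= (INT_MAX / sizeof(void *)) * PAGE_SIZE`) with overflow-safe arithmetic, and validates a user-supplied flag word by returning `-EINVAL` instead of warning. `PAGE_SIZE`, the `INT_MAX` ceiling and the `UFLAG_*` bits are assumptions of this model; the real kernel flag masks are not reproduced here.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed page size for this userspace model (x86-64 default). */
#define PAGE_SIZE 4096UL

/* Assumed ceiling for the pointer array: the reporter's bound uses INT_MAX bytes. */
#define PTR_ARRAY_MAX_BYTES ((unsigned long)INT_MAX)

/* The check quoted in the report: size is unsigned long, so this is never true. */
static bool size_check_original(unsigned long size)
{
    return size > ULONG_MAX;
}

/* Largest request whose page-pointer array fits in PTR_ARRAY_MAX_BYTES.
 * Guarded against overflow so it is also correct where unsigned long is 32 bits. */
static unsigned long max_gup_size(void)
{
    unsigned long max_pages = PTR_ARRAY_MAX_BYTES / sizeof(void *);

    if (max_pages > ULONG_MAX / PAGE_SIZE)
        return ULONG_MAX;
    return max_pages * PAGE_SIZE;
}

/* Corrected check: reject any size whose pointer array would exceed the ceiling. */
static bool size_is_too_large(unsigned long size)
{
    return size > max_gup_size();
}

/* Bytes the kvcalloc() call would be asked for, saturating on overflow. */
static unsigned long ptr_array_bytes(unsigned long size)
{
    unsigned long nr_pages = size / PAGE_SIZE;

    if (nr_pages > ULONG_MAX / sizeof(void *))
        return ULONG_MAX;
    return nr_pages * sizeof(void *);
}

/* Hypothetical user-visible flag bits; the kernel's FOLL_* masks are not modelled. */
#define UFLAG_WRITE       0x1u
#define UFLAG_PIN         0x2u
#define UFLAG_GET         0x4u
#define UFLAG_VALID_MASK  (UFLAG_WRITE | UFLAG_PIN | UFLAG_GET)

/* Validate a flag word that came from userspace: unknown bits or the
 * PIN+GET combination are an input error, reported with -EINVAL, never a WARN. */
static int validate_user_flags(unsigned int flags)
{
    if (flags & ~UFLAG_VALID_MASK)
        return -EINVAL;
    if ((flags & (UFLAG_PIN | UFLAG_GET)) == (UFLAG_PIN | UFLAG_GET))
        return -EINVAL;
    return 0;
}

int main(void)
{
    unsigned long huge = ULONG_MAX;

    printf("original check rejects ULONG_MAX: %s\n",
           size_check_original(huge) ? "yes" : "no");
    printf("corrected check rejects ULONG_MAX: %s\n",
           size_is_too_large(huge) ? "yes" : "no");
    printf("pointer array for ULONG_MAX would need %lu bytes (limit %lu)\n",
           ptr_array_bytes(huge), PTR_ARRAY_MAX_BYTES);
    printf("flags 0x80 -> %d, WRITE|PIN -> %d\n",
           validate_user_flags(0x80u), validate_user_flags(UFLAG_WRITE | UFLAG_PIN));
    return 0;
}
```

The point of the model is the shape of the guard: the bound is computed from the allocation that will actually be made (`nr_pages * sizeof(void *)`), not from the type's maximum value, and a malformed ioctl argument ends in an error return, so a user-reachable path never emits a warning that fuzzers and crash collectors treat as a kernel bug.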
