lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZiGYbJezGZg6tGgq@dread.disaster.area>
Date: Fri, 19 Apr 2024 08:02:20 +1000
From: Dave Chinner <david@...morbit.com>
To: Marius Fleischer <fleischermarius@...il.com>
Cc: Leah Rumancik <leah.rumancik@...il.com>,
	"Darrick J. Wong" <djwong@...nel.org>, linux-xfs@...r.kernel.org,
	linux-kernel@...r.kernel.org, harrisonmichaelgreen@...il.com,
	syzkaller@...glegroups.com
Subject: Re: KASAN: null-ptr-deref Write in xlog_cil_commit

On Thu, Apr 18, 2024 at 11:03:30AM -0700, Marius Fleischer wrote:
> Hi,
> 
> 
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
> 
> ======================================================
> 
> description: KASAN: null-ptr-deref Write in xlog_cil_commit
> 
> affected file: fs/xfs/xfs_log_cil.c
> 
> kernel version: 5.15.156

Really old kernel.

> We took a very brief look at the code. Is it possible that there is a check
> missing for the return value of kvmalloc at fs/xfs/xfs_log_cil.c:224?
> 
> lv = kvmalloc(buf_size, GFP_KERNEL);
> memset(lv, 0, xlog_cil_iovec_space(niovecs));

I've never seen that memory allocation fail there, and that code has
been using an unchecked, open coded kvmalloc() for well over a
decade. We replaced it with a direct call to kvmalloc() in 5.15,
but the failure semantics here never changed.

But I guess it could fail if error injection is enabled,
and because we used to call __vmalloc() directly it may never have
had errors injected?

But, regardless, that's completely irrelevant.

We replaced the kvmalloc() call there with a guaranteed "no fail"
open coded loop in 5.17 for performance reasons, so this open coded
kvmalloc() call only existed in 5.15 and 5.16. See commit
8dc9384b7d75 ("xfs: reduce kvmalloc overhead for CIL shadow
buffers").

-Dave.
-- 
Dave Chinner
david@...morbit.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ