| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKHoSAv+gLUmYioCQjKU46pEba6udNOLgTFxQ0MDVTKy_ehd=g@mail.gmail.com> Date: Mon, 2 Dec 2024 12:31:13 +0800 From: cheung wall <zzqq0103.hey@...il.com> To: Alexander Viro <viro@...iv.linux.org.uk> Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: "KASAN: slab-out-of-bounds Read in load_misc_binary" in Linux Kernel Version 4.9 Hello, I am writing to report a potential vulnerability identified in the Linux Kernel version 4.9 This issue was discovered using our custom vulnerability discovery tool. Affected File: fs/binfmt_misc.c File: fs/binfmt_misc.c Function: load_misc_binary Detailed call trace: BUG: KASAN: slab-out-of-bounds in check_file fs/binfmt_misc.c:118 [inline] at addr ffff88006a77bb00 BUG: KASAN: slab-out-of-bounds in load_misc_binary+0xe16/0xf90 fs/binfmt_misc.c:145 at addr ffff88006a77bb00 Read of size 1 by task udevd/5098 CPU: 1 PID: 5098 Comm: udevd Not tainted 4.9.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 ffff880060147b20 ffffffff81a9fc59 ffff88006cc013c0 ffff88006a77ba00 ffff88006a77bb00 dffffc0000000000 ffff880060147b48 ffffffff814a67ac ffff880060147bd8 ffff88006a77ba00 ffff88006cc013c0 ffff880060147bc8 Call Trace: [<ffffffff81a9fc59>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81a9fc59>] dump_stack+0x83/0xba lib/dump_stack.c:51 [<ffffffff814a67ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159 [<ffffffff814a6a40>] print_address_description mm/kasan/report.c:197 [inline] [<ffffffff814a6a40>] kasan_report_error+0x1f0/0x4f0 mm/kasan/report.c:286 [<ffffffff814a6d7e>] kasan_report mm/kasan/report.c:306 [inline] [<ffffffff814a6d7e>] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:324 [<ffffffff815bc916>] check_file fs/binfmt_misc.c:118 [inline] [<ffffffff815bc916>] load_misc_binary+0xe16/0xf90 fs/binfmt_misc.c:145 [<ffffffff814ccf1d>] search_binary_handler+0x16d/0x480 fs/exec.c:1582 [<ffffffff814d161b>] exec_binprm fs/exec.c:1624 [inline] [<ffffffff814d161b>] do_execveat_common.isra.41+0x124b/0x1b20 fs/exec.c:1744 [<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline] [<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline] [<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864 [<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280 [<ffffffff82f8f9eb>] entry_SYSCALL64_slow_path+0x25/0x25 Object at ffff88006a77ba00, in cache kmalloc-256 size: 256 Allocated: PID = 5093 [ 55.023115] [<ffffffff810794e6>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 55.023748] [<ffffffff814a5b06>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 55.024324] [<ffffffff814a5d8d>] set_track mm/kasan/kasan.c:507 [inline] [ 55.024324] [<ffffffff814a5d8d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [ 55.024940] [<ffffffff814a1c7d>] kmem_cache_alloc_trace+0xcd/0x180 mm/slub.c:2735 [ 55.025623] [<ffffffff814d0676>] kmalloc include/linux/slab.h:490 [inline] [ 55.025623] [<ffffffff814d0676>] kzalloc include/linux/slab.h:636 [inline] [ 55.025623] [<ffffffff814d0676>] do_execveat_common.isra.41+0x2a6/0x1b20 fs/exec.c:1673 [ 55.026362] [<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline] [ 55.026362] [<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline] [ 55.026362] [<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864 [ 55.026964] [<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280 [ 55.027579] [<ffffffff82f8f9eb>] return_from_SYSCALL_64+0x0/0x6a Freed: PID = 5093 [ 55.028625] [<ffffffff810794e6>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [ 55.029239] [<ffffffff814a5b06>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495 [ 55.029823] [<ffffffff814a6373>] set_track mm/kasan/kasan.c:507 [inline] [ 55.029823] [<ffffffff814a6373>] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 [ 55.030437] [<ffffffff814a2fb0>] slab_free_hook mm/slub.c:1352 [inline] [ 55.030437] [<ffffffff814a2fb0>] slab_free_freelist_hook mm/slub.c:1374 [inline] [ 55.030437] [<ffffffff814a2fb0>] slab_free mm/slub.c:2951 [inline] [ 55.030437] [<ffffffff814a2fb0>] kfree+0x90/0x190 mm/slub.c:3871 [ 55.030995] [<ffffffff814cb92d>] free_bprm+0x19d/0x200 fs/exec.c:1355 [ 55.031589] [<ffffffff814d180c>] do_execveat_common.isra.41+0x143c/0x1b20 fs/exec.c:1753 [ 55.032311] [<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline] [ 55.032311] [<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline] [ 55.032311] [<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864 [ 55.032891] [<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280 [ 55.033512] [<ffffffff82f8f9eb>] return_from_SYSCALL_64+0x0/0x6a Memory state around the buggy address: ffff88006a77ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88006a77ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88006a77bb00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ^ ffff88006a77bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88006a77bc00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== Root Cause: The root cause appears to be improper memory handling when processing file structures in the binfmt_misc module. Specifically, the system is attempting to read beyond the allocated memory for the binary file structure, leading to a slab-out-of-bounds error. This could be caused by invalid pointer dereferencing, incorrect bounds checking, or memory corruption. We would appreciate it if the kernel maintainers could investigate this issue further and suggest potential fixes. Please let us know if you need any additional information or if further steps are required to reproduce or analyze the issue. Thank you for your time and attention. Best regards Wall
Powered by blists - more mailing lists