| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241217124602.2d498c3f@gandalf.local.home> Date: Tue, 17 Dec 2024 12:46:02 -0500 From: Steven Rostedt <rostedt@...dmis.org> To: Edward Adam Davis <eadavis@...com> Cc: syzbot+345e4443a21200874b18@...kaller.appspotmail.com, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, mathieu.desnoyers@...icios.com, mhiramat@...nel.org, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] ring-buffer: Fix a oob in __rb_map_vma On Mon, 16 Dec 2024 22:07:57 +0800 Edward Adam Davis <eadavis@...com> wrote: > syzbot report a slab-out-of-bounds in __rb_map_vma. [1] > > Overflow occurred when performing the following calculation: > nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; > > Add a check before the calculation to avoid this problem. > > [1] > BUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 > Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836 > > CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 > print_address_description mm/kasan/report.c:378 [inline] > print_report+0xc3/0x620 mm/kasan/report.c:489 > kasan_report+0xd9/0x110 mm/kasan/report.c:602 > __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 > ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138 > tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482 > call_mmap include/linux/fs.h:2183 [inline] > mmap_file mm/internal.h:124 [inline] > __mmap_new_file_vma mm/vma.c:2291 [inline] > __mmap_new_vma mm/vma.c:2355 [inline] > __mmap_region+0x1786/0x2670 mm/vma.c:2456 > mmap_region+0x127/0x320 mm/mmap.c:1348 > do_mmap+0xc00/0xfc0 mm/mmap.c:496 > vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580 > ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542 > __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] > __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] > __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Reported-by: syzbot+345e4443a21200874b18@...kaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=345e4443a21200874b18 > Tested-by: syzbot+345e4443a21200874b18@...kaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@...com> > --- > kernel/trace/ring_buffer.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c > index 7e257e855dd1..15c43d7415d5 100644 > --- a/kernel/trace/ring_buffer.c > +++ b/kernel/trace/ring_buffer.c > @@ -7019,6 +7019,9 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer, > lockdep_assert_held(&cpu_buffer->mapping_lock); > > nr_subbufs = cpu_buffer->nr_pages + 1; /* + reader-subbuf */ > + if (((nr_subbufs + 1) << subbuf_order) < pgoff) > + return -EINVAL; > + A proper fix is being discussed here: https://lore.kernel.org/linux-trace-kernel/20241216164931.57323-1-aha310510@gmail.com/ Thank you, -- Steve > nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */ > > nr_vma_pages = vma_pages(vma);
Powered by blists - more mailing lists