| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87frm8nr20.wl-tiwai@suse.de>
Date: Sat, 28 Dec 2024 09:35:19 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Kun Hu <huk23@...udan.edu.cn>
Cc: perex@...ex.cz,
tiwai@...e.com,
vkoul@...nel.org,
lars@...afoo.de,
broonie@...nel.org,
Liam Girdwood <lgirdwood@...il.com>,
masahiroy@...nel.org,
andriy.shevchenko@...ux.intel.com,
arnd@...db.de,
yuehaibing@...wei.com,
viro@...iv.linux.org.uk,
dmantipov@...dex.ru,
linux-sound@...r.kernel.org,
linux-kernel@...r.kernel.org,
"jjtan24@...udan.edu.cn" <jjtan24@...udan.edu.cn>,
stable@...r.kernel.org
Subject: Re: Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex
On Sat, 28 Dec 2024 09:07:16 +0100,
Kun Hu wrote:
>
> >
> >
> >> 2024年12月25日 13:37,Kun Hu <huk23@...udan.edu.cn> 写道:
> >>
> >> Hello,
> >>
> >>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
> >>
> >> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c.
> >> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte).
> >> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
> >>
> >> if (sysex->len >= MAX_SYSEX_BUFLEN) {
> >> sysex->len = 0;
> >> sysex->skip = 1;
> >> return -EINVAL; /* Exit early if sysex->len is out of bounds */
> >> }
> >>
> >> If you fix this issue, please add the following tag to the commit:
> >> Reported-by: Kun Hu <huk23@...udan.edu.cn>
> >>
> >> ―――――
> >> Thanks,
> >> Kun Hu
> >>
> >>> 2024年12月24日 19:16,Kun Hu <huk23@...udan.edu.cn> 写道:
> >>>
> >>> Hello,
> >>>
> >>> When using fuzzer tool to fuzz the latest Linux kernel, the following crash
> >>> was triggered.
> >>>
> >>> HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
> >>> git tree: upstream
> >>> Console output:https://drive.google.com/file/d/17oCyKDW_kNhSW5Bbvm23vnpD1eo0MHFi/view?usp=sharing
> >>> Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
> >>> C reproducer: https://drive.google.com/file/d/177HJht6a7-6F3YLudKb_d4kiPGd1VA_i/view?usp=sharing
> >>> Syzlang reproducer: https://drive.google.com/file/d/1AuP5UGGc47rEXXPuvjmCKgJ3d0U1P84j/view?usp=sharing
> >>>
> >>>
> >>> If you fix this issue, please add the following tag to the commit:
> >>> Reported-by: Kun Hu <huk23@...udan.edu.cn>
> >>>
> >>> ==================================================================
> >>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
> >>> Write of size 1 at addr ff1100000588e288 by task syz-executor411/824
> >>>
> >>> CPU: 2 UID: 0 PID: 824 Comm: syz-executor411 Not tainted 6.13.0-rc3 #5
> >>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> >>> Call Trace:
> >>> <TASK>
> >>> __dump_stack lib/dump_stack.c:94 [inline]
> >>> dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
> >>> print_address_description mm/kasan/report.c:378 [inline]
> >>> print_report+0xcf/0x5f0 mm/kasan/report.c:489
> >>> kasan_report+0x93/0xc0 mm/kasan/report.c:602
> >>> snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
> >>> snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61
> >>> insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline]
> >>> snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135
> >>> odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168
> >>> vfs_write fs/read_write.c:677 [inline]
> >>> vfs_write+0x2e3/0x10f0 fs/read_write.c:659
> >>> ksys_write+0x122/0x240 fs/read_write.c:731
> >>> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >>> do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
> >>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >>
> >
>
> Hello,
>
> Is this issue being considered and is it possible that the value of sysex->len in line 509 of the snd_seq_oss_synth_sysex function could exceed 127 and thus be out of bounds?
Sorry for the late reaction, as I've been (still) off since the last
week. Will check in details later.
But, through a quick glance, it's likely the racy access, and your
suggested fix won't suffice, I'm afraid.
thanks,
Takashi
Powered by blists - more mailing lists