| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <abd5921f-a37f-4736-b1b4-920a5c108f71@suse.de>
Date: Tue, 14 Jan 2025 08:21:04 +0100
From: Hannes Reinecke <hare@...e.de>
To: Edward Adam Davis <eadavis@...com>,
syzbot+fcee6b76cf2e261c51a4@...kaller.appspotmail.com
Cc: axboe@...nel.dk, linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] block: no show partitions if partno corrupted
On 1/14/25 03:28, Edward Adam Davis wrote:
> syzbot reported a global-out-of-bounds in number. [1]
>
> Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
> array.
>
> To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.
>
> [1]
> BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
> Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832
>
> CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:489
> kasan_report+0x143/0x180 mm/kasan/report.c:602
> number+0x3be/0xf40 lib/vsprintf.c:494
> pointer+0x764/0x1210 lib/vsprintf.c:2484
> vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
> seq_vprintf fs/seq_file.c:391 [inline]
> seq_printf+0x172/0x270 fs/seq_file.c:406
> show_partition+0x29f/0x3f0 block/genhd.c:905
> seq_read_iter+0x969/0xd70 fs/seq_file.c:272
> proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
> copy_splice_read+0x63a/0xb40 fs/splice.c:365
> do_splice_read fs/splice.c:985 [inline]
> splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
> do_splice_direct_actor fs/splice.c:1207 [inline]
> do_splice_direct+0x289/0x3e0 fs/splice.c:1233
> do_sendfile+0x564/0x8a0 fs/read_write.c:1363
> __do_sys_sendfile64 fs/read_write.c:1424 [inline]
> __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-by: syzbot+fcee6b76cf2e261c51a4@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
> Tested-by: syzbot+fcee6b76cf2e261c51a4@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
> block/genhd.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>
> rcu_read_lock();
> xa_for_each(&sgp->part_tbl, idx, part) {
> - if (!bdev_nr_sectors(part))
> + int partno = bdev_partno(part);
> +
> + if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
> continue;
> seq_printf(seqf, "%4d %7d %10llu %pg\n",
> MAJOR(part->bd_dev), MINOR(part->bd_dev),
Maybe a warning is in order; when we are hitting this issue it means
that linux has a limitation on causing it to ignore the (otherwise
valid) partition entry.
Otherwise looks good.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@...e.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Powered by blists - more mailing lists