Open Source and information security mailing list archives
Message-ID: <CAH-r-ZE0brfZ_T0tDjV5+D90V9QVLhWUO_-zvPxS7kd=LnDrWg@mail.gmail.com>
Date: Wed, 17 Dec 2025 14:47:17 +0800
From: 林妙倩 <linmq006@...il.com>
To: Andy Shevchenko <andriy.shevchenko@...el.com>
Cc: Nuno Sá <noname.nuno@...il.com>, 
	Markus Burri <markus.burri@...com>, Lars-Peter Clausen <lars@...afoo.de>, 
	Michael Hennerich <Michael.Hennerich@...log.com>, Jonathan Cameron <jic23@...nel.org>, 
	David Lechner <dlechner@...libre.com>, Nuno Sá <nuno.sa@...log.com>, 
	Andy Shevchenko <andy@...nel.org>, Angelo Dureghello <adureghello@...libre.com>, linux-iio@...r.kernel.org, 
	linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

Hi,

I don’t have the actual hardware, so I built a similar demo module to
mirror the bug and ran it in QEMU.
With KASAN enabled, the PoC triggers BUG: KASAN: stack-out-of-bounds.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an
out-of-bounds write on the stack.

PoC (what it does):
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the stack OOB.

If you have the real device, you may run a similar PoC on your driver
to validate—just ensure KASAN is enabled to see the report.
I also tested the straightforward fix buf[ret] = '\0'; with that
change, the issue no longer reproduces.
Below are the trace, the demo module, and the PoC for reference.


[   11.824318] overflow_demo: copied 63 bytes (stack buf 64, user count 128)
[   11.825125] ==================================================================
[   11.825806] BUG: KASAN: stack-out-of-bounds in mas_walk+0x466/0x510
[   11.825806] Write of size 8 at addr ffff888011017e48 by task overflow_demo_p/75
[   11.825806]
[   11.825806] CPU: 0 PID: 75 Comm: overflow_demo_p Tainted: G           O       6.6.9 #4
[   11.825806] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.825806] Call Trace:
[   11.825806]  <TASK>
[   11.825806]  dump_stack_lvl+0x36/0x50
[   11.825806]  print_report+0xcf/0x670
[   11.825806]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[   11.825806]  kasan_report+0xc7/0x100
[   11.825806]  ? mas_walk+0x466/0x510
[   11.825806]  ? mas_walk+0x466/0x510
[   11.825806]  mas_walk+0x466/0x510
[   11.825806]  ? __pfx_rebalance_domains+0x10/0x10
[   11.825806]  lock_vma_under_rcu+0xbe/0x420
[   11.825806]  ? __pfx_lock_vma_under_rcu+0x10/0x10
[   11.825806]  ? __do_softirq+0x1bf/0x5b2
[   11.825806]  ? hrtimer_interrupt+0x313/0x7c0
[   11.825806]  do_user_addr_fault+0x1c6/0x940
[   11.825806]  exc_page_fault+0x5d/0xd0
[   11.825806]  asm_exc_page_fault+0x26/0x30
[   11.825806] RIP: 0033:0x43f430
[   11.825806] Code: Unable to access opcode bytes at 0x43f406.
[   11.825806] RSP: 002b:00007ffe2f3b53b8 EFLAGS: 00000202
[   11.825806] RAX: 00007ffe2f3b53e0 RBX: 0000000000000003 RCX: 0000000000000002
[   11.825806] RDX: 00007ffe2f3b53c0 RSI: 0000000000486029 RDI: 00000000004b2320
[   11.825806] RBP: 00007ffe2f3b5490 R08: 00000000004b2820 R09: 0000000000000110
[   11.825806] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe2f3b54a0
[   11.825806] R13: 00007ffe2f3b5668 R14: 00000000004ad868 R15: 0000000000000001
[   11.825806]  </TASK>
[   11.825806]
[   11.825806] The buggy address belongs to stack of task overflow_demo_p/75
[   11.825806]  and is located at offset 56 in frame:
[   11.825806]  lock_vma_under_rcu+0x0/0x420
[   11.825806]
[   11.825806] This frame has 1 object:
[   11.825806]  [32, 96) 'mas'
[   11.825806]
[   11.825806] The buggy address belongs to the physical page:
[   11.825806] page:(____ptrval____) refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11017
[   11.825806] flags: 0x100000000000000(node=0|zone=1)
[   11.825806] page_type: 0xffffffff()
[   11.825806] raw: 0100000000000000 dead000000000100 dead000000000122 0000000000000000
[   11.825806] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   11.825806] page dumped because: kasan: bad access detected
[   11.825806]
[   11.825806] Memory state around the buggy address:
[   11.825806]  ffff888011017d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.825806]  ffff888011017d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.825806] >ffff888011017e00: 00 00 f1 f1 f1 f1 00 00 00 f3 00 00 00 00 f3 f3
[   11.825806]                                               ^
[   11.825806]  ffff888011017e80: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.825806]  ffff888011017f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.825806] ==================================================================
[   11.858618] Disabling lock debugging due to kernel taint
[   11.892349] overflow_demo_p (75) used greatest stack depth: 27192 bytes left

Andy Shevchenko <andriy.shevchenko@...el.com> wrote on Tue, 28 Oct 2025 at 23:19:
>
> On Tue, Oct 28, 2025 at 03:12:29PM +0000, Nuno Sá wrote:
> > On Tue, 2025-10-28 at 16:45 +0200, Andy Shevchenko wrote:
> > > On Tue, Oct 28, 2025 at 12:31:04PM +0000, Nuno Sá wrote:
>
> ...
>
> > > For the latter I want to see the real traceback and a reproducer. I also
> > > wonder why we never had reports from syzkaller on this. It has a non-zero
> > > chance to stumble over the issue here (if there is an issue to begin with).
> >
> > If I have the time, I might do it. If my suspicions are correct, it should be
> > fairly easy to reproduce.
>
> My suspicion is also like this: if you have a working setup for one of such
> users (like this chip) already, it's ~15 minutes to get it done without
> writing additional code.
>
> --
> With Best Regards,
> Andy Shevchenko
>
>

Download attachment "overflow_demo_poc.c" of type "application/octet-stream" (798 bytes)

Download attachment "overflow_demo.c" of type "application/octet-stream" (2389 bytes)
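The bug pattern described in the message (a bounded copy into a fixed 64-byte stack buffer followed by a terminator written at buf[count] with the raw user-supplied count), modelled in user space as an added example. This is not the ad3552r-hs driver's code and not the poster's attached demo module or PoC; all names are hypothetical. The handler's stack frame is modelled as one flat byte array (buf in the first 64 bytes, a poisoned guard region after it standing in for whatever the real stack holds above buf) so the stray NUL store stays observable and defined, and the buggy handler is shown beside the fixed shape that terminates at the number of bytes actually copied:

```c
/*
 * Added example (hypothetical names): user-space model of a write handler
 * that copies at most 63 bytes into a 64-byte on-stack buffer and then
 * writes '\0' at buf[count] using the unbounded count from write(2).
 * The frame is a flat byte array so the out-of-bounds store lands in a
 * guard region we can inspect instead of corrupting a real stack.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   64                    /* fixed on-stack buffer */
#define GUARD_SIZE 192                   /* modelled bytes above buf */
#define GUARD_FILL 0xA5                  /* poison, in the spirit of a KASAN redzone */

struct frame {
    unsigned char mem[BUF_SIZE + GUARD_SIZE]; /* [0,64) is buf, [64,256) is guard */
};

struct result {
    long ret;         /* handler return value: bytes copied, or -1 */
    long oob_offset;  /* first changed guard byte as an index from buf, -1 if none */
};

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, BUF_SIZE);
    memset(f->mem + BUF_SIZE, GUARD_FILL, GUARD_SIZE);
}

/* Stand-in for a bounded copy from user space (strncpy_from_user-like):
 * copies up to n bytes, stops at NUL, returns the number copied. */
static size_t bounded_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Buggy shape: the copy is bounded, the terminator index is not. */
static long handler_buggy(struct frame *f, const char *user, size_t count)
{
    char *buf = (char *)f->mem;
    size_t copied = bounded_copy(buf, user, BUF_SIZE - 1);

    if (count >= sizeof(f->mem))
        return -1;        /* model limit only; the real bug has no such check */
    buf[count] = '\0';    /* BUG: any count > 63 writes past the 64-byte buffer */
    return (long)copied;
}

/* Fixed shape: bound the copy by count too, terminate at what was copied. */
static long handler_fixed(struct frame *f, const char *user, size_t count)
{
    char *buf = (char *)f->mem;
    size_t n = count < BUF_SIZE - 1 ? count : BUF_SIZE - 1;
    size_t copied = bounded_copy(buf, user, n);

    buf[copied] = '\0';   /* index is at most 63, always inside buf */
    return (long)copied;
}

static long first_corrupted_guard(const struct frame *f)
{
    size_t i;
    for (i = BUF_SIZE; i < sizeof(f->mem); i++)
        if (f->mem[i] != GUARD_FILL)
            return (long)i;
    return -1;
}

/* Replays the PoC's input shape (count bytes of 'A') against either handler.
 * The user buffer is constructed here, not captured from anywhere. */
static struct result run_case(int use_fixed, size_t count)
{
    struct frame f;
    struct result r;
    char user[512];

    if (count >= sizeof(user))
        count = sizeof(user) - 1;
    memset(user, 'A', count);
    user[count] = '\0';

    frame_init(&f);
    r.ret = use_fixed ? handler_fixed(&f, user, count)
                      : handler_buggy(&f, user, count);
    r.oob_offset = first_corrupted_guard(&f);
    return r;
}

int main(void)
{
    struct result b = run_case(0, 128), x = run_case(1, 128);

    printf("buggy: copied %ld bytes, stray NUL landed at buf[%ld]\n", b.ret, b.oob_offset);
    printf("fixed: copied %ld bytes, guard intact: %s\n", x.ret,
           x.oob_offset < 0 ? "yes" : "no");
    return 0;
}
```

With 128 bytes of input the buggy handler copies 63 bytes and then zeroes buf[128], 64 bytes past the end of the buffer, which is the same shape as the "copied 63 bytes (stack buf 64, user count 128)" line in the trace above; a count of exactly 64 already clobbers the first byte past the buffer. The fixed handler returns the same 63 bytes and leaves the guard untouched, because the terminator index can never exceed 63.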
