lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+xm5_n-Ep2d4YEq=Yx=f5M2NpV-So0o7811LUk+pLr+rg@mail.gmail.com>
Date:   Thu, 3 Nov 2016 01:25:22 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     "David S. Miller" <davem@...emloft.net>,
        Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Matti Vaittinen <matti.vaittinen@...ia.com>,
        Tycho Andersen <tycho.andersen@...onical.com>,
        stephen hemminger <stephen@...workplumber.org>,
        Tom Herbert <tom@...bertland.com>,
        Florian Westphal <fw@...len.de>,
        netdev <netdev@...r.kernel.org>
Subject: net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla

Hi,

I've got the following error report while running the syzkaller fuzzer:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
ffffffff8407e3ac
Read of size 2 by task a.out/3877
Address belongs to variable[<        none        >]
cgroupstats_cmd_get_policy+0xc/0x40 ??:?
CPU: 1 PID: 3877 Comm: a.out Not tainted 4.9.0-rc3+ #336
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff880063077690 ffffffff81b46934 ffff880063077720 ffffffff847a369f
 ffffffff8407e3a0 ffffffff8407e3ac ffff880063077710 ffffffff8150ac7c
 ffffffff85f44280 ffff88006aec1de8 ffff88006aec1e38 0000000000000286
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46934>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<     inline     >] print_address_description mm/kasan/report.c:204
 [<ffffffff8150ac7c>] kasan_report_error+0x49c/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8150ad2e>] __asan_report_load2_noabort+0x3e/0x40
mm/kasan/report.c:322
 [<ffffffff81be27eb>] validate_nla+0x49b/0x4e0 lib/nlattr.c:41
 [<ffffffff81be2ab5>] nla_parse+0x115/0x280 lib/nlattr.c:195
 [<     inline     >] nlmsg_parse ./include/net/netlink.h:386
 [<ffffffff82dc2723>] genl_family_rcv_msg+0x543/0xc80
net/netlink/genetlink.c:613
 [<ffffffff82dc3016>] genl_rcv_msg+0x1b6/0x270 net/netlink/genetlink.c:658
 [<ffffffff82dc10a0>] netlink_rcv_skb+0x2c0/0x3b0 net/netlink/af_netlink.c:2281
 [<ffffffff82dc21c8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669
 [<     inline     >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
 [<ffffffff82dbf959>] netlink_unicast+0x5a9/0x880 net/netlink/af_netlink.c:1240
 [<ffffffff82dc05e7>] netlink_sendmsg+0x9b7/0xce0 net/netlink/af_netlink.c:1786
 [<     inline     >] sock_sendmsg_nosec net/socket.c:606
 [<ffffffff82b6f75c>] sock_sendmsg+0xcc/0x110 net/socket.c:616
 [<ffffffff82b6f9c1>] sock_write_iter+0x221/0x3b0 net/socket.c:814
 [<     inline     >] new_sync_write fs/read_write.c:499
 [<ffffffff8151bd44>] __vfs_write+0x334/0x570 fs/read_write.c:512
 [<ffffffff8151f85b>] vfs_write+0x17b/0x500 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81523184>] SyS_write+0xd4/0x1a0 fs/read_write.c:599
 [<ffffffff83fc0401>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Memory state around the buggy address:
 ffffffff8407e280: 00 02 fa fa fa fa fa fa 00 00 00 00 02 fa fa fa
 ffffffff8407e300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8407e380: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 04 fa
                                  ^
 ffffffff8407e400: fa fa fa fa 00 00 00 00 00 02 fa fa fa fa fa fa
 ffffffff8407e480: 00 00 00 03 fa fa fa fa 00 00 00 00 00 01 fa fa
==================================================================

A reproducer is attached.

On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31).

Thanks!

Download attachment "netlink-validate-oob-poc.c" of type "application/octet-stream" (6353 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ