| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG_fn=XPGwhaLqJkOycgDA+DsXzFkFZCzOcpL4pC8e7_qY7jCg@mail.gmail.com>
Date: Fri, 29 Dec 2017 17:48:12 +0100
From: Alexander Potapenko <glider@...gle.com>
To: David Miller <davem@...emloft.net>,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>
Cc: Networking <netdev@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
Dmitriy Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>
Subject: KMSAN reports use of uninitialized memory in pfkey_sendmsg()
Hi all,
KMSAN reports a use of uninitialized value on the following program:
==========================
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
int main()
{
int sock = socket(PF_KEY, SOCK_RAW, 2);
char buf[24];
memset(buf, 0, 24);
buf[0] = 2;
buf[1] = 4;
buf[4] = 3;
buf[16] = 1;
buf[18] = 0x17; // SADB_X_EXT_NAT_T_OA
struct msghdr hdr;
memset(&hdr, 0, sizeof(struct msghdr));
struct iovec iov;
hdr.msg_iov = &iov;
hdr.msg_iovlen = 1;
iov.iov_base = buf;
iov.iov_len = 0x18;
sendmsg(sock, &hdr, 0);
}
==========================
the report is below:
==================================================================
BUG: KMSAN: use of uninitialized memory in pfkey_sendmsg+0x11ad/0x1900
CPU: 0 PID: 2946 Comm: probe Not tainted 4.13.0+ #3626
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
show_stack+0x12f/0x180 arch/x86/kernel/dumpstack.c:177
__dump_stack lib/dump_stack.c:16
dump_stack+0x185/0x1d0 lib/dump_stack.c:52
kmsan_report+0x137/0x1c0 mm/kmsan/kmsan.c:1066
__msan_warning_32+0x69/0xb0 mm/kmsan/kmsan_instr.c:676
verify_address_len net/key/af_key.c:404
parse_exthdrs net/key/af_key.c:532
pfkey_process net/key/af_key.c:2811
pfkey_sendmsg+0x11ad/0x1900 net/key/af_key.c:3654
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
__sys_sendmsg net/socket.c:2069
SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
SyS_sendmsg+0x54/0x80 net/socket.c:2076
do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:245
RIP: 0033:0x401140
RSP: 002b:00007ffe52abc9e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401140
RDX: 0000000000000000 RSI: 00007ffe52abca10 RDI: 0000000000000003
RBP: 00007ffe52abca80 R08: 0000000000000002 R09: 0000000000000004
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004063e0 R14: 0000000000406470 R15: 0000000000000000
origin:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:63
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:303
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:213
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:339
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:346
slab_post_alloc_hook mm/slab.h:442
slab_alloc_node mm/slub.c:2724
__kmalloc_node_track_caller+0xa46/0x1230 mm/slub.c:4335
__kmalloc_reserve net/core/skbuff.c:139
__alloc_skb+0x2c6/0x9f0 net/core/skbuff.c:232
alloc_skb ./include/linux/skbuff.h:904
pfkey_sendmsg+0x201/0x1900 net/key/af_key.c:3641
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
__sys_sendmsg net/socket.c:2069
SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
SyS_sendmsg+0x54/0x80 net/socket.c:2076
do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:245
==================================================================
Apparently pfkey_sendmsg reads skb past the end of the buffer copied
from the userspace.
Could someone please take a look?
Thanks,
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Powered by blists - more mailing lists