lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 29 Dec 2017 17:48:12 +0100
From:   Alexander Potapenko <glider@...gle.com>
To:     David Miller <davem@...emloft.net>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>
Cc:     Networking <netdev@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Dmitriy Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>
Subject: KMSAN reports use of uninitialized memory in pfkey_sendmsg()

Hi all,

KMSAN reports a use of uninitialized value on the following program:

==========================
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

int main()
{
  int sock = socket(PF_KEY, SOCK_RAW, 2);
  char buf[24];
  memset(buf, 0, 24);
  buf[0] = 2;
  buf[1] = 4;
  buf[4] = 3;
  buf[16] = 1;
  buf[18] = 0x17;  // SADB_X_EXT_NAT_T_OA
  struct msghdr hdr;
  memset(&hdr, 0, sizeof(struct msghdr));
  struct iovec iov;
  hdr.msg_iov = &iov;
  hdr.msg_iovlen = 1;
  iov.iov_base = buf;
  iov.iov_len = 0x18;
  sendmsg(sock, &hdr, 0);
}
==========================

the report is below:

==================================================================
BUG: KMSAN: use of uninitialized memory in pfkey_sendmsg+0x11ad/0x1900
CPU: 0 PID: 2946 Comm: probe Not tainted 4.13.0+ #3626
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 show_stack+0x12f/0x180 arch/x86/kernel/dumpstack.c:177
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x185/0x1d0 lib/dump_stack.c:52
 kmsan_report+0x137/0x1c0 mm/kmsan/kmsan.c:1066
 __msan_warning_32+0x69/0xb0 mm/kmsan/kmsan_instr.c:676
 verify_address_len net/key/af_key.c:404
 parse_exthdrs net/key/af_key.c:532
 pfkey_process net/key/af_key.c:2811
 pfkey_sendmsg+0x11ad/0x1900 net/key/af_key.c:3654
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 ___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
 __sys_sendmsg net/socket.c:2069
 SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
 SyS_sendmsg+0x54/0x80 net/socket.c:2076
 do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:245
RIP: 0033:0x401140
RSP: 002b:00007ffe52abc9e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401140
RDX: 0000000000000000 RSI: 00007ffe52abca10 RDI: 0000000000000003
RBP: 00007ffe52abca80 R08: 0000000000000002 R09: 0000000000000004
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004063e0 R14: 0000000000406470 R15: 0000000000000000
origin:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:63
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:303
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:213
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:339
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:346
 slab_post_alloc_hook mm/slab.h:442
 slab_alloc_node mm/slub.c:2724
 __kmalloc_node_track_caller+0xa46/0x1230 mm/slub.c:4335
 __kmalloc_reserve net/core/skbuff.c:139
 __alloc_skb+0x2c6/0x9f0 net/core/skbuff.c:232
 alloc_skb ./include/linux/skbuff.h:904
 pfkey_sendmsg+0x201/0x1900 net/key/af_key.c:3641
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 ___sys_sendmsg+0xed5/0x1330 net/socket.c:2035
 __sys_sendmsg net/socket.c:2069
 SYSC_sendmsg+0x2a6/0x3d0 net/socket.c:2080
 SyS_sendmsg+0x54/0x80 net/socket.c:2076
 do_syscall_64+0x2f4/0x420 arch/x86/entry/common.c:284
 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:245
==================================================================

Apparently pfkey_sendmsg reads skb past the end of the buffer copied
from the userspace.
Could someone please take a look?

Thanks,
-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ