Date: Mon, 9 Jul 2018 13:35:17 +0100
From: Mark Rutland <mark.rutland@....com>
To: linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
	"David S. Miller" <davem@...emloft.net>
Subject: v4.18-rc4: slab-out-of-bounds in ___bpf_prog_run

Hi,

While fuzzing v4.18-rc4 with Syzkaller, I hit a KASAN slab-out-of-bounds
warning at ___bpf_prog_run+0x1f20 (splat at the end of this mail), which
faddr2line tells me is kernel/bpf/core.c:1303.

I can reliably trigger this with the below C program, which I minimized
from Syzkaller's auto-generated C reproducer.

Thanks,
Mark.

----
#include <stddef.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <linux/filter.h>

#define BUF_SIZE 0x30000

int sv[2] = {-1, -1};

/* Two-instruction classic BPF program: a word load at a large absolute
 * offset, followed by a return. */
struct sock_filter code[] = {
	{
		.code = BPF_LD | BPF_ABS,
		.k = 0x8001,
	},
	{
		.code = BPF_RET,
	}
};

struct sock_fprog fprog = { 2, code };

static char buf[BUF_SIZE];

int main(int argc, char *argv[])
{
	/* Attach the filter to one end of a SEQPACKET socketpair and send a
	 * large message through the other end so the filter runs on it. */
	socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv);
	setsockopt(sv[0], SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog));
	send(sv[1], buf, BUF_SIZE, 0);

	return 0;
}
----

----
[ 25.753052] ==================================================================
[ 25.756573] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1f20/0x26d0
[ 25.760372] Read of size 4 at addr ffff80000bb18001 by task repro/1516
[ 25.764033]
[ 25.764891] CPU: 0 PID: 1516 Comm: repro Not tainted 4.18.0-rc4 #30
[ 25.768216] Hardware name: linux,dummy-virt (DT)
[ 25.770727] Call trace:
[ 25.772182]  dump_backtrace+0x0/0x238
[ 25.774484]  show_stack+0x14/0x20
[ 25.776285]  dump_stack+0xa0/0xc4
[ 25.778219]  print_address_description+0x60/0x270
[ 25.780176]  kasan_report+0x248/0x348
[ 25.781726]  __asan_load4+0x84/0xa8
[ 25.783656]  ___bpf_prog_run+0x1f20/0x26d0
[ 25.785662]  __bpf_prog_run32+0x88/0xb0
[ 25.787551]  sk_filter_trim_cap+0xf0/0x310
[ 25.789560]  unix_dgram_sendmsg+0x3a4/0x858
[ 25.791339]  unix_seqpacket_sendmsg+0x70/0xb8
[ 25.793457]  sock_sendmsg+0x4c/0x68
[ 25.795213]  __sys_sendto+0x1c4/0x208
[ 25.796804]  sys_sendto+0xc/0x18
[ 25.798262]  el0_svc_naked+0x30/0x34
[ 25.799906]
[ 25.800583] Allocated by task 1:
[ 25.801990]  kasan_kmalloc+0xd0/0x180
[ 25.803185]  kasan_slab_alloc+0x14/0x20
[ 25.804518]  __kmalloc_track_caller+0x174/0x260
[ 25.805834]  kstrdup+0x3c/0x88
[ 25.806814]  kstrdup_const+0x38/0x48
[ 25.807913]  kvasprintf_const+0xe0/0xf8
[ 25.808985]  kobject_set_name_vargs+0x58/0xe0
[ 25.810219]  dev_set_name+0xac/0xd8
[ 25.811185]  tty_register_device_attr+0x1f8/0x368
[ 25.812629]  tty_register_driver+0x1c0/0x358
[ 25.814341]  pty_init+0x26c/0x5cc
[ 25.815818]  do_one_initcall+0xb4/0x218
[ 25.817661]  kernel_init_freeable+0x230/0x2e0
[ 25.819784]  kernel_init+0x10/0x120
[ 25.821132]  ret_from_fork+0x10/0x18
[ 25.822269]
[ 25.822778] Freed by task 0:
[ 25.823865] (stack is not available)
[ 25.825145]
[ 25.825766] The buggy address belongs to the object at ffff80000bb18080
[ 25.825766]  which belongs to the cache kmalloc-128 of size 128
[ 25.829823] The buggy address is located 127 bytes to the left of
[ 25.829823]  128-byte region [ffff80000bb18080, ffff80000bb18100)
[ 25.833461] The buggy address belongs to the page:
[ 25.835264] page:ffff7e00002ec600 count:1 mapcount:0 mapping:ffff80000c40c400 index:0xffff80000bb1ad80 compound_mapcount: 0
[ 25.839164] flags: 0xfffc00000008100(slab|head)
[ 25.841096] raw: 0fffc00000008100 ffff7e00002ef308 ffff7e00002ec708 ffff80000c40c400
[ 25.845046] raw: ffff80000bb1ad80 0000000000190017 00000001ffffffff 0000000000000000
[ 25.848789] page dumped because: kasan: bad access detected
[ 25.851242]
[ 25.852023] Memory state around the buggy address:
[ 25.853853]  ffff80000bb17f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.857089]  ffff80000bb17f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.860771] >ffff80000bb18000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.863457]                    ^
[ 25.864527]  ffff80000bb18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.866623]  ffff80000bb18100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.870453] ==================================================================
[ 25.874417] Disabling lock debugging due to kernel taint
[ 25.877652] Kernel panic - not syncing: panic_on_warn set ...
[ 25.877652]
[ 25.881311] CPU: 0 PID: 1516 Comm: repro Tainted: G    B 4.18.0-rc4 #30
[ 25.884659] Hardware name: linux,dummy-virt (DT)
[ 25.886917] Call trace:
[ 25.888229]  dump_backtrace+0x0/0x238
[ 25.890160]  show_stack+0x14/0x20
[ 25.891838]  dump_stack+0xa0/0xc4
[ 25.893734]  panic+0x184/0x2f8
[ 25.895180]  kasan_save_enable_multi_shot+0x0/0x30
[ 25.897465]  kasan_report+0x110/0x348
[ 25.899327]  __asan_load4+0x84/0xa8
[ 25.901243]  ___bpf_prog_run+0x1f20/0x26d0
[ 25.903234]  __bpf_prog_run32+0x88/0xb0
[ 25.904636]  sk_filter_trim_cap+0xf0/0x310
[ 25.906491]  unix_dgram_sendmsg+0x3a4/0x858
[ 25.907810]  unix_seqpacket_sendmsg+0x70/0xb8
[ 25.909628]  sock_sendmsg+0x4c/0x68
[ 25.911349]  __sys_sendto+0x1c4/0x208
[ 25.912254]  sys_sendto+0xc/0x18
[ 25.912981]  el0_svc_naked+0x30/0x34
[ 25.913858] SMP: stopping secondary CPUs
[ 25.914913] Kernel Offset: disabled
[ 25.915821] CPU features: 0x23000438
[ 25.916722] Memory Limit: none
[ 25.917400] Rebooting in 86400 seconds..
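As a triage aid for reports like the one above, here is an added Python example (editor's code, not part of Mark's mail or of the kernel tree) that parses a KASAN splat into structured fields: the bug class, the first call-trace frame outside the KASAN reporting machinery (the function actually performing the bad access), the access width and address, the slab cache, and the position of the faulting address relative to the reported object. It recomputes the "127 bytes to the left" figure from the two addresses rather than trusting the prose, so it also works for reports whose wording differs. The embedded input is an abridged copy of the report above; the list of frame prefixes treated as reporting machinery is my own heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Abridged copy of the KASAN report from the mail above (the allocation
# trace and the page/shadow dump are omitted; the parser does not need them).
SAMPLE_REPORT = """\
[   25.753052] ==================================================================
[   25.756573] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1f20/0x26d0
[   25.760372] Read of size 4 at addr ffff80000bb18001 by task repro/1516
[   25.764033]
[   25.764891] CPU: 0 PID: 1516 Comm: repro Not tainted 4.18.0-rc4 #30
[   25.768216] Hardware name: linux,dummy-virt (DT)
[   25.770727] Call trace:
[   25.772182]  dump_backtrace+0x0/0x238
[   25.774484]  show_stack+0x14/0x20
[   25.776285]  dump_stack+0xa0/0xc4
[   25.778219]  print_address_description+0x60/0x270
[   25.780176]  kasan_report+0x248/0x348
[   25.781726]  __asan_load4+0x84/0xa8
[   25.783656]  ___bpf_prog_run+0x1f20/0x26d0
[   25.785662]  __bpf_prog_run32+0x88/0xb0
[   25.787551]  sk_filter_trim_cap+0xf0/0x310
[   25.789560]  unix_dgram_sendmsg+0x3a4/0x858
[   25.791339]  unix_seqpacket_sendmsg+0x70/0xb8
[   25.793457]  sock_sendmsg+0x4c/0x68
[   25.795213]  __sys_sendto+0x1c4/0x208
[   25.796804]  sys_sendto+0xc/0x18
[   25.798262]  el0_svc_naked+0x30/0x34
[   25.799906]
[   25.800583] Allocated by task 1:
[   25.825766] The buggy address belongs to the object at ffff80000bb18080
[   25.825766]  which belongs to the cache kmalloc-128 of size 128
[   25.829823] The buggy address is located 127 bytes to the left of
[   25.829823]  128-byte region [ffff80000bb18080, ffff80000bb18100)
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>\S+) in (?P<func>[^\s+]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                         r"by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_LINE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_LINE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
FRAME_LINE = re.compile(r"^(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Heuristic (mine, not KASAN's): frames belonging to the report machinery
# rather than to the code that performed the access.
REPORTING_FRAMES = ("dump_backtrace", "show_stack", "dump_stack",
                    "print_address_description", "kasan_", "__asan_")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    obj_start: Optional[int] = None
    cache: str = ""
    obj_size: Optional[int] = None
    frames: List[str] = field(default_factory=list)


def strip_timestamp(line: str) -> str:
    """Drop the dmesg '[ seconds.micros]' prefix and surrounding whitespace."""
    return TIMESTAMP.sub("", line).strip()


def parse_kasan_report(text: str) -> KasanReport:
    """Extract the fields a triager needs from the first KASAN report in text."""
    r = KasanReport()
    in_trace = False
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        if in_trace:
            m = FRAME_LINE.match(line)
            if m:
                r.frames.append(m.group("sym"))
                continue
            in_trace = False  # first non-frame line ends the trace
        if line == "Call trace:" and not r.frames:
            in_trace = True  # only the first trace; the panic trace repeats it
            continue
        m = BUG_LINE.search(line)
        if m:
            r.kind, r.func = m.group("kind"), m.group("func")
            continue
        m = ACCESS_LINE.search(line)
        if m:
            r.rw, r.size = m.group("rw"), int(m.group("size"))
            r.addr = int(m.group("addr"), 16)
            r.task, r.pid = m.group("task"), int(m.group("pid"))
            continue
        m = OBJECT_LINE.search(line)
        if m:
            r.obj_start = int(m.group("obj"), 16)
            continue
        m = CACHE_LINE.search(line)
        if m:
            r.cache, r.obj_size = m.group("cache"), int(m.group("objsize"))
    return r


def locate_access(r: KasanReport) -> Tuple[str, int]:
    """Position of the faulting access relative to the reported slab object.

    Returns (side, distance_in_bytes); side is 'left', 'right', 'straddles_end'
    or 'inside'. Computed from the addresses, not from the report's prose.
    """
    if r.obj_start is None or r.obj_size is None:
        return ("unknown", 0)
    end = r.obj_start + r.obj_size
    if r.addr < r.obj_start:
        return ("left", r.obj_start - r.addr)
    if r.addr >= end:
        return ("right", r.addr - end)
    if r.addr + r.size > end:
        return ("straddles_end", r.addr + r.size - end)
    return ("inside", r.addr - r.obj_start)


def culprit_frame(frames: List[str]) -> Optional[str]:
    """First call-trace frame that is not part of the KASAN reporting path."""
    for sym in frames:
        if not sym.startswith(REPORTING_FRAMES):
            return sym
    return None


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    side, dist = locate_access(rep)
    print(f"{rep.kind} in {culprit_frame(rep.frames)}: {rep.rw} of {rep.size} bytes, "
          f"{dist} bytes to the {side} of a {rep.cache} object")
```

The `culprit_frame` result should agree with the function named on the `BUG:` line; when it does not, the report is usually a multi-shot or interleaved splat and worth a second look before filing.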