Date:   Mon, 9 Jul 2018 13:35:17 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        "David S. Miller" <davem@...emloft.net>
Subject: v4.18-rc4: slab-out-of-bounds in ___bpf_prog_run

Hi,

While fuzzing v4.18-rc4 with Syzkaller, I hit a KASAN slab-out-of-bounds
warning at ___bpf_prog_run+0x1f20 (splat at the end of this mail), which
faddr2line tells me is kernel/bpf/core.c:1303.

I can reliably trigger this with the below C program, which I minimized from
Syzkaller's auto-generated C reproducer.

Thanks,
Mark.

----
#include <stddef.h>

#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <linux/filter.h>

#define BUF_SIZE 0x30000

int sv[2] = {-1, -1};

struct sock_filter code[] = {
	{
		.code = BPF_LD | BPF_ABS,
		.k = 0x8001,
	},
	{
		.code = BPF_RET,
	}
};

struct sock_fprog fprog = { 2, code };

static char buf[BUF_SIZE];

int main(int argc, char **argv)
{
	socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv);
	setsockopt(sv[0], SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog));
	send(sv[1], buf, BUF_SIZE, 0);

	return 0;
}

----

----
[   25.753052] ==================================================================
[   25.756573] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1f20/0x26d0
[   25.760372] Read of size 4 at addr ffff80000bb18001 by task repro/1516
[   25.764033] 
[   25.764891] CPU: 0 PID: 1516 Comm: repro Not tainted 4.18.0-rc4 #30
[   25.768216] Hardware name: linux,dummy-virt (DT)
[   25.770727] Call trace:
[   25.772182]  dump_backtrace+0x0/0x238
[   25.774484]  show_stack+0x14/0x20
[   25.776285]  dump_stack+0xa0/0xc4
[   25.778219]  print_address_description+0x60/0x270
[   25.780176]  kasan_report+0x248/0x348
[   25.781726]  __asan_load4+0x84/0xa8
[   25.783656]  ___bpf_prog_run+0x1f20/0x26d0
[   25.785662]  __bpf_prog_run32+0x88/0xb0
[   25.787551]  sk_filter_trim_cap+0xf0/0x310
[   25.789560]  unix_dgram_sendmsg+0x3a4/0x858
[   25.791339]  unix_seqpacket_sendmsg+0x70/0xb8
[   25.793457]  sock_sendmsg+0x4c/0x68
[   25.795213]  __sys_sendto+0x1c4/0x208
[   25.796804]  sys_sendto+0xc/0x18
[   25.798262]  el0_svc_naked+0x30/0x34
[   25.799906] 
[   25.800583] Allocated by task 1:
[   25.801990]  kasan_kmalloc+0xd0/0x180
[   25.803185]  kasan_slab_alloc+0x14/0x20
[   25.804518]  __kmalloc_track_caller+0x174/0x260
[   25.805834]  kstrdup+0x3c/0x88
[   25.806814]  kstrdup_const+0x38/0x48
[   25.807913]  kvasprintf_const+0xe0/0xf8
[   25.808985]  kobject_set_name_vargs+0x58/0xe0
[   25.810219]  dev_set_name+0xac/0xd8
[   25.811185]  tty_register_device_attr+0x1f8/0x368
[   25.812629]  tty_register_driver+0x1c0/0x358
[   25.814341]  pty_init+0x26c/0x5cc
[   25.815818]  do_one_initcall+0xb4/0x218
[   25.817661]  kernel_init_freeable+0x230/0x2e0
[   25.819784]  kernel_init+0x10/0x120
[   25.821132]  ret_from_fork+0x10/0x18
[   25.822269] 
[   25.822778] Freed by task 0:
[   25.823865] (stack is not available)
[   25.825145] 
[   25.825766] The buggy address belongs to the object at ffff80000bb18080
[   25.825766]  which belongs to the cache kmalloc-128 of size 128
[   25.829823] The buggy address is located 127 bytes to the left of
[   25.829823]  128-byte region [ffff80000bb18080, ffff80000bb18100)
[   25.833461] The buggy address belongs to the page:
[   25.835264] page:ffff7e00002ec600 count:1 mapcount:0 mapping:ffff80000c40c400 index:0xffff80000bb1ad80 compound_mapcount: 0
[   25.839164] flags: 0xfffc00000008100(slab|head)
[   25.841096] raw: 0fffc00000008100 ffff7e00002ef308 ffff7e00002ec708 ffff80000c40c400
[   25.845046] raw: ffff80000bb1ad80 0000000000190017 00000001ffffffff 0000000000000000
[   25.848789] page dumped because: kasan: bad access detected
[   25.851242] 
[   25.852023] Memory state around the buggy address:
[   25.853853]  ffff80000bb17f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.857089]  ffff80000bb17f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   25.860771] >ffff80000bb18000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.863457]                    ^
[   25.864527]  ffff80000bb18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.866623]  ffff80000bb18100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.870453] ==================================================================
[   25.874417] Disabling lock debugging due to kernel taint
[   25.877652] Kernel panic - not syncing: panic_on_warn set ...
[   25.877652] 
[   25.881311] CPU: 0 PID: 1516 Comm: repro Tainted: G    B             4.18.0-rc4 #30
[   25.884659] Hardware name: linux,dummy-virt (DT)
[   25.886917] Call trace:
[   25.888229]  dump_backtrace+0x0/0x238
[   25.890160]  show_stack+0x14/0x20
[   25.891838]  dump_stack+0xa0/0xc4
[   25.893734]  panic+0x184/0x2f8
[   25.895180]  kasan_save_enable_multi_shot+0x0/0x30
[   25.897465]  kasan_report+0x110/0x348
[   25.899327]  __asan_load4+0x84/0xa8
[   25.901243]  ___bpf_prog_run+0x1f20/0x26d0
[   25.903234]  __bpf_prog_run32+0x88/0xb0
[   25.904636]  sk_filter_trim_cap+0xf0/0x310
[   25.906491]  unix_dgram_sendmsg+0x3a4/0x858
[   25.907810]  unix_seqpacket_sendmsg+0x70/0xb8
[   25.909628]  sock_sendmsg+0x4c/0x68
[   25.911349]  __sys_sendto+0x1c4/0x208
[   25.912254]  sys_sendto+0xc/0x18
[   25.912981]  el0_svc_naked+0x30/0x34
[   25.913858] SMP: stopping secondary CPUs
[   25.914913] Kernel Offset: disabled
[   25.915821] CPU features: 0x23000438
[   25.916722] Memory Limit: none
[   25.917400] Rebooting in 86400 seconds..
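
Added example, not part of the original mail: a Python triage helper that parses the KASAN report above, recomputes the reported distance between the access address and the object region from the raw addresses, and derives a de-duplication key from the first call-trace frame outside the reporting code. The function name, the key format and the list of reporting-frame prefixes are assumptions of this example; the sample lines are copied from the splat.

```python
import re

# Lines copied from the splat in this mail, timestamps as posted.
SPLAT = """\
[   25.756573] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1f20/0x26d0
[   25.760372] Read of size 4 at addr ffff80000bb18001 by task repro/1516
[   25.772182]  dump_backtrace+0x0/0x238
[   25.774484]  show_stack+0x14/0x20
[   25.776285]  dump_stack+0xa0/0xc4
[   25.778219]  print_address_description+0x60/0x270
[   25.780176]  kasan_report+0x248/0x348
[   25.781726]  __asan_load4+0x84/0xa8
[   25.783656]  ___bpf_prog_run+0x1f20/0x26d0
[   25.785662]  __bpf_prog_run32+0x88/0xb0
[   25.829823] The buggy address is located 127 bytes to the left of
[   25.829823]  128-byte region [ffff80000bb18080, ffff80000bb18100)
"""

# Assumption: frames with these prefixes are stack-dump/KASAN reporting code.
REPORTING = ("dump_backtrace", "show_stack", "dump_stack",
             "print_address_description", "kasan_", "__asan_")

def triage(splat):
    """Parse one KASAN report; return its key fields and a dedup key."""
    text = "\n".join(re.sub(r"^\[\s*\d+\.\d+\] ?", "", line)
                     for line in splat.splitlines())
    kind = re.search(r"BUG: KASAN: (\S+) in ", text).group(1)
    op, size, addr = re.search(
        r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text).groups()
    gap, side, start, end = re.search(
        r"located (\d+) bytes to the (left|right) of\n\s*\d+-byte region "
        r"\[([0-9a-f]+), ([0-9a-f]+)\)", text).groups()
    addr, start, end = int(addr, 16), int(start, 16), int(end, 16)
    # Recompute the distance from the raw addresses instead of trusting the text.
    computed = start - addr if side == "left" else addr - end
    frames = re.findall(r"^[ \t]+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+[ \t]*$",
                        text, re.M)
    # First frame that is not reporting machinery is the faulting function.
    fault = next(f for f in frames if not f.startswith(REPORTING))
    return {
        "kind": kind, "op": op, "size": int(size), "addr": addr,
        "side": side, "gap": computed, "consistent": computed == int(gap),
        "fault": fault, "key": f"{kind}:{op}{size}:{fault}",
    }

if __name__ == "__main__":
    print(triage(SPLAT))
```
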
