lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAF=yD-L0G2VC2-sCgsUmX=qmj5ukq6HS7Td1LDWitJkEUYdkHA@mail.gmail.com>
Date:   Tue, 17 Jul 2018 10:32:53 -0700
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     syzbot+9adb4b567003cac781f0@...kaller.appspotmail.com
Cc:     David Miller <davem@...emloft.net>,
        LKML <linux-kernel@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: kernel-infoleak in put_cmsg

On Tue, Jul 17, 2018 at 6:25 AM syzbot
<syzbot+9adb4b567003cac781f0@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    123906095e30 kmsan: introduce kmsan_interrupt_enter()/kmsa..
> git tree:       https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=166dafa0400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
> dashboard link: https://syzkaller.appspot.com/bug?extid=9adb4b567003cac781f0
> compiler:       clang version 7.0.0 (trunk 334104)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=164e4ab0400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15a41e40400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9adb4b567003cac781f0@...kaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> ==================================================================
> BUG: KMSAN: kernel-infoleak in copy_to_user include/linux/uaccess.h:184
> [inline]
> BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
> CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x185/0x1d0 lib/dump_stack.c:113
>   kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
>   kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
>   kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
>   copy_to_user include/linux/uaccess.h:184 [inline]
>   put_cmsg+0x5ef/0x860 net/core/scm.c:242
>   ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719

> Bytes 2-3 of 24 are uninitialized
> Memory access starts at ffff8801bde1f8a8

This socket requests IPV6_ORIGDSTADDR.

According to

  > Uninit was stored to memory at:
  >   ip6_datagram_recv_specific_ctl+0x1c3e/0x1eb0 net/ipv6/datagram.c:713
  >   ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733

It is reading two uninitialized bytes at line

                        sin6.sin6_port = ports[1];

But this access is after the check

                __be16 *ports = (__be16 *) skb_transport_header(skb);

                if (skb_transport_offset(skb) + 4 <= (int)skb->len) {

and the sent packet is 725B.

The socket was opened with SOCK_RAW and protocol NEXTHDR_DEST.

  r0 = socket$inet6(0xa, 0x3, 0x3c)

so this is not a normal packet. Need to take a look at the contents.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ