lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230307100231.227738-1-edumazet@google.com>
Date:   Tue,  7 Mar 2023 10:02:31 +0000
From:   Eric Dumazet <edumazet@...gle.com>
To:     "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Sabrina Dubroca <sd@...asysnail.net>
Cc:     netdev@...r.kernel.org, eric.dumazet@...il.com,
        Eric Dumazet <edumazet@...gle.com>,
        syzbot <syzkaller@...glegroups.com>
Subject: [PATCH net] af_key: fix kernel-infoleak vs XFRMA_ALG_COMP

When copy_to_user_state_extra() copies to netlink skb
x->calg content, it expects calg was fully initialized.

We must make sure all unused bytes are cleared at
allocation side.

syzbot reported:

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:169 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x870/0x1fd0 lib/iov_iter.c:529
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
copyout lib/iov_iter.c:169 [inline]
_copy_to_iter+0x870/0x1fd0 lib/iov_iter.c:529
copy_to_iter include/linux/uio.h:179 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3908 [inline]
netlink_recvmsg+0x4f4/0x15f0 net/netlink/af_netlink.c:1998
sock_recvmsg_nosec net/socket.c:998 [inline]
sock_recvmsg net/socket.c:1016 [inline]
sock_read_iter+0x4bc/0x560 net/socket.c:1089
call_read_iter include/linux/fs.h:2183 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x8cd/0xf40 fs/read_write.c:470
ksys_read+0x21f/0x4f0 fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__x64_sys_read+0x93/0xd0 fs/read_write.c:621
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
copy_to_user_state_extra+0x1175/0x1ac0 net/xfrm/xfrm_user.c:1101
dump_one_state+0x2cc/0x7c0 net/xfrm/xfrm_user.c:1169
xfrm_state_walk+0x721/0x1300 net/xfrm/xfrm_state.c:2308
xfrm_dump_sa+0x1ea/0x6b0 net/xfrm/xfrm_user.c:1240
netlink_dump+0xb1a/0x1560 net/netlink/af_netlink.c:2296
__netlink_dump_start+0xa75/0xc40 net/netlink/af_netlink.c:2401
netlink_dump_start include/linux/netlink.h:294 [inline]
xfrm_user_rcv_msg+0x82c/0xf80 net/xfrm/xfrm_user.c:3091
netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2574
xfrm_netlink_rcv+0x76/0xb0 net/xfrm/xfrm_user.c:3128
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0xa8f/0xe70 net/socket.c:2479
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2533
__sys_sendmsg net/socket.c:2562 [inline]
__do_sys_sendmsg net/socket.c:2571 [inline]
__se_sys_sendmsg net/socket.c:2569 [inline]
__x64_sys_sendmsg+0x36b/0x540 net/socket.c:2569
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:766
slab_alloc_node mm/slub.c:3452 [inline]
__kmem_cache_alloc_node+0x518/0x920 mm/slub.c:3491
kmalloc_trace+0x51/0x200 mm/slab_common.c:1062
kmalloc include/linux/slab.h:580 [inline]
pfkey_msg2xfrm_state net/key/af_key.c:1199 [inline]
pfkey_add+0x31ce/0x3bf0 net/key/af_key.c:1504
pfkey_process net/key/af_key.c:2844 [inline]
pfkey_sendmsg+0x16b8/0x1bb0 net/key/af_key.c:3695
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0xa8f/0xe70 net/socket.c:2479
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2533
__sys_sendmmsg+0x411/0xa50 net/socket.c:2619
__do_sys_sendmmsg net/socket.c:2648 [inline]
__se_sys_sendmmsg net/socket.c:2645 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2645
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Bytes 252-311 of 2224 are uninitialized
Memory access of size 2224 starts at ffff888123c76000
Data copied to user address 0000000020000300

CPU: 1 PID: 4311 Comm: syz-executor.2 Tainted: G W 6.2.0-syzkaller-81157-g944070199c5e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@...glegroups.com>
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
---
 net/key/af_key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index a815f5ab4c49a08a51f7ae5e1200e589621799e8..f77e4ab13a3abc0b98f244752c5df5358aef4060 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1196,7 +1196,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
 				err = -ENOSYS;
 				goto out;
 			}
-			x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);
+			x->calg = kzalloc(sizeof(*x->calg), GFP_KERNEL);
 			if (!x->calg) {
 				err = -ENOMEM;
 				goto out;
-- 
2.40.0.rc0.216.gc4246ad0f0-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ