lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID:
 <PH0PR06MB75601C41918660D3D1C2574894062@PH0PR06MB7560.namprd06.prod.outlook.com>
Date: Wed, 10 Apr 2024 20:49:57 +0000
From: Cem Topcuoglu <topcuoglu.c@...theastern.edu>
To: "stable@...r.kernel.org" <stable@...r.kernel.org>
CC: Parthik Bhardwaj <bhardwaj.p@...theastern.edu>, Changming Liu
	<liu.changm@...theastern.edu>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "regressions@...ts.linux.dev"
	<regressions@...ts.linux.dev>, "davem@...emloft.net" <davem@...emloft.net>,
	"edumazet@...gle.com" <edumazet@...gle.com>, "kuba@...nel.org"
	<kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: KASAN: slab-out-of-bounds Write in ops_init

Hi,

We encountered a bug labelled “KASAN: slab-out-of-bounds Write in ops_init” while fuzzing kernel version 5.15.124 with Syzkaller (lines exist in 5.15.154 as well).
 
In the net_namespace.c file, we have an if condition at line 89. Subsequently, Syzkaller encounters the bug at line 90.
 
89           if (old_ng->s.len > id) {
90                                           old_ng->ptr[id] = data;
91                                           return 0;
92           }
 
Upon inspecting the net_generic struct, we noticed that this struct uses union which puts the array and the header (including the array length information) together.
We suspect that with this union, modifying the ng->ptr[0] is essentially modifying ng->s.len, which might fail the check in 89. This might be the cause for Syzkaller detecting this slab-out-of-bound. 
Since we are CS PhD students and Linux hobbyists, we do not have a full understanding of what could lead to this. We would really appreciate if you guys can share some insights into this matter : )
 
We attached the syzkaller’s bug report below.
 
==================================================================
BUG: KASAN: slab-out-of-bounds in net_assign_generic
usr/src/kernel/net/core/net_namespace.c:90 [inline]
BUG: KASAN: slab-out-of-bounds in ops_init+0x44b/0x4d0
usr/src/kernel/net/core/net_namespace.c:129
Write of size 8 at addr ffff888043c62ae8 by task (coredump)/5424
CPU: 1 PID: 5424 Comm: (coredump) Not tainted 5.15.124-yocto-standard #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
<TASK>
__dump_stack usr/src/kernel/lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x51/0x70 usr/src/kernel/lib/dump_stack.c:106
print_address_description.constprop.0+0x24/0x140 usr/src/kernel/mm/kasan/report.c:248
__kasan_report usr/src/kernel/mm/kasan/report.c:434 [inline]
kasan_report.cold+0x7d/0x117 usr/src/kernel/mm/kasan/report.c:451
__asan_report_store8_noabort+0x17/0x20 usr/src/kernel/mm/kasan/report_generic.c:314
net_assign_generic usr/src/kernel/net/core/net_namespace.c:90 [inline]
ops_init+0x44b/0x4d0 usr/src/kernel/net/core/net_namespace.c:129
setup_net+0x40a/0x970 usr/src/kernel/net/core/net_namespace.c:329
copy_net_ns+0x2ac/0x680 usr/src/kernel/net/core/net_namespace.c:473
create_new_namespaces+0x390/0xa50 usr/src/kernel/kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xb0/0x1d0 usr/src/kernel/kernel/nsproxy.c:226
ksys_unshare+0x30c/0x850 usr/src/kernel/kernel/fork.c:3094
__do_sys_unshare usr/src/kernel/kernel/fork.c:3168 [inline]
__se_sys_unshare usr/src/kernel/kernel/fork.c:3166 [inline]
__x64_sys_unshare+0x36/0x50 usr/src/kernel/kernel/fork.c:3166
do_syscall_x64 usr/src/kernel/arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x40/0x90 usr/src/kernel/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fbafce1b39b
Code: 73 01 c3 48 8b 0d 85 2a 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00
00 90 f3 0f 1e fa b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 55 2a 0e 00 f7
d8 64 89 01 48
RSP: 002b:00007ffddc8dfda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000557e645dd018 RCX: 00007fbafce1b39b
RDX: 0000000000000000 RSI: 00007ffddc8dfd10 RDI: 0000000040000000
RBP: 00007ffddc8dfde0 R08: 0000000000000000 R09: 00007ffd00000067
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000fffffff5
R13: 00007fbafd26ba60 R14: 0000000040000000 R15: 0000000000000000
</TASK>
Allocated by task 5424:
kasan_save_stack+0x26/0x60 usr/src/kernel/mm/kasan/common.c:38
kasan_set_track usr/src/kernel/mm/kasan/common.c:46 [inline]
set_alloc_info usr/src/kernel/mm/kasan/common.c:434 [inline]
____kasan_kmalloc usr/src/kernel/mm/kasan/common.c:513 [inline]
____kasan_kmalloc usr/src/kernel/mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xae/0xe0 usr/src/kernel/mm/kasan/common.c:522
kasan_kmalloc usr/src/kernel/include/linux/kasan.h:264 [inline]
__kmalloc+0x308/0x560 usr/src/kernel/mm/slub.c:4407
kmalloc usr/src/kernel/include/linux/slab.h:596 [inline]
kzalloc usr/src/kernel/include/linux/slab.h:721 [inline]
net_alloc_generic+0x28/0x80 usr/src/kernel/net/core/net_namespace.c:74
net_alloc usr/src/kernel/net/core/net_namespace.c:401 [inline]
copy_net_ns+0xc3/0x680 usr/src/kernel/net/core/net_namespace.c:460
create_new_namespaces+0x390/0xa50 usr/src/kernel/kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xb0/0x1d0 usr/src/kernel/kernel/nsproxy.c:226
ksys_unshare+0x30c/0x850 usr/src/kernel/kernel/fork.c:3094
__do_sys_unshare usr/src/kernel/kernel/fork.c:3168 [inline]
__se_sys_unshare usr/src/kernel/kernel/fork.c:3166 [inline]
__x64_sys_unshare+0x36/0x50 usr/src/kernel/kernel/fork.c:3166
do_syscall_x64 usr/src/kernel/arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x40/0x90 usr/src/kernel/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
The buggy address belongs to the object at ffff888043c62a00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 232 bytes inside of
256-byte region [ffff888043c62a00, ffff888043c62b00)
The buggy address belongs to the page:
page:000000008dd0a6b6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43c62
head:000000008dd0a6b6 order:1 compound_mapcount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea0001108f00 0000000700000007 ffff888001041b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888043c62980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888043c62a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888043c62a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
^
ffff888043c62b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888043c62b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
 
Best
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ