From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: neilb@suse.com, Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-doc@vger.kernel.org,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>
Subject: Re: [PATCH mm] VFS: seq_file: ensure ->from is valid.
Date: Mon, 9 Jul 2018 21:40:54 +0200 [thread overview]
Message-ID: <CAG48ez36DjH__USsW4ViFXqUj3y8GJf1Bz7tyje0Wpub6zgXcQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+F3zUZ6+8cKuurq2fV8L5Piy5dvYrYXeFVG0kVmpZMRw@mail.gmail.com>
On Mon, Jul 9, 2018 at 8:16 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Fri, Jul 6, 2018 at 8:29 PM, NeilBrown <neilb@suse.com> wrote:
> >
> > Previous patch ("VFS: simplify seq_file iteration code and interface")
> > removed code to set ->from to zero when ->count is zero, as ->from is
> > dead at that time. However it didn't ensure ->from was set properly
> > whenever ->count becomes non-zero.
> > This can only happen when ->show() is called. Of the three places it
> > is called one already has ->from set to zero. The other two are
> > fixed by setting from to zero after fully flushing the buffer (at which
> > point ->count will also be zero).
> >
> > Reported-by: Jann Horn <jannh@google.com>
> > Signed-off-by: NeilBrown <neilb@suse.com>
>
> I *think* this solves this report, which looks very much like Jann's reproducer:
>
> https://syzkaller.appspot.com/bug?extid=4b712dce5cbce6700f27
I don't think the path I found and what syzcaller reported match
precisely. The syz reproducer linked on that page is:
r0 = memfd_create(&(0x7f00000000c0)='md5sum\x00', 0x0)
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x0, 0x51, r0, 0x0)
mkdir(&(0x7f0000000040)='./control\x00', 0x0)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7,
&(0x7f0000000000), &(0x7f0000000080)=0x4)
r2 = syz_open_procfs(0x0, &(0x7f0000000040)='smaps\x00')
readv(r2, &(0x7f00000021c0)=[{&(0x7f0000000140)=""/79, 0x432},
{&(0x7f00000001c0)=""/4096, 0x1000}], 0x2)
If we assume that this is the same bug, only the last two lines are
interesting. They should cause two invocations of seq_read(). The
first invocation should start with ->from==0, so the bug shouldn't
trigger there. So it has to happen on the second invocation. So the
first invocation has to leave ->from at some high value and ->count
nonzero. But the only place in seq_read() that could set ->from on the
first read (if the traverse case doesn't happen) is the one at the end
of seq_read() that properly adjusts ->count down by the same number in
the line above. This doesn't add up.
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: neilb@suse.com, Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-doc@vger.kernel.org,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>
Subject: Re: [PATCH mm] VFS: seq_file: ensure ->from is valid.
Date: Mon, 9 Jul 2018 21:40:54 +0200 [thread overview]
Message-ID: <CAG48ez36DjH__USsW4ViFXqUj3y8GJf1Bz7tyje0Wpub6zgXcQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+F3zUZ6+8cKuurq2fV8L5Piy5dvYrYXeFVG0kVmpZMRw@mail.gmail.com>
On Mon, Jul 9, 2018 at 8:16 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Fri, Jul 6, 2018 at 8:29 PM, NeilBrown <neilb@suse.com> wrote:
> >
> > Previous patch ("VFS: simplify seq_file iteration code and interface")
> > removed code to set ->from to zero when ->count is zero, as ->from is
> > dead at that time. However it didn't ensure ->from was set properly
> > whenever ->count becomes non-zero.
> > This can only happen when ->show() is called. Of the three places it
> > is called one already has ->from set to zero. The other two are
> > fixed by setting from to zero after fully flushing the buffer (at which
> > point ->count will also be zero).
> >
> > Reported-by: Jann Horn <jannh@google.com>
> > Signed-off-by: NeilBrown <neilb@suse.com>
>
> I *think* this solves this report, which looks very much like Jann's reproducer:
>
> https://syzkaller.appspot.com/bug?extid=4b712dce5cbce6700f27
I don't think the path I found and what syzcaller reported match
precisely. The syz reproducer linked on that page is:
r0 = memfd_create(&(0x7f00000000c0)='md5sum\x00', 0x0)
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x0, 0x51, r0, 0x0)
mkdir(&(0x7f0000000040)='./control\x00', 0x0)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7,
&(0x7f0000000000), &(0x7f0000000080)=0x4)
r2 = syz_open_procfs(0x0, &(0x7f0000000040)='smaps\x00')
readv(r2, &(0x7f00000021c0)=[{&(0x7f0000000140)=""/79, 0x432},
{&(0x7f00000001c0)=""/4096, 0x1000}], 0x2)
If we assume that this is the same bug, only the last two lines are
interesting. They should cause two invocations of seq_read(). The
first invocation should start with ->from==0, so the bug shouldn't
trigger there. So it has to happen on the second invocation. So the
first invocation has to leave ->from at some high value and ->count
nonzero. But the only place in seq_read() that could set ->from on the
first read (if the traverse case doesn't happen) is the one at the end
of seq_read() that properly adjusts ->count down by the same number in
the line above. This doesn't add up.
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-07-09 19:41 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-15 22:42 [PATCH] VFS: simplify seq_file iteration code and interface NeilBrown
2018-04-30 1:50 ` [PATCH resend] " NeilBrown
2018-04-30 18:03 ` Jonathan Corbet
2018-04-30 18:03 ` Jonathan Corbet
2018-05-31 22:26 ` [PATCH resend*2] " NeilBrown
2018-06-18 6:46 ` [PATCH resend*3] " NeilBrown
2018-07-07 0:56 ` Jann Horn
2018-07-07 0:56 ` Jann Horn
2018-07-07 3:23 ` NeilBrown
2018-07-07 3:29 ` [PATCH mm] VFS: seq_file: ensure ->from is valid NeilBrown
2018-07-07 3:50 ` Jann Horn
2018-07-07 3:50 ` Jann Horn
2018-07-09 18:16 ` Kees Cook
2018-07-09 18:16 ` Kees Cook
2018-07-09 19:40 ` Jann Horn [this message]
2018-07-09 19:40 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez36DjH__USsW4ViFXqUj3y8GJf1Bz7tyje0Wpub6zgXcQ@mail.gmail.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=neilb@suse.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.