* [PATCH] iov_iter: Fix out-of-bound access in iov_iter_advance()
@ 2016-03-31 10:49 Takashi Iwai
  2016-04-01  2:50 ` kbuild test robot
From: Takashi Iwai @ 2016-03-31 10:49 UTC (permalink / raw)
  To: Al Viro; +Cc: Jiri Slaby, linux-kernel

Currently, iov_iter_advance() just calls the iterate_and_advance() macro
as is, even if size=0 is passed.  Usually it is OK to pass size=0 to
the macro.  However, when the iov_iter has already been advanced to
the end of the array, it may lead to an out-of-bound access, since the
macro always reads the length of the vector at first.  This bug is
actually seen via KASAN with the net tun driver, for example.

  BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x510/0x540 at addr ffff88003d5efd40
  Read of size 8 by task syz-executor/22356
  page:ffffea0000f57bc0 count:0 mapcount:0 mapping:          (null) index:0x0
  flags: 0x1fffff80000000()
  page dumped because: kasan: bad access detected
  CPU: 0 PID: 22356 Comm: syz-executor Tainted: G        W   E      4.4.6-0-default #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
   0000000000000000 ffff88003d5ef9d0 ffffffff819f42c1 ffff88003d5efa68
   ffff88003d5efd40 0000000000000000 ffff88003d5efd38 ffff88003d5efa58
   ffffffff815f7267 000000000000000a ffff88003d5efad8 0000000000000296
  Call Trace:
   [<ffffffff819f42c1>] ? dump_stack+0xb3/0x112
   [<ffffffff815f7267>] ? kasan_report_error+0x507/0x540
   [<ffffffff8157359f>] ? __might_fault+0x3f/0x50
   [<ffffffff815f73d3>] ? __asan_report_load8_noabort+0x43/0x50
   [<ffffffff81a30660>] ? iov_iter_advance+0x510/0x540
   [<ffffffff81a30660>] ? iov_iter_advance+0x510/0x540
   [<ffffffffa0e08c15>] ? tun_get_user+0x745/0x21a0 [tun]
   [<ffffffff812791f0>] ? debug_check_no_locks_freed+0x290/0x290
   [<ffffffffa0e084d0>] ? tun_select_queue+0x370/0x370 [tun]
   [<ffffffff81329559>] ? futex_wake+0x149/0x420
   [<ffffffff812c9027>] ? debug_lockdep_rcu_enabled+0x77/0x90
   [<ffffffffa0e03895>] ? __tun_get+0x5/0x220 [tun]
   [<ffffffffa0e039b1>] ? __tun_get+0x121/0x220 [tun]
   [<ffffffffa0e0a88a>] ? tun_chr_write_iter+0xda/0x190 [tun]
   [<ffffffff8164841a>] ? __vfs_write+0x30a/0x480
   [<ffffffff81648110>] ? vfs_iter_write+0x320/0x320
   [<ffffffff812c9027>] ? debug_lockdep_rcu_enabled+0x77/0x90
   [<ffffffff818c1448>] ? common_file_perm+0x158/0x7a0
   [<ffffffff818c1cb7>] ? apparmor_file_permission+0x27/0x30
   [<ffffffff81648fa5>] ? rw_verify_area+0x105/0x2f0
   [<ffffffff8164960c>] ? vfs_write+0x16c/0x4a0
   [<ffffffff8164c29a>] ? SyS_write+0x11a/0x230

This patch adds the proper check of the size to iov_iter_advance(),
like all the other functions calling the iterate_and_advance() macro.

Reported-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

We can put these checks in iterate_and_advance(), too.  I chose this
patch since it's smaller, and doing it in the macro would be a bit ugly.
Let me know if you prefer another option.

 lib/iov_iter.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 5fecddc32b1b..17319344a9cb 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -508,6 +508,10 @@ EXPORT_SYMBOL(iov_iter_copy_from_user_atomic);
 
 void iov_iter_advance(struct iov_iter *i, size_t size)
 {
+	if (unlikely(size > i->count))
+		size = i->count;
+	if (unlikely(!size))
+		return 0;
 	iterate_and_advance(i, size, v, 0, 0, 0)
 }
 EXPORT_SYMBOL(iov_iter_advance);
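Review bot: the new early return is `return 0;` inside a function declared `void iov_iter_advance(struct iov_iter *i, size_t size)`, so it should be a bare `return;`; a compiler will warn "'return' with a value, in function returning void" on that line. The clamp to `i->count` followed by the zero-size bail-out is otherwise the right shape and matches what the commit message says the other iterate_and_advance() callers already do.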
-- 
2.7.4
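The hazard the commit message describes, as an added C model that is not part of the patch or of the kernel: an advance that reads the current segment's length before it looks at size (as iterate_and_advance() does), beside the patched entry point that clamps and returns early. struct iov_seg, struct iov_iter, read_seg_len(), advance_unchecked(), advance_checked() and advance_then_zero() are constructed stand-ins, not kernel APIs; the out-of-bounds read is reported by a bounds check instead of being performed.

```c
#include <stdbool.h>
#include <stddef.h>

struct iov_seg { size_t iov_len; };     /* models struct iovec; base pointer omitted */
struct iov_iter {
    const struct iov_seg *iov;           /* current segment; one past the end once drained */
    size_t nr_segs, iov_offset, count;   /* live segments, offset in segment, bytes left */
};

/* Bounds-checked stand-in for the macro's unconditional "__p->iov_len" read. */
static bool read_seg_len(const struct iov_iter *i, size_t *len)
{
    if (i->nr_segs == 0)
        return false;   /* the kernel would read past the iovec array here */
    *len = i->iov->iov_len;
    return true;
}

/* Mirrors iterate_and_advance(): the length is read before size is looked at. */
static bool advance_unchecked(struct iov_iter *i, size_t size)
{
    size_t seg;
    if (!read_seg_len(i, &seg)) return false;   /* reached even when size == 0 */
    while (size) {
        size_t chunk = seg - i->iov_offset;
        if (chunk > size) chunk = size;
        i->iov_offset += chunk; i->count -= chunk; size -= chunk;
        if (i->iov_offset == seg) {   /* segment done: step to the next one */
            i->iov++; i->nr_segs--; i->iov_offset = 0;
            if (size && !read_seg_len(i, &seg)) return false;
        }
    }
    return true;
}

/* Patched entry point: clamp, then return early on zero so the macro is never entered. */
static bool advance_checked(struct iov_iter *i, size_t size)
{
    if (size > i->count) size = i->count;
    return size ? advance_unchecked(i, size) : true;
}

/* Advance by `first` bytes (8 drains both segments, 3 does not), then by 0; true = OOB. */
static bool advance_then_zero(size_t first, bool use_fix)
{
    struct iov_seg vec[2] = { { 4 }, { 4 } };
    struct iov_iter it = { vec, 2, 0, 8 };
    advance_checked(&it, first);
    return !(use_fix ? advance_checked(&it, 0) : advance_unchecked(&it, 0));
}
```

A zero-length advance in the middle of the iterator is harmless in both variants; only the drained iterator, where i->iov already points one past the last segment, reaches the stray read.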


* Re: [PATCH] iov_iter: Fix out-of-bound access in iov_iter_advance()
  2016-03-31 10:49 [PATCH] iov_iter: Fix out-of-bound access in iov_iter_advance() Takashi Iwai
@ 2016-04-01  2:50 ` kbuild test robot
From: kbuild test robot @ 2016-04-01  2:50 UTC (permalink / raw)
  To: Takashi Iwai; +Cc: kbuild-all, Al Viro, Jiri Slaby, linux-kernel


Hi Takashi,

[auto build test WARNING on v4.6-rc1]
[also build test WARNING on next-20160331]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Takashi-Iwai/iov_iter-Fix-out-of-bound-access-in-iov_iter_advance/20160331-185222
config: ia64-allnoconfig (attached as .config)
reproduce:
        wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=ia64 

All warnings (new ones prefixed by >>):

   lib/iov_iter.c: In function 'iov_iter_advance':
>> lib/iov_iter.c:514:3: warning: 'return' with a value, in function returning void
      return 0;
      ^

vim +/return +514 lib/iov_iter.c

   498			__copy_from_user_inatomic((p += v.iov_len) - v.iov_len,
   499						  v.iov_base, v.iov_len),
   500			memcpy_from_page((p += v.bv_len) - v.bv_len, v.bv_page,
   501					 v.bv_offset, v.bv_len),
   502			memcpy((p += v.iov_len) - v.iov_len, v.iov_base, v.iov_len)
   503		)
   504		kunmap_atomic(kaddr);
   505		return bytes;
   506	}
   507	EXPORT_SYMBOL(iov_iter_copy_from_user_atomic);
   508	
   509	void iov_iter_advance(struct iov_iter *i, size_t size)
   510	{
   511		if (unlikely(size > i->count))
   512			size = i->count;
   513		if (unlikely(!size))
 > 514			return 0;
   515		iterate_and_advance(i, size, v, 0, 0, 0)
   516	}
   517	EXPORT_SYMBOL(iov_iter_advance);
   518	
   519	/*
   520	 * Return the count of just the current iov_iter segment.
   521	 */
   522	size_t iov_iter_single_seg_count(const struct iov_iter *i)

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


