All of lore.kernel.org
 help / color / mirror / Atom feed
* out of bounds strscpy from seccomp_actions_logged_handler
@ 2017-10-24 23:46 Dave Jones
  2017-10-24 23:54 ` Tyler Hicks
  0 siblings, 1 reply; 3+ messages in thread
From: Dave Jones @ 2017-10-24 23:46 UTC (permalink / raw)
  To: Tyler Hicks; +Cc: Kees Cook, Linux Kernel

(Triggered with trinity, but it seems just a 'cat
/proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).


BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883

CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1 
Call Trace:
 dump_stack+0xbc/0x145
 ? dma_virt_map_sg+0xfb/0xfb
 print_address_description+0x2d/0x260
 kasan_report+0x277/0x360
 ? strscpy+0x133/0x2d0
 strscpy+0x133/0x2d0
 ? strcasecmp+0xb0/0xb0
 seccomp_actions_logged_handler+0x2c5/0x440
 ? seccomp_send_sigsys+0xd0/0xd0
 ? lock_downgrade+0x310/0x310
 ? lock_release+0x890/0x890
 ? do_raw_spin_unlock+0x147/0x220
 ? do_raw_spin_trylock+0x100/0x100
 ? do_raw_spin_trylock+0x40/0x100
 ? do_raw_spin_lock+0x110/0x110
 proc_sys_call_handler+0x1b1/0x1f0
 ? seccomp_send_sigsys+0xd0/0xd0
 ? proc_sys_readdir+0x6d0/0x6d0
 do_iter_read+0x23b/0x280
 vfs_readv+0x107/0x180
 ? compat_rw_copy_check_uvector+0x1d0/0x1d0
 ? native_sched_clock+0xf9/0x1a0
 ? cyc2ns_read_end+0x10/0x10
 ? __fget_light+0x181/0x200
 ? fget_raw+0x10/0x10
 ? __lock_is_held+0x2e/0xd0
 ? rcu_read_lock_sched_held+0x90/0xa0
 ? __context_tracking_exit.part.4+0x223/0x290
 ? context_tracking_recursion_enter+0x50/0x50
 ? __task_pid_nr_ns+0x1c4/0x300
 ? do_preadv+0xb0/0xf0
 do_preadv+0xb0/0xf0
 ? SyS_preadv+0x10/0x10
 do_syscall_64+0x182/0x400
 ? syscall_return_slowpath+0x270/0x270
 ? rcu_read_lock_sched_held+0x90/0xa0
 ? __context_tracking_exit.part.4+0x223/0x290
 ? mark_held_locks+0x1b/0xa0
 ? return_from_SYSCALL_64+0x2d/0x7a
 ? trace_hardirqs_on_caller+0x17a/0x250
 ? trace_hardirqs_on_thunk+0x1a/0x1c
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f52d5f45219
RSP: 002b:00007fff8a422838 EFLAGS: 00000246
 ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000

The buggy address belongs to the variable:
 kdb_rwtypes+0x1268/0x1320

Memory state around the buggy address:
 ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
                                  ^
 ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
 ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
==================================================================
Disabling lock debugging due to kernel taint

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: out of bounds strscpy from seccomp_actions_logged_handler
  2017-10-24 23:46 out of bounds strscpy from seccomp_actions_logged_handler Dave Jones
@ 2017-10-24 23:54 ` Tyler Hicks
  2017-10-25  0:18   ` Dave Jones
  0 siblings, 1 reply; 3+ messages in thread
From: Tyler Hicks @ 2017-10-24 23:54 UTC (permalink / raw)
  To: Dave Jones; +Cc: Kees Cook, Linux Kernel


[-- Attachment #1.1: Type: text/plain, Size: 3143 bytes --]

On 10/24/2017 06:46 PM, Dave Jones wrote:
> (Triggered with trinity, but it seems just a 'cat
> /proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).

Hi Dave - Thanks for the report. This is a false positive that was
previously discussed here:

https://lkml.kernel.org/r/<20171010182805.52b9b2af@cakuba.netronome.com>

Tyler

> 
> 
> BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
> Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883
> 
> CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1 
> Call Trace:
>  dump_stack+0xbc/0x145
>  ? dma_virt_map_sg+0xfb/0xfb
>  print_address_description+0x2d/0x260
>  kasan_report+0x277/0x360
>  ? strscpy+0x133/0x2d0
>  strscpy+0x133/0x2d0
>  ? strcasecmp+0xb0/0xb0
>  seccomp_actions_logged_handler+0x2c5/0x440
>  ? seccomp_send_sigsys+0xd0/0xd0
>  ? lock_downgrade+0x310/0x310
>  ? lock_release+0x890/0x890
>  ? do_raw_spin_unlock+0x147/0x220
>  ? do_raw_spin_trylock+0x100/0x100
>  ? do_raw_spin_trylock+0x40/0x100
>  ? do_raw_spin_lock+0x110/0x110
>  proc_sys_call_handler+0x1b1/0x1f0
>  ? seccomp_send_sigsys+0xd0/0xd0
>  ? proc_sys_readdir+0x6d0/0x6d0
>  do_iter_read+0x23b/0x280
>  vfs_readv+0x107/0x180
>  ? compat_rw_copy_check_uvector+0x1d0/0x1d0
>  ? native_sched_clock+0xf9/0x1a0
>  ? cyc2ns_read_end+0x10/0x10
>  ? __fget_light+0x181/0x200
>  ? fget_raw+0x10/0x10
>  ? __lock_is_held+0x2e/0xd0
>  ? rcu_read_lock_sched_held+0x90/0xa0
>  ? __context_tracking_exit.part.4+0x223/0x290
>  ? context_tracking_recursion_enter+0x50/0x50
>  ? __task_pid_nr_ns+0x1c4/0x300
>  ? do_preadv+0xb0/0xf0
>  do_preadv+0xb0/0xf0
>  ? SyS_preadv+0x10/0x10
>  do_syscall_64+0x182/0x400
>  ? syscall_return_slowpath+0x270/0x270
>  ? rcu_read_lock_sched_held+0x90/0xa0
>  ? __context_tracking_exit.part.4+0x223/0x290
>  ? mark_held_locks+0x1b/0xa0
>  ? return_from_SYSCALL_64+0x2d/0x7a
>  ? trace_hardirqs_on_caller+0x17a/0x250
>  ? trace_hardirqs_on_thunk+0x1a/0x1c
>  entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x7f52d5f45219
> RSP: 002b:00007fff8a422838 EFLAGS: 00000246
>  ORIG_RAX: 0000000000000147
> RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
> RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
> RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
> R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000
> 
> The buggy address belongs to the variable:
>  kdb_rwtypes+0x1268/0x1320
> 
> Memory state around the buggy address:
>  ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>> ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
>                                   ^
>  ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
>  ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
> ==================================================================
> Disabling lock debugging due to kernel taint
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: out of bounds strscpy from seccomp_actions_logged_handler
  2017-10-24 23:54 ` Tyler Hicks
@ 2017-10-25  0:18   ` Dave Jones
  0 siblings, 0 replies; 3+ messages in thread
From: Dave Jones @ 2017-10-25  0:18 UTC (permalink / raw)
  To: Tyler Hicks; +Cc: Kees Cook, Linux Kernel

On Tue, Oct 24, 2017 at 06:54:25PM -0500, Tyler Hicks wrote:
 > On 10/24/2017 06:46 PM, Dave Jones wrote:
 > > (Triggered with trinity, but it seems just a 'cat
 > > /proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).
 > 
 > Hi Dave - Thanks for the report. This is a false positive that was
 > previously discussed here:
 > 
 > https://lkml.kernel.org/r/<20171010182805.52b9b2af@cakuba.netronome.com>
 
Bah, I thought this smelled familiar.  I'll just roll Andrey's
workaround diff into my builds for fuzzing runs until someone figures
out something better.

	Dave

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-10-25  0:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-24 23:46 out of bounds strscpy from seccomp_actions_logged_handler Dave Jones
2017-10-24 23:54 ` Tyler Hicks
2017-10-25  0:18   ` Dave Jones

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.