* Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-24  2:42 Eric Biggers
From: Eric Biggers @ 2019-07-24  2:42 UTC (permalink / raw)
  To: linux-security-module, Kentaro Takeda, Tetsuo Handa,
	James Morris, Serge E. Hallyn
  Cc: linux-kernel, syzkaller-bugs

[This email was generated by a script.  Let me know if you have any suggestions
to make it better, or if you want it re-generated with the latest status.]

Of the currently open syzbot reports against the upstream kernel, I've manually
marked 2 of them as possibly being bugs in the "security/tomoyo" subsystem. 
I've listed these reports below, sorted by an algorithm that tries to list first
the reports most likely to be still valid, important, and actionable.

If you believe a bug is no longer valid, please close the syzbot report by
sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
original thread, as explained at https://goo.gl/tpsmEJ#status

If you believe I misattributed a bug to the "security/tomoyo" subsystem, please
let me know, and if possible forward the report to the correct people or mailing
list.

Here are the bugs:

--------------------------------------------------------------------------------
Title:              KASAN: use-after-free Read in tomoyo_realpath_from_path
Last occurred:      28 days ago
Reported:           48 days ago
Branches:           Mainline and others
Dashboard link:     https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
Original thread:    https://lkml.kernel.org/lkml/0000000000004f43fa058a97f4d3@google.com/T/#u

This bug has a syzkaller reproducer only.

The original thread for this bug has received 7 replies; the last was 31 days
ago.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com

If you send any email or patch for this bug, please consider replying to the
original thread.  For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000004f43fa058a97f4d3@google.com

--------------------------------------------------------------------------------
Title:              KASAN: invalid-free in tomoyo_realpath_from_path
Last occurred:      57 days ago
Reported:           56 days ago
Branches:           net-next
Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u

Unfortunately, this bug does not have a reproducer.

The original thread for this bug has received 1 reply, 56 days ago.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+9742b1c6c7aedf18beda@syzkaller.appspotmail.com

If you send any email or patch for this bug, please consider replying to the
original thread.  For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000785e9d0589ec359a@google.com



* Re: Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-24  3:18 ` Tetsuo Handa
From: Tetsuo Handa @ 2019-07-24  3:18 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-security-module, syzkaller-bugs

On 2019/07/24 11:42, Eric Biggers wrote:
> --------------------------------------------------------------------------------
> Title:              KASAN: use-after-free Read in tomoyo_realpath_from_path
> Last occurred:      28 days ago
> Reported:           48 days ago
> Branches:           Mainline and others
> Dashboard link:     https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
> Original thread:    https://lkml.kernel.org/lkml/0000000000004f43fa058a97f4d3@google.com/T/#u

A patch is available, but I can't find a chance to set up my git tree for sending
a pull request for the patch.

> --------------------------------------------------------------------------------
> Title:              KASAN: invalid-free in tomoyo_realpath_from_path
> Last occurred:      57 days ago
> Reported:           56 days ago
> Branches:           net-next
> Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
> Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u

This cannot be a TOMOYO bug. We are waiting for a reproducer, but
no crash has occurred since then. Maybe it is time to close it as invalid.


* Re: Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-24  4:34   ` Eric Biggers
From: Eric Biggers @ 2019-07-24  4:34 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-security-module, syzkaller-bugs

On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
> > --------------------------------------------------------------------------------
> > Title:              KASAN: invalid-free in tomoyo_realpath_from_path
> > Last occurred:      57 days ago
> > Reported:           56 days ago
> > Branches:           net-next
> > Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
> > Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
> 
> This cannot be a TOMOYO bug. We are waiting for a reproducer, but
> no crash has occurred since then. Maybe it is time to close it as invalid.

Maybe.  Did you check for stack buffer overflows in the functions that
tomoyo_realpath_from_path() calls?  Perhaps something is corrupting the 'buf'
variable in the parent's stack frame.

- Eric


* Re: Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-24  4:54     ` Tetsuo Handa
From: Tetsuo Handa @ 2019-07-24  4:54 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-security-module, syzkaller-bugs

On 2019/07/24 13:34, Eric Biggers wrote:
> On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
>>> --------------------------------------------------------------------------------
>>> Title:              KASAN: invalid-free in tomoyo_realpath_from_path
>>> Last occurred:      57 days ago
>>> Reported:           56 days ago
>>> Branches:           net-next
>>> Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
>>> Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
>>
>> This cannot be a TOMOYO bug. We are waiting for a reproducer, but
>> no crash has occurred since then. Maybe it is time to close it as invalid.
> 
> Maybe.  Did you check for stack buffer overflows in the functions that
> tomoyo_realpath_from_path() calls?  Perhaps something is corrupting the 'buf'
> variable in the parent's stack frame.
> 

What do you mean? If this crash were a stack buffer overflow, this crash
should have already occurred again.

Since the "buf" variable is a local variable, it cannot be shared between
two threads. Since "buf" is assigned as

  buf = kmalloc(buf_len, GFP_NOFS);

and nobody else is reassigning "buf",

  kfree(buf);

can't become an invalid free.


* Re: Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-24  5:00       ` Eric Biggers
From: Eric Biggers @ 2019-07-24  5:00 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-security-module, syzkaller-bugs

On Wed, Jul 24, 2019 at 01:54:40PM +0900, Tetsuo Handa wrote:
> On 2019/07/24 13:34, Eric Biggers wrote:
> > On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
> >>> --------------------------------------------------------------------------------
> >>> Title:              KASAN: invalid-free in tomoyo_realpath_from_path
> >>> Last occurred:      57 days ago
> >>> Reported:           56 days ago
> >>> Branches:           net-next
> >>> Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
> >>> Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
> >>
> >> This cannot be a TOMOYO bug. We are waiting for a reproducer, but
> >> no crash has occurred since then. Maybe it is time to close it as invalid.
> > 
> > Maybe.  Did you check for stack buffer overflows in the functions that
> > tomoyo_realpath_from_path() calls?  Perhaps something is corrupting the 'buf'
> > variable in the parent's stack frame.
> > 
> 
> What do you mean? If this crash were a stack buffer overflow, this crash
> should have already occurred again.
> 

Well, not necessarily; it could be very rare.

That being said, it was only seen on net-next and only once; so it could have
been caused by some broken patch elsewhere in the kernel that was only present
for a short time.

So if you aren't going to do anything else with this, please just go ahead and
invalidate it.

> Since the "buf" variable is a local variable, it cannot be shared between
> two threads. Since "buf" is assigned as
> 
>   buf = kmalloc(buf_len, GFP_NOFS);
> 
> and nobody else is reassigning "buf",
> 
>   kfree(buf);
> 
> can't become an invalid free.
> 

- Eric


* Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
@ 2019-07-02  5:14 Eric Biggers
From: Eric Biggers @ 2019-07-02  5:14 UTC (permalink / raw)
  To: linux-security-module, Kentaro Takeda, Tetsuo Handa,
	James Morris, Serge E. Hallyn
  Cc: linux-kernel, syzkaller-bugs

[This email was generated by a script.  Let me know if you have any suggestions
to make it better, or if you want it re-generated with the latest status.]

Of the currently open syzbot reports against the upstream kernel, I've manually
marked 2 of them as possibly being bugs in the "security/tomoyo" subsystem. 
I've listed these reports below, sorted by an algorithm that tries to list first
the reports most likely to be still valid, important, and actionable.

If you believe a bug is no longer valid, please close the syzbot report by
sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
original thread, as explained at https://goo.gl/tpsmEJ#status

If you believe I misattributed a bug to the "security/tomoyo" subsystem, please
let me know, and if possible forward the report to the correct people or mailing
list.

Here are the bugs:

--------------------------------------------------------------------------------
Title:              KASAN: use-after-free Read in tomoyo_realpath_from_path
Last occurred:      6 days ago
Reported:           26 days ago
Branches:           Mainline and others
Dashboard link:     https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
Original thread:    https://lkml.kernel.org/lkml/0000000000004f43fa058a97f4d3@google.com/T/#u

This bug has a syzkaller reproducer only.

The original thread for this bug has received 7 replies; the last was 9 days
ago.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com

If you send any email or patch for this bug, please reply to the original
thread, which had activity only 9 days ago.  For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lkml.kernel.org/r/0000000000004f43fa058a97f4d3@google.com

--------------------------------------------------------------------------------
Title:              KASAN: invalid-free in tomoyo_realpath_from_path
Last occurred:      35 days ago
Reported:           34 days ago
Branches:           net-next
Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u

Unfortunately, this bug does not have a reproducer.

The original thread for this bug has received 1 reply, 34 days ago.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+9742b1c6c7aedf18beda@syzkaller.appspotmail.com

If you send any email or patch for this bug, please consider replying to the
original thread.  For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000785e9d0589ec359a@google.com


