From: Andrey Konovalov <andreyknvl@google.com>
To: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: net/key: slab-out-of-bounds in pfkey_compile_policy
Date: Tue, 2 May 2017 18:45:03 +0200 [thread overview]
Message-ID: <CAAeHK+xqxvEWMXS9sDNi2seUqFzJkijKJhivB8JDehpCJvBAaw@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3773 bytes --]
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit d3b5d35290d729a2518af00feca867385a1b08fa (4.11).
A reproducer and .config are attached.
==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 at
addr ffff88006701f798
Read of size 1280 by task a.out/4181
CPU: 0 PID: 4181 Comm: a.out Not tainted 4.11.0+ #306
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
print_address_description mm/kasan/report.c:202
kasan_report_error mm/kasan/report.c:291
kasan_report+0x252/0x510 mm/kasan/report.c:347
check_memory_region_inline mm/kasan/kasan.c:326
check_memory_region+0x139/0x190 mm/kasan/kasan.c:333
memcpy+0x23/0x50 mm/kasan/kasan.c:368
pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474
pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3294
xfrm_user_policy+0x349/0x560 net/xfrm/xfrm_state.c:1892
do_ip_setsockopt.isra.12+0x1d05/0x38c0 net/ipv4/ip_sockglue.c:1175
ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1264
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2732
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2750
SYSC_setsockopt net/socket.c:1798
SyS_setsockopt+0x270/0x3a0 net/socket.c:1777
entry_SYSCALL_64_fastpath+0x1f/0xbe arch/x86/entry/entry_64.S:204
RIP: 0033:0x7f13a0968b79
RSP: 002b:00007fff131bc3f8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fff131bc550 RCX: 00007f13a0968b79
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000004004e0 R08: 00000000000000c2 R09: 0000000000000000
R10: 0000000020a2ff3e R11: 0000000000000206 R12: 0000000000000000
R13: 00007fff131bc550 R14: 0000000000000000 R15: 0000000000000000
Object at ffff88006701f780, in cache kmalloc-256 size: 256
Allocated:
PID = 4181
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
__kmalloc+0xa0/0x2d0 mm/slub.c:3745
kmalloc ./include/linux/slab.h:495
xfrm_user_policy+0xd8/0x560 net/xfrm/xfrm_state.c:1881
do_ip_setsockopt.isra.12+0x1d05/0x38c0 net/ipv4/ip_sockglue.c:1175
ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1264
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2732
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2750
SYSC_setsockopt net/socket.c:1798
SyS_setsockopt+0x270/0x3a0 net/socket.c:1777
entry_SYSCALL_64_fastpath+0x1f/0xbe arch/x86/entry/entry_64.S:204
Freed:
PID = 3951
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
slab_free_hook mm/slub.c:1357
slab_free_freelist_hook mm/slub.c:1379
slab_free mm/slub.c:2961
kfree+0xe8/0x2b0 mm/slub.c:3882
free_bprm+0x19d/0x200 fs/exec.c:1382
do_execveat_common.isra.34+0x19ad/0x2220 fs/exec.c:1778
do_execve fs/exec.c:1813
SYSC_execve fs/exec.c:1894
SyS_execve+0x39/0x50 fs/exec.c:1889
do_syscall_64+0x2c7/0x7a0 arch/x86/entry/common.c:281
return_from_SYSCALL_64+0x0/0x7a arch/x86/entry/entry_64.S:246
Memory state around the buggy address:
ffff88006701f700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88006701f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88006701f800: 00 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc
^
ffff88006701f880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88006701f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[-- Attachment #2: pfkey_compile_policy-oob-poc.c --]
[-- Type: text/x-csrc, Size: 2812 bytes --]
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#define _GNU_SOURCE
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <linux/tcp.h>
#include <net/if_arp.h>
#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
uintptr_t a2, uintptr_t a3,
uintptr_t a4, uintptr_t a5,
uintptr_t a6, uintptr_t a7,
uintptr_t a8)
{
switch (nr) {
default:
return syscall(nr, a0, a1, a2, a3, a4, a5);
}
}
long r[4];
void main()
{
memset(r, -1, sizeof(r));
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xeed000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul, 0, 0, 0, 0,
0, 0);
(memcpy(
(void*)0x20a2ff3e,
"\x02\x00\x00\x00\x02\x00\x01\x00\x00\x00\xbe\x8c\x5e\xe1\x8c\x88"
"\xa1\x00\x01\x00\x00\x00\x00\x05\x01\xda\xfd\x02\xa3\x8a\x3c\xdc"
"\xf7\xb9\x33\xd8\x98\x05\x55\xf7\x48\x52\xbb\x6a\x88\x07\x56\x7f"
"\x59\xdb\xa6\x7e\x21\x47\xb3\x55\x04\x00\x6f\xcd\x67\x01\xe2\x01"
"\x00\x67\x2f\x21\x63\xe0\x20\x9c\xee\x4a\x5a\xcb\x3d\xa4\x83\xf0"
"\xa4\xcf\x97\xe1\x70\xb6\xc8\x8e\xbb\xff\x06\x01\x00\x00\x00\x01"
"\x00\x00\x00\xb1\x21\xec\x14\x74\xd7\x10\xf5\x42\x50\x6b\x00\xec"
"\x00\x8b\xc5\xcf\xb7\xb3\xe7\xec\x08\xe8\x7c\xcc\xff\xf6\xba\x00"
"\x00\x00\x02\x4f\x02\x98\xe9\xe9\xf5\x54\x06\xaa\x10\xdd\xfd\xff"
"\x03\x6a\x00\x00\x00\x00\xd7\x91\xa2\xff\xe3\xc5\x73\x2c\x1a\xdb"
"\x8a\xfc\x5b\xd8\xc2\xd1\x7f\xde\xa2\x1b\x54\x10\x68\x39\x3d\x22"
"\xb5\xaf\xfa\x00\x04\x1a\xd0\xd2\xc0\x3e\xef\x67\x95\xde\x42\xe3"
"\x84\x9b",
194));
r[3] = execute_syscall(__NR_setsockopt, r[1], 0x0ul, 0x10ul,
0x20a2ff3eul, 0xc2ul, 0, 0, 0, 0);
}
next reply other threads:[~2017-05-02 16:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-02 16:45 Andrey Konovalov [this message]
2017-05-02 16:46 ` net/key: slab-out-of-bounds in pfkey_compile_policy Andrey Konovalov
2017-05-02 16:47 ` Andrey Konovalov
2017-05-05 9:11 ` Steffen Klassert
2017-05-05 12:18 ` Andrey Konovalov
2017-05-08 11:49 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAeHK+xqxvEWMXS9sDNi2seUqFzJkijKJhivB8JDehpCJvBAaw@mail.gmail.com \
--to=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.