All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dmitry Vyukov <dvyukov@google.com>
To: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"nadia.derbey" <Nadia.Derbey@bull.net>,
	aquini <aquini@redhat.com>, davidlohr <davidlohr@hp.com>,
	Joe Perches <joe@perches.com>, manfred <manfred@colorfullife.com>,
	avagin <avagin@openvz.org>, LKML <linux-kernel@vger.kernel.org>,
	Kostya Serebryany <kcc@google.com>,
	Dmitry Chernenkov <dmitryc@google.com>,
	Andrey Konovalov <andreyknvl@google.com>,
	Konstantin Khlebnikov <koct9i@gmail.com>,
	kasan-dev <kasan-dev@googlegroups.com>,
	David Rientjes <rientjes@google.com>,
	Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
	Luiz Capitulino <lcapitulino@redhat.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: Out-of-bounds access in __do_proc_doulongvec_minmax
Date: Wed, 3 Dec 2014 17:27:13 +0400	[thread overview]
Message-ID: <CACT4Y+Z-G2L6LBBSUyp3smDF8a=HNsYdp=ug21dot6DNdMMU4Q@mail.gmail.com> (raw)
In-Reply-To: <547F0486.7020400@samsung.com>

On Wed, Dec 3, 2014 at 3:39 PM, Andrey Ryabinin <a.ryabinin@samsung.com> wrote:
> On 12/03/2014 12:04 PM, Dmitry Vyukov wrote:
>> Hi,
>>
>> I am working on AddressSanitizer, a fast memory error detector for kernel:
>> https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
>>
>> Here is a bug report that I've got while running trinity:
>>
>> ==================================================================
>> BUG: AddressSanitizer: out of bounds access in
>> __do_proc_doulongvec_minmax+0x8a0/0x9a0 at addr ffffffff83980960
>> Read of size 8 by task trinity-c14/6919
>> Out-of-bounds access to the global variable 'zero'
>> [ffffffff83980960-ffffffff83980964) defined at ipc/ipc_sysctl.c:158
>
> This line seems incorrect. Judging from the backtrace below variable 'zero' is
> defined in kernel/sysctl.c:123
>
>
>>
>> CPU: 1 PID: 6919 Comm: trinity-c14 Not tainted 3.18.0-rc1+ #50
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  0000000000000001 ffff8800b68cf418 ffffffff82c2d3ae 0000000000000000
>>  ffff8800b68cf4c0 ffff8800b68cf4a8 ffffffff813eaa81 ffffffff0000000c
>>  ffff88010b003600 ffff8800b68cf479 0000000000000296 0000000000000000
>> Call Trace:
>>  [<ffffffff813ead71>] __asan_report_load8_noabort+0x51/0x70
>> mm/kasan/report.c:248
>>  [<ffffffff810cc3e0>] __do_proc_doulongvec_minmax+0x8a0/0x9a0
>> kernel/sysctl.c:2284
>>  [<     inlined    >] proc_doulongvec_minmax+0x50/0x80
>> do_proc_doulongvec_minmax kernel/sysctl.c:2322
>>  [<ffffffff810cc530>] proc_doulongvec_minmax+0x50/0x80 kernel/sysctl.c:2345
>>  [<ffffffff813c9e5a>] hugetlb_sysctl_handler_common+0x12a/0x3c0
>> mm/hugetlb.c:2270
>>  [<ffffffff813cb45c>] hugetlb_mempolicy_sysctl_handler+0x1c/0x20
>> mm/hugetlb.c:2293
>>  [<ffffffff8153e6e9>] proc_sys_call_handler+0x179/0x1f0
>> fs/proc/proc_sysctl.c:506
>>  [<ffffffff8153e76f>] proc_sys_write+0xf/0x20 fs/proc/proc_sysctl.c:524
>>  [<ffffffff813f1563>] __kernel_write+0x123/0x440 fs/read_write.c:502
>>  [<ffffffff8147ebaa>] write_pipe_buf+0x14a/0x1d0 fs/splice.c:1074
>>  [<     inlined    >] __splice_from_pipe+0x22e/0x6f0
>> splice_from_pipe_feed fs/splice.c:769
>>  [<ffffffff8147dbde>] __splice_from_pipe+0x22e/0x6f0 fs/splice.c:886
>>  [<ffffffff81483211>] splice_from_pipe+0xc1/0x110 fs/splice.c:921
>>  [<ffffffff81483298>] default_file_splice_write+0x18/0x50 fs/splice.c:1086
>>  [<     inlined    >] direct_splice_actor+0x104/0x1c0 do_splice_from
>> fs/splice.c:1128
>>  [<ffffffff8147cfc4>] direct_splice_actor+0x104/0x1c0 fs/splice.c:1284
>>  [<ffffffff8147e5ba>] splice_direct_to_actor+0x24a/0x6f0 fs/splice.c:1237
>>  [<ffffffff81483424>] do_splice_direct+0x154/0x270 fs/splice.c:1327
>>  [<ffffffff813f3bfb>] do_sendfile+0x5fb/0x1260 fs/read_write.c:1266
>>  [<     inlined    >] SyS_sendfile64+0xfa/0x100 SYSC_sendfile64
>> fs/read_write.c:1327
>>  [<ffffffff813f6bea>] SyS_sendfile64+0xfa/0x100 fs/read_write.c:1313
>>  [<ffffffff82c464f9>] ia32_do_call+0x13/0x13 arch/x86/ia32/ia32entry.S:444
>> Memory state around the buggy address:
>>  ffffffff83980680: 04 f8 f8 f8 f8 f8 f8 f8 02 f8 f8 f8 f8 f8 f8 f8
>>  ffffffff83980700: 00 f8 f8 f8 f8 f8 f8 f8 00 f8 f8 f8 f8 f8 f8 f8
>>  ffffffff83980780: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 00 00 00 00
>>  ffffffff83980800: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 04 f8 f8 f8
>>  ffffffff83980880: f8 f8 f8 f8 04 f8 f8 f8 f8 f8 f8 f8 04 f8 f8 f8
>>> ffffffff83980900: f8 f8 f8 f8 04 f8 f8 f8 f8 f8 f8 f8 04 f8 f8 f8
>>                                                        ^
>>  ffffffff83980980: f8 f8 f8 f8 00 00 00 00 f8 f8 f8 f8 00 00 00 00
>>  ffffffff83980a00: 02 f8 f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00
>>  ffffffff83980a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>  ffffffff83980b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>  ffffffff83980b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ==================================================================
>>
>> The core creates ctl_table as:
>>
>> static int zero;
>> static int one = 1;
>> static int int_max = INT_MAX;
>> static struct ctl_table ipc_kern_table[] = {
>> {
>> ...
>>   {
>>     .procname = "shm_rmid_forced",
>>     .data = &init_ipc_ns.shm_rmid_forced,
>>     .maxlen = sizeof(init_ipc_ns.shm_rmid_forced),
>>     .mode = 0644,
>>     .proc_handler = proc_ipc_dointvec_minmax_orphans,
>>     .extra1 = &zero,
>>     .extra2 = &one,
>>   },
>>
>> But later extra1/2 are casted to *unsigned long**:
>>
>> static int __do_proc_doulongvec_minmax(void *data, struct ctl_table
>> *table, int write, ...
>> {
>>   ...
>>   min = (unsigned long *) table->extra1;
>>   max = (unsigned long *) table->extra2;
>>
>> This leads to bogus bounds check for the sysctl value.
>>
>> The bug is added in commit:
>>
>> commit 9eefe520c814f6f62c5d36a2ddcd3fb99dfdb30e
>> Author: Nadia Derbey <Nadia.Derbey@bull.net>
>> Date:   Fri Jul 25 01:48:08 2008 -0700
>>
>> Later zero and one were used in a bunch of other ctl_table's.
>>
>
> I think you are blaming wrong commit. This bug was introduced by
> ed4d4902ebdd7ca8b5a51daaf6bebf4b172895cc ("mm, hugetlb: remove hugetlb_zero and hugetlb_infinity")
>
> We have two options to fix this. Reintroduce back hugetlb_zero or make 'zero' unsigned long instead.
> I would prefer the latter, changing type to 'unsigned long' shouldn't harm any other users of this variable.
>

ipc/ipc_sysctl.c also contains zero, one and int_max variables that
are used in a similar way:

static int zero;
static int one = 1;
static int int_max = INT_MAX;

  parent reply	other threads:[~2014-12-03 13:27 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-03  9:04 Out-of-bounds access in __do_proc_doulongvec_minmax Dmitry Vyukov
2014-12-03 12:39 ` Andrey Ryabinin
2014-12-03 12:41   ` [PATCH] kernel: sysctl: use 'unsigned long' type for 'zero' variable Andrey Ryabinin
2014-12-03 13:04     ` Rafael Aquini
2014-12-03 21:12     ` David Rientjes
2014-12-03 23:25     ` Andrew Morton
2014-12-04  0:19       ` Andrew Morton
2014-12-04 11:35         ` Andrey Ryabinin
2014-12-04  6:12       ` Manfred Spraul
2014-12-05 22:50         ` Andrew Morton
2014-12-13 20:51       ` Manfred Spraul
2014-12-15  6:41         ` Andrey Ryabinin
2014-12-17 14:30         ` [PATCH 1/2] hugetlb, sysctl: pass '.extra1 = NULL' rather then '.extra1 = &zero' Andrey Ryabinin
2014-12-17 14:30           ` Andrey Ryabinin
2014-12-17 14:30           ` [PATCH 2/2] mm: hugetlb: fix type of hugetlb_treat_as_movable variable Andrey Ryabinin
2014-12-17 14:30             ` Andrey Ryabinin
2014-12-18  0:39             ` David Rientjes
2014-12-18  0:39               ` David Rientjes
2014-12-18  0:38           ` [PATCH 1/2] hugetlb, sysctl: pass '.extra1 = NULL' rather then '.extra1 = &zero' David Rientjes
2014-12-18  0:38             ` David Rientjes
2014-12-03 13:27   ` Dmitry Vyukov [this message]
2014-12-03 13:37     ` Out-of-bounds access in __do_proc_doulongvec_minmax Andrey Ryabinin
2014-12-03 13:39       ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACT4Y+Z-G2L6LBBSUyp3smDF8a=HNsYdp=ug21dot6DNdMMU4Q@mail.gmail.com' \
    --to=dvyukov@google.com \
    --cc=Nadia.Derbey@bull.net \
    --cc=a.ryabinin@samsung.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@google.com \
    --cc=aquini@redhat.com \
    --cc=avagin@openvz.org \
    --cc=davidlohr@hp.com \
    --cc=dmitryc@google.com \
    --cc=joe@perches.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=kcc@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=koct9i@gmail.com \
    --cc=lcapitulino@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=manfred@colorfullife.com \
    --cc=n-horiguchi@ah.jp.nec.com \
    --cc=rientjes@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.