* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Dan Carpenter @ 2022-07-04 11:26 UTC (permalink / raw)
  To: Soumya Negi
  Cc: syzbot+9d567e08d3970bfd8271, syzkaller-bugs, Xiaolong Huang,
	stable, netdev


On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> 3f8a27f9e27bd78604c0709224cec0ec85a8b106
> 

> From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> From: Soumya Negi <soumya.negi97@gmail.com>
> Date: Fri, 1 Jul 2022 04:52:17 -0700
> Subject: [PATCH] isdn: capi: Add check for controller count in
>  detach_capi_ctr()
> 
> Fixes Syzbot bug:
> https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> 
> This patch checks whether any ISDN devices are registered before unregistering
> a CAPI controller(device). Without the check, the controller struct capi_str
> results in out-of-bounds access bugs to other CAPI data structures in
> detach_capi_ctr() as seen in the bug report.
> 

This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
ctr->cnr to avoid array index out of bound").

It just needs to be backported.  Unfortunately there was no Fixes tag so
it wasn't picked up.  Also I'm not sure how backports work in netdev.

regards,
dan carpenter



* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Greg KH @ 2022-07-04 11:54 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Soumya Negi, syzbot+9d567e08d3970bfd8271, syzkaller-bugs,
	Xiaolong Huang, stable, netdev

On Mon, Jul 04, 2022 at 02:26:19PM +0300, Dan Carpenter wrote:
> 
> On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> > 3f8a27f9e27bd78604c0709224cec0ec85a8b106
> > 
> 
> > From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> > From: Soumya Negi <soumya.negi97@gmail.com>
> > Date: Fri, 1 Jul 2022 04:52:17 -0700
> > Subject: [PATCH] isdn: capi: Add check for controller count in
> >  detach_capi_ctr()
> > 
> > Fixes Syzbot bug:
> > https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> > 
> > This patch checks whether any ISDN devices are registered before unregistering
> > a CAPI controller(device). Without the check, the controller struct capi_str
> > results in out-of-bounds access bugs to other CAPI data structures in
> > detach_capi_ctr() as seen in the bug report.
> > 
> 
> This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
> ctr->cnr to avoid array index out of bound").
> 
> It just needs to be backported.  Unfortunately there was no Fixes tag so
> it wasn't picked up.  Also I'm not sure how backports work in netdev.

That commit has already been backported quite a while ago and is in the
following releases:
	4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15 5.15


thanks,

greg k-h
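
Added example, not part of the thread: a shell check built on the release list in the reply above, reporting whether an upstream kernel version string already carries the backport of 1f3e2e97c003. The function name `capi_fix_status` and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# First stable release per series carrying the backport of 1f3e2e97c003,
# copied from Greg KH's reply; mainline has the fix from 5.15 onward.
FIXED_RELEASES="4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15"

# capi_fix_status RELEASE: prints "fixed", "missing" or "unknown".
# RELEASE is an upstream-style version string, e.g. the output of `uname -r`.
# Distribution kernels often backport fixes without bumping the upstream
# version, so "missing" means "check the vendor changelog", not "vulnerable".
capi_fix_status() {
    # 5.15 release candidates may predate the fix; the thread only names 5.15.
    case $1 in 5.15-rc*|5.15.0-rc*) echo unknown; return 0 ;; esac

    # Keep the leading dotted number, dropping suffixes such as "-generic".
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    ver=${ver%.}
    case $ver in *.*) ;; *) echo unknown; return 0 ;; esac

    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac

    # Everything from mainline 5.15 onward contains the commit.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 15 ]; }; then
        echo fixed; return 0
    fi

    for f in $FIXED_RELEASES; do
        fpatch=${f##*.}; series=${f%.*}
        if [ "$series" = "$major.$minor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then echo fixed; else echo missing; fi
            return 0
        fi
    done
    echo unknown   # series not in the list (e.g. end-of-life 5.13)
}

# Constructed sample inputs, not taken from the thread.
for r in 5.10.75 5.10.76 4.19.250-amd64 5.13.19 6.1.0-rc3; do
    printf '%-16s %s\n' "$r" "$(capi_fix_status "$r")"
done
```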


* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Soumya Negi @ 2022-07-05  4:04 UTC (permalink / raw)
  To: Greg KH
  Cc: Dan Carpenter, syzbot+9d567e08d3970bfd8271, syzkaller-bugs,
	Xiaolong Huang, stable, netdev

Thanks for letting me know. Is there a way I can check whether an open
syzbot bug already has a fix as in this case? Right now I am thinking
of running the reproducer on linux-next as well before starting on a
bug.

Regards
Soumya


* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Greg KH @ 2022-07-05  4:45 UTC (permalink / raw)
  To: Soumya Negi
  Cc: Dan Carpenter, syzbot+9d567e08d3970bfd8271, syzkaller-bugs,
	Xiaolong Huang, stable, netdev

On Mon, Jul 04, 2022 at 09:04:30PM -0700, Soumya Negi wrote:
> Thanks for letting me know. Is there a way I can check whether an open
> syzbot bug already has a fix as in this case? Right now I am thinking
> of running the reproducer on linux-next as well before starting on a
> bug.

I have no context at all as to what you are referring to here, sorry.


* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Soumya Negi @ 2022-07-05  4:59 UTC (permalink / raw)
  To: Greg KH
  Cc: Dan Carpenter, syzbot+9d567e08d3970bfd8271, syzkaller-bugs,
	Xiaolong Huang, stable, netdev

On Mon, Jul 04, 2022 at 01:54:17PM +0200, Greg KH wrote:
> On Mon, Jul 04, 2022 at 02:26:19PM +0300, Dan Carpenter wrote:
> > 
> > On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> > > 3f8a27f9e27bd78604c0709224cec0ec85a8b106
> > > 
> > 
> > > From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> > > From: Soumya Negi <soumya.negi97@gmail.com>
> > > Date: Fri, 1 Jul 2022 04:52:17 -0700
> > > Subject: [PATCH] isdn: capi: Add check for controller count in
> > >  detach_capi_ctr()
> > > 
> > > Fixes Syzbot bug:
> > > https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> > > 
> > > This patch checks whether any ISDN devices are registered before unregistering
> > > a CAPI controller(device). Without the check, the controller struct capi_str
> > > results in out-of-bounds access bugs to other CAPI data structures in
> > > detach_capi_ctr() as seen in the bug report.
> > > 
> > 
> > This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
> > ctr->cnr to avoid array index out of bound").
> > 
> > It just needs to be backported.  Unfortunately there was no Fixes tag so
> > it wasn't picked up.  Also I'm not sure how backports work in netdev.
> 
> That commit has already been backported quite a while ago and is in the
> following releases:
> 	4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15 5.15
> 

Thanks for letting me know. Is there a way I can check whether an open
syzbot bug already has a fix as in this case? Right now I am thinking
of running the reproducer on linux-next as well before starting on a
bug.

-Soumya


* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: butt3rflyh4ck @ 2022-07-05  5:07 UTC (permalink / raw)
  To: Soumya Negi
  Cc: Greg KH, Dan Carpenter, syzbot+9d567e08d3970bfd8271,
	syzkaller-bugs, stable, Networking

The patch for this issue had been available upstream last year.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d


Regards,
  butt3rflyh4ck.

On Tue, Jul 5, 2022 at 12:59 PM Soumya Negi <soumya.negi97@gmail.com> wrote:
>
> On Mon, Jul 04, 2022 at 01:54:17PM +0200, Greg KH wrote:
> > On Mon, Jul 04, 2022 at 02:26:19PM +0300, Dan Carpenter wrote:
> > >
> > > On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> > > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> > > > 3f8a27f9e27bd78604c0709224cec0ec85a8b106
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAHH-VXdqp0ZGKyJWE76zdyKwhv104JRA8ujUY5NoYO47HC9XWQ%40mail.gmail.com.
> > >
> > > > From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> > > > From: Soumya Negi <soumya.negi97@gmail.com>
> > > > Date: Fri, 1 Jul 2022 04:52:17 -0700
> > > > Subject: [PATCH] isdn: capi: Add check for controller count in
> > > >  detach_capi_ctr()
> > > >
> > > > Fixes Syzbot bug:
> > > > https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> > > >
> > > > This patch checks whether any ISDN devices are registered before unregistering
> > > > a CAPI controller(device). Without the check, the controller struct capi_str
> > > > > results in out-of-bounds access bugs to other CAPI data structures in
> > > > > detach_capi_ctr() as seen in the bug report.
> > > >
> > >
> > > This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
> > > ctr->cnr to avoid array index out of bound").
> > >
> > > It just needs to be backported.  Unfortunately there was no Fixes tag so
> > > it wasn't picked up.  Also I'm not sure how backports work in netdev.
> >
> > That commit has already been backported quite a while ago and is in the
> > following releases:
> >       4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15 5.15
> >
>
> Thanks for letting me know. Is there a way I can check whether an open
> syzbot bug already has a fix as in this case? Right now I am thinking
> of running the reproducer on linux-next as well before starting on a
> bug.
>
> -Soumya



-- 
Active Defense Lab of Venustech


* Re: Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr
From: Greg KH @ 2022-07-05  5:18 UTC (permalink / raw)
  To: Soumya Negi
  Cc: Dan Carpenter, syzbot+9d567e08d3970bfd8271, syzkaller-bugs,
	Xiaolong Huang, stable, netdev

On Mon, Jul 04, 2022 at 09:59:38PM -0700, Soumya Negi wrote:
> On Mon, Jul 04, 2022 at 01:54:17PM +0200, Greg KH wrote:
> > On Mon, Jul 04, 2022 at 02:26:19PM +0300, Dan Carpenter wrote:
> > > 
> > > On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> > > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> > > > 3f8a27f9e27bd78604c0709224cec0ec85a8b106
> > > > 
> > > > -- 
> > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAHH-VXdqp0ZGKyJWE76zdyKwhv104JRA8ujUY5NoYO47HC9XWQ%40mail.gmail.com.
> > > 
> > > > From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> > > > From: Soumya Negi <soumya.negi97@gmail.com>
> > > > Date: Fri, 1 Jul 2022 04:52:17 -0700
> > > > Subject: [PATCH] isdn: capi: Add check for controller count in
> > > >  detach_capi_ctr()
> > > > 
> > > > Fixes Syzbot bug:
> > > > https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
> > > > 
> > > > This patch checks whether any ISDN devices are registered before unregistering
> > > > a CAPI controller(device). Without the check, the controller struct capi_str
> > > > > results in out-of-bounds access bugs to other CAPI data structures in
> > > > > detach_capi_ctr() as seen in the bug report.
> > > > 
> > > 
> > > This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
> > > ctr->cnr to avoid array index out of bound").
> > > 
> > > It just needs to be backported.  Unfortunately there was no Fixes tag so
> > > it wasn't picked up.  Also I'm not sure how backports work in netdev.
> > 
> > That commit has already been backported quite a while ago and is in the
> > following releases:
> > 	4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15 5.15
> > 
> 
> Thanks for letting me know. Is there a way I can check whether an open
> syzbot bug already has a fix as in this case? Right now I am thinking
> of running the reproducer on linux-next as well before starting on a
> bug.

Always run the reproducer first if for no other reason than to be able
to test if you do fix a problem or not.  You can also always have syzbot
run it too, use the email interface to it for that.

good luck!

greg k-h
