KASAN: slab-out-of-bounds Read in vsscanf

Casey Schaufler casey at schaufler-ca.com
Fri Mar 27 16:16:29 UTC 2020


On 3/27/2020 1:27 AM, Hillf Danton wrote:
> On Thu, 26 Mar 2020 18:20:14 -0700
>> syzbot found the following crash on:
>>
>> HEAD commit:    1b649e0b Merge git://git.kernel.org/pub/scm/linux/kernel/g..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11044405e00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
>> dashboard link: https://syzkaller.appspot.com/bug?extid=bfdd4a2f07be52351350
>> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13819303e00000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13eaed4be00000
>>
>> Bisection is inconclusive: the bug happens on the oldest tested release.
>>
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=150e6ac5e00000
>> final crash:    https://syzkaller.appspot.com/x/report.txt?x=170e6ac5e00000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=130e6ac5e00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+bfdd4a2f07be52351350 at syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
>> Read of size 1 at addr ffff888093622f42 by task syz-executor055/7117
>>
>> CPU: 1 PID: 7117 Comm: syz-executor055 Not tainted 5.6.0-rc7-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>>  print_address_description+0x74/0x5c0 mm/kasan/report.c:374
>>  __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
>>  kasan_report+0x25/0x50 mm/kasan/common.c:641
>>  vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
>>  sscanf+0x6c/0x90 lib/vsprintf.c:3481
>>  smk_set_cipso+0x1ac/0x6a0 security/smack/smackfs.c:881
>>  __vfs_write+0xa7/0x710 fs/read_write.c:494
>>  vfs_write+0x271/0x570 fs/read_write.c:558
>>  ksys_write+0x115/0x220 fs/read_write.c:611
>>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x4401b9
>> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
>> RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
>> RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003
>> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
>> R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40
>> R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
>>
>> Allocated by task 7117:
>>  save_stack mm/kasan/common.c:72 [inline]
>>  set_track mm/kasan/common.c:80 [inline]
>>  __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
>>  __do_kmalloc mm/slab.c:3656 [inline]
>>  __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671
>>  memdup_user_nul+0x26/0xf0 mm/util.c:259
>>  smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859
>>  __vfs_write+0xa7/0x710 fs/read_write.c:494
>>  vfs_write+0x271/0x570 fs/read_write.c:558
>>  ksys_write+0x115/0x220 fs/read_write.c:611
>>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 1:
>>  save_stack mm/kasan/common.c:72 [inline]
>>  set_track mm/kasan/common.c:80 [inline]
>>  kasan_set_free_info mm/kasan/common.c:337 [inline]
>>  __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
>>  __cache_free mm/slab.c:3426 [inline]
>>  kfree+0x10a/0x220 mm/slab.c:3757
>>  tomoyo_path_perm+0x59b/0x740 security/tomoyo/file.c:842
>>  security_inode_getattr+0xc0/0x140 security/security.c:1254
>>  vfs_getattr+0x27/0x6e0 fs/stat.c:117
>>  vfs_statx fs/stat.c:201 [inline]
>>  vfs_lstat include/linux/fs.h:3277 [inline]
>>  __do_sys_newlstat fs/stat.c:364 [inline]
>>  __se_sys_newlstat+0x85/0x140 fs/stat.c:358
>>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> The buggy address belongs to the object at ffff888093622f40
>>  which belongs to the cache kmalloc-32 of size 32
>> The buggy address is located 2 bytes inside of
>>  32-byte region [ffff888093622f40, ffff888093622f60)
>> The buggy address belongs to the page:
>> page:ffffea00024d8880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888093622fc1
>> flags: 0xfffe0000000200(slab)
>> raw: 00fffe0000000200 ffffea000271b988 ffffea00028ae488 ffff8880aa4001c0
>> raw: ffff888093622fc1 ffff888093622000 0000000100000039 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff888093622e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>>  ffff888093622e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>>> ffff888093622f00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
>>                                            ^
>>  ffff888093622f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff888093623000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ==================================================================
>
> Add barrier to soob.
>
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -878,11 +878,21 @@ static ssize_t smk_set_cipso(struct file
>  	else
>  		rule += strlen(skp->smk_known) + 1;
>  
> +	if (rule > data + count) {
> +		rc = -EOVERFLOW;
> +		goto out;
> +	}
> +
>  	ret = sscanf(rule, "%d", &maplevel);
>  	if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
>  		goto out;
>  
>  	rule += SMK_DIGITLEN;
> +	if (rule > data + count) {
> +		rc = -EOVERFLOW;
> +		goto out;
> +	}
> +
>  	ret = sscanf(rule, "%d", &catlen);
>  	if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
>  		goto out;

Thank you.



More information about the Linux-security-module-archive mailing list