Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp3765875imm; Mon, 2 Jul 2018 05:18:36 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIpTHv6R3if5CKLjVcUX0yM8c3OReJFGgVUWYZXEWyOvNfsx5DoWUyAUYO5viNV7wPqoyBg X-Received: by 2002:a65:614e:: with SMTP id o14-v6mr21910106pgv.308.1530533916106; Mon, 02 Jul 2018 05:18:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530533916; cv=none; d=google.com; s=arc-20160816; b=oCvxsPstop2JIREFU+qSqp4sSt5TpTke6NS6aru9apcux3FYQwOH8/SHcJR+eewx45 IGOFYzJ7Xvg9hADhpwHacGUCniGTfImmwZrZFEtbgtqcFh2aI0vYqgbkGkbbCE6ax6rb wMTa/V+aVZLsRYMPx80zW4xDJVaLjj3D1I1tIeNdf3gIX+AnQU9TLAfD66JNTa/S1hHd Sq14lRCVEi0CXimsLm6WsQFUre/sHKGt6rButhsmiY2YxS9UgJJERGBTLTLTVdl55E+8 2pf3+Dbj6Ha4D8CrvGl5J0pBYEGrch33gPKIGOTX72/fIiZLxJYPFjtBOUdRlWRG97pk aexg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=9FDy9G8n7aEyIin1ViIujVMnL0sRlxi6z8dIak+H1J4=; b=BEao1zwBog3WcyzbvW6C2zf/ePvFnu8m4mT18PQSCloZjV7CmLISVqcuo88gIJcJ0I Sw0aFsXOgCJhWuf25muLQrKT1WpIYUqpmHemw3OCJPAWE1hV5AAtAVHiVS6Y51StIP47 lnPk5K4sPI+Gn7zZwQXM55h918Us/ZNp4EFv7NHRnlyofdME+KAx6DZWVUlF+bjOmgbI trkuBfZrd1n+R+AF2JMor98INYCkSRP8STCwVJZ+W88gO82oD1om9+7/r6fOrALpV22Y 0zcXZYuiRzEljEccUDQ9aaJYjbJsn/4Heb0dKU/ulmG6dOqyuTQBLVVvG9la/u1okIQC w3Qg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lVfLp8Ll; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o26-v6si14398824pge.307.2018.07.02.05.18.21; Mon, 02 Jul 2018 05:18:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lVfLp8Ll; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752702AbeGBMQM (ORCPT + 99 others); Mon, 2 Jul 2018 08:16:12 -0400 Received: from mail-pg0-f65.google.com ([74.125.83.65]:40726 "EHLO mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752613AbeGBMQB (ORCPT ); Mon, 2 Jul 2018 08:16:01 -0400 Received: by mail-pg0-f65.google.com with SMTP id x5-v6so208887pgp.7 for ; Mon, 02 Jul 2018 05:16:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9FDy9G8n7aEyIin1ViIujVMnL0sRlxi6z8dIak+H1J4=; b=lVfLp8LlSoebZrlOkHZuw0Vl/yAV7ApIlEfxEz/Nxa/W8i3PoGdb2WKIWmhbbibWD9 2Z2jArYaVYxSfF9nmSsQ1+2O0Rn54qoYA9THTVdPckAnet6KVNaMBoN7YfK/HYcLtDVs DUclRRsvlPfbmR6WlM1lDybidyDRsM9ygXN3g/7sEcPx9k7+yykBbHpbMltamYLcFprg lQoTGXwU7p7Ua9Ta2qam68ArHxHSuYPXEIHgPjZ7nOlPGiEqxpful8T1BXMtWzDtjj6V cbyNykeyOkrSn7xibuZxdbuJRFd1IQIeZx/m0MFG3HBbg9UOTpoircHRm7e28H6/1q9t gK6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9FDy9G8n7aEyIin1ViIujVMnL0sRlxi6z8dIak+H1J4=; b=Bc7Y53gsU7YVonoa7PX686qdq1wmXOKva7Yp+crs0/8uRhDt4uQf9OZGijjIpH9jnb CXVo9f0XTq65GKSMrVvJ+BZLm3TFY4cekhacDUP20ooszJeFj5KmvjyKRl01PpCqSh/i 5LlC/l7WDBwscEcxFOCbX1NFT9LEkwi2a6TeQf7sxspXQ2NpRtw1mQfbZNibXWWC7Qhc Dv337tA/PqX5IED2Sx/INREBn0EMhAKkB9tT5WyCiLtJ8DJKjdQx288B0KhNi+FA6Bmi WknfUFxBnrvORVB/Ol1FZx7XTkmclyHvBBxtOyTEvfVUmxNyuqUhseK/NEhOoeiYCGGb rseg== X-Gm-Message-State: APt69E1JpslAf7Bn8j+kEZMY3EtWQMlDA1loKn9dHzkQowZPrmYfSSo5 vFXnNXlGvU2/WIE5+Ut/ZVCi+VYv4UL4kkBgejexwpXvOEA= X-Received: by 2002:a62:b612:: with SMTP id j18-v6mr25245868pff.199.1530533760229; Mon, 02 Jul 2018 05:16:00 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a17:90a:de2:0:0:0:0 with HTTP; Mon, 2 Jul 2018 05:15:39 -0700 (PDT) In-Reply-To: References: <38c5a8ad-c192-74b9-b2ff-9eb2a3386930@gmail.com> <1530493827.2749.8.camel@themaw.net> <1530495726.2749.13.camel@themaw.net> <1bbf3634-6c2a-f40e-a9d3-9d6ffc9a0562@gmail.com> <1530526820.9527.4.camel@themaw.net> From: Dmitry Vyukov Date: Mon, 2 Jul 2018 14:15:39 +0200 Message-ID: Subject: Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel To: tomas Cc: Ian Kent , LKML , syzkaller , autofs@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 2, 2018 at 1:55 PM, tomas wrote: > Yes, thanks. Please use my full name, Tomas Bortoli. Please also include: Reported-by: syzbot+60c837b428dc84e83a93@syzkaller.appspotmail.com from the original bug report. This this help to keep automatic testing process running. Thanks > > On 07/02/2018 12:20 PM, Ian Kent wrote: >> On Mon, 2018-07-02 at 10:31 +0200, tomas wrote: >>> Hi Ian, >>> >>> you are welcome! >>> >>> yes your patch is much better. You should just put the "_IOC_NR" macro >>> around "cmd" in the lines added to "validate_dev_ioctl" to make it work. >> LOL, yes, that was a dumb mistake. >> >> I'll send it to Andrew Morton, after some fairly simple sanity testing, >> with both our Signed-off-by added. >> >>> Tomas >>> >>> >>> On 07/02/2018 03:42 AM, Ian Kent wrote: >>>> On Mon, 2018-07-02 at 09:10 +0800, Ian Kent wrote: >>>>> On Mon, 2018-07-02 at 00:04 +0200, tomas wrote: >>>>>> Hi, >>>>>> >>>>>> I've looked into this issue found by Syzbot and I made a patch: >>>>>> >>>>>> https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425 >>>>>> b116 >>>>>> 3 >>>>> Umm ... oops! >>>>> >>>>> Thanks for looking into this Tomas. >>>>> >>>>>> The autofs subsystem does not check that the "path" parameter is present >>>>>> within the "param" struct passed by the userspace in case the >>>>>> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a >>>>>> path is always provided (though a path is not always present, as per how >>>>>> the struct is defined: >>>>>> https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_de >>>>>> v-io >>>>>> ct >>>>>> l.h#L89). >>>>>> Skipping the check provokes an oob read in "strlen", called by >>>>>> "getname_kernel", in turn called by the autofs to assess the length of >>>>>> the non-existing path. >>>>>> >>>>>> To solve it, modify the "validate_dev_ioctl" function to check also that >>>>>> a path has been provided if the command is >>>>>> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD. >>>>>> >>>>>> >>>>>> --- b/fs/autofs/dev-ioctl.c 2018-07-01 23:10:16.059728621 +0200around >>>>>> +++ a/fs/autofs/dev-ioctl.c 2018-07-01 23:10:24.311792133 +0200 >>>>>> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s >>>>>> goto out; >>>>>> } >>>>>> } >>>>>> + /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */ >>>>>> + else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD) >>>>>> + return -EINVAL; >>>>> My preference is to put the comment inside the else but ... >>>>> >>>>> There's another question, should the check be done in >>>>> autofs_dev_ioctl_openmount() in the same way it's checked in other >>>>> ioctls that need a path, such as in autofs_dev_ioctl_requester() >>>>> and autofs_dev_ioctl_ismountpoint()? >>>>> >>>>> For consistency I'd say it should. >>>>> >>>>>> >>>>>> err = 0;You should just put the "_IOC_NR" directive around "cmd" in >>>>>> the lines added to "validate_dev_ioctl" to make it work. >>>>>> out: >>>>>> >>>>>> >>>>>> Tested and solves the issue on Linus' main git tree. >>>>>> >>>>>> >>>> Or perhaps this (not even compile tested) patch would be better? >>>> >>>> autofs - fix slab out of bounds read in getname_kernel() >>>> >>>> From: Ian Kent >>>> >>>> The autofs subsystem does not check that the "path" parameter is >>>> present for all cases where it is required when it is passed in >>>> via the "param" struct. >>>> >>>> In particular it isn't checked for the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD >>>> ioctl command. >>>> >>>> To solve it, modify validate_dev_ioctl() function to check that a >>>> path has been provided for ioctl commands that require it. >>>> --- >>>> fs/autofs/dev-ioctl.c | 15 +++++++-------- >>>> 1 file changed, 7 insertions(+), 8 deletions(-) >>>> >>>> diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c >>>> index ea4ca1445ab7..61c63715c3fb 100644 >>>> --- a/fs/autofs/dev-ioctl.c >>>> +++ b/fs/autofs/dev-ioctl.c >>>> @@ -135,6 +135,11 @@ static int validate_dev_ioctl(int cmd, struct >>>> autofs_dev_ioctl *param) >>>> cmd); >>>> goto out; >>>> } >>>> + } else if (cmd == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD || >>>> + cmd == AUTOFS_DEV_IOCTL_REQUESTER_CMD || >>>> + cmd == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) { >>>> + err = -EINVAL; >>>> + goto out; >>>> } >>>> >>>> err = 0; >>>> @@ -433,10 +438,7 @@ static int autofs_dev_ioctl_requester(struct file *fp, >>>> dev_t devid; >>>> int err = -ENOENT; >>>> >>>> - if (param->size <= AUTOFS_DEV_IOCTL_SIZE) { >>>> - err = -EINVAL; >>>> - goto out; >>>> - } >>>> + /* param->path has already been checked */ >>>> >>>> devid = sbi->sb->s_dev; >>>> >>>> @@ -521,10 +523,7 @@ static int autofs_dev_ioctl_ismountpoint(struct file >>>> *fp, >>>> unsigned int devid, magic; >>>> int err = -ENOENT; >>>> >>>> - if (param->size <= AUTOFS_DEV_IOCTL_SIZE) { >>>> - err = -EINVAL; >>>> - goto out; >>>> - } >>>> + /* param->path has already been checked */ >>>> >>>> name = param->path; >>>> type = param->ismountpoint.in.type; >>> > > -- > You received this message because you are subscribed to the Google Groups "syzkaller" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@googlegroups.com. > For more options, visit https://groups.google.com/d/optout.