ALT Linux kernel packages development
* [d-kernel] [PATCH all] kiosk: fix incorrect KIOSK_MAX_ATTR value
@ 2024-04-15 16:28 kovalev
  2024-04-15 20:11 ` Vitaly Chikunov
  0 siblings, 1 reply; 2+ messages in thread
From: kovalev @ 2024-04-15 16:28 UTC (permalink / raw)
  To: devel-kernel

From: Vasiliy Kovalev <kovalev@altlinux.org>

The KIOSK_MAX_ATTR value should correspond to the index of the last
available member of the structure, not their total number.

Found by Syzkaller:

[   52.512896] ===================================================
[   52.512907] BUG: KASAN: global-out-of-bounds in
		__nla_validate_parse+0x2317/0x2560
[   52.512921] Read of size 1 at addr ffffffff85205b90 by task
		global_out_boun/3776

[   52.512932] CPU: 0 PID: 3776 Comm: global_out_boun Not tainted
		6.1.81-std-def-alt1.kasan #1
[   52.512940] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
		BIOS 1.16.0-alt1 04/01/2014
[   52.512945] Call Trace:
[   52.512951]  <TASK>
[   52.512954]  dump_stack_lvl+0x14f/0x1be
[   52.512969]  print_report+0x171/0x47b
[   52.512980]  ? __virt_addr_valid+0x60/0x560
[   52.512992]  ? __nla_validate_parse+0x2317/0x2560
[   52.512999]  kasan_report+0xbb/0x160
[   52.513011]  ? __nla_validate_parse+0x2317/0x2560
[   52.513020]  __nla_validate_parse+0x2317/0x2560
[   52.513031]  ? nla_get_range_signed+0x520/0x520
[   52.513040]  __nla_parse+0x3e/0x50
[   52.513048]  genl_family_rcv_msg_attrs_parse.constprop.0+0x1b5/0x290
[   52.513061]  genl_family_rcv_msg_doit+0xdf/0x330
[   52.513070]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[   52.513078]  ? mutex_lock_io_nested+0x1650/0x1650
[   52.513088]  ? __lock_acquire+0x15c1/0x5530
[   52.513098]  ? cap_capable+0x1dc/0x270
[   52.513106]  ? safesetid_security_capable+0xe3/0x170
[   52.513116]  ? bpf_lsm_capable+0xa/0x20
[   52.513125]  ? security_capable+0x9a/0xd0
[   52.513132]  ? ns_capable+0xe7/0x110
[   52.513140]  genl_rcv_msg+0x446/0x780
[   52.513148]  ? genl_start+0x670/0x670
[   52.513155]  ? kiosk_nl_send_msg.constprop.0+0x2f0/0x2f0
[   52.513163]  ? lock_release+0x7a0/0x7a0
[   52.513170]  ? netlink_deliver_tap+0x10d/0xcd0
[   52.513178]  netlink_rcv_skb+0x14d/0x440
[   52.513185]  ? genl_start+0x670/0x670
[   52.513193]  ? netlink_ack+0x1340/0x1340
[   52.513205]  ? netlink_deliver_tap+0x1a6/0xcd0
[   52.513215]  genl_rcv+0x29/0x40
[   52.513221]  netlink_unicast+0x550/0x810
[   52.513241]  ? netlink_attachskb+0x8a0/0x8a0
[   52.513248]  ? __check_object_size+0x2f8/0x650
[   52.513258]  netlink_sendmsg+0x924/0xe20
[   52.513266]  ? netlink_unicast+0x810/0x810
[   52.513274]  ? bpf_lsm_socket_sendmsg+0xa/0x20
[   52.513282]  ? netlink_unicast+0x810/0x810
[   52.513289]  __sock_sendmsg+0x157/0x190
[   52.513300]  ____sys_sendmsg+0x75f/0x950
[   52.513307]  ? copy_msghdr_from_user+0x101/0x160
[   52.513314]  ? kernel_sendmsg+0x50/0x50
[   52.513323]  ? lock_chain_count+0x20/0x20
[   52.513330]  ? lock_acquire+0x1fb/0x580
[   52.513338]  ___sys_sendmsg+0x115/0x1b0
[   52.513344]  ? __ia32_sys_recvmmsg+0x270/0x270
[   52.513352]  ? __lock_acquire+0x15c1/0x5530
[   52.513363]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   52.513372]  ? __fget_light+0x217/0x280
[   52.513381]  __sys_sendmsg+0xf8/0x1d0
[   52.513387]  ? __sys_sendmsg_sock+0x40/0x40
[   52.513393]  ? lock_downgrade+0x820/0x820
[   52.513403]  ? syscall_enter_from_user_mode+0x21/0x90
[   52.513411]  ? lockdep_hardirqs_on_prepare+0x239/0x410
[   52.513421]  ? trace_hardirqs_on+0x2d/0x110
[   52.513423]  do_syscall_64+0x59/0x90
[   52.513423]  ? __ct_user_enter+0xe1/0x160
[   52.513423]  ? exc_page_fault+0x109/0x1f0
[   52.513423]  entry_SYSCALL_64_after_hwframe+0x64/0xce
[   52.513423] RIP: 0033:0x7fdbe798ad49
[   52.513423] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89
		f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
		08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7
		d8 64 89 01 48
[   52.513423] RSP: 002b:00007ffef36c9aa8 EFLAGS: 00000292
		ORIG_RAX:000000000000002e
[   52.513423] RAX: ffffffffffffffda RBX: 00000000200007d6 RCX: 00007fdbe798ad49
[   52.513423] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
[   52.513423] RBP: 00007ffef36c9ad0 R08: 00007ffef36c9aa7 R09: 0000000000000000
[   52.513423] R10: 0000000000000000 R11: 0000000000000292 R12: 000055a5c5352060
[   52.513423] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   52.513423]  </TASK>

[   52.513423] The buggy address belongs to the variable:
[   52.513423]  kiosk_policy+0x30/0x60

[   52.513423] The buggy address belongs to the physical page:
[   52.513423] page:000000009fbf94f1 refcount:1 mapcount:0
		mapping:0000000000000000 index:0x0 pfn:0x5205
[   52.513423] flags: 0x1fffff80001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
[   52.513423] raw: 001fffff80001000 ffffea0000148148 ffffea0000148148
		0000000000000000
[   52.513423] raw: 0000000000000000 0000000000000000 00000001ffffffff
		0000000000000000
[   52.513423] page dumped because: kasan: bad access detected

[   52.513423] Memory state around the buggy address:
[   52.513423]  ffffffff85205a80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
[   52.513423]  ffffffff85205b00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
[   52.513423] >ffffffff85205b80: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
[   52.513423]                          ^
[   52.513423]  ffffffff85205c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   52.513423]  ffffffff85205c80: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
[   52.513423] ==================================================================

Fixes: 35d97fb708d5 ("kiosk: Implement kiosk module")
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 security/kiosk/kiosk_lsm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c
index cf7a7df6599582..ffd0ca3a8867d6 100644
--- a/security/kiosk/kiosk_lsm.c
+++ b/security/kiosk/kiosk_lsm.c
@@ -62,10 +62,11 @@ enum kiosk_attrs {
 	KIOSK_NOATTR = 0,
 	KIOSK_ACTION,
 	KIOSK_DATA,
-	KIOSK_MAX_ATTR,
+	__KIOSK_MAX_ATTR,
+	KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,
 };
 
-static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR] = {
+static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR + 1] = {
 	[KIOSK_ACTION] = {
 		.type = NLA_S16,
 	},
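Review bot: the hunk resizes kiosk_policy to KIOSK_MAX_ATTR + 1 entries but does not show the genl_family that consumes the table; since the generic netlink parser validates every attribute type up to .maxattr inclusive against policy[type], please confirm the family's .maxattr is KIOSK_MAX_ATTR (now 2, the last index) and not __KIOSK_MAX_ATTR, otherwise the parser steps past the table again exactly as the report's read at kiosk_policy+0x30 shows. With .maxattr at 2 the new sizing follows the usual `[MAX + 1]` array convention and the three slots (NOATTR, ACTION, DATA) cover the whole validated range.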
-- 
2.33.8



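The off-by-one the commit message describes, as an added example that is not part of the patch or of the kiosk module's code: the attribute enum before and after the fix, a constructed stand-in for the policy table, and a bounds-checked model of the parser's lookup (validate_attr, a name assumed here) that reports which attribute type would run past the old array instead of reading it.

```c
#include <stddef.h>
#include <stdio.h>

/* Attribute enum before the fix: the MAX value is the member count (3). */
enum kiosk_attrs_old { OLD_NOATTR = 0, OLD_ACTION, OLD_DATA, OLD_MAX_ATTR };
/* After the fix: private sentinel, KIOSK_MAX_ATTR is the last index (2). */
enum kiosk_attrs {
	KIOSK_NOATTR = 0,
	KIOSK_ACTION,
	KIOSK_DATA,
	__KIOSK_MAX_ATTR,
	KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,
};
/* Constructed stand-in for struct nla_policy; only the type field is modelled. */
struct policy { unsigned char type; };
enum { T_S16 = 1, T_BINARY = 2 };
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Sized the old way (by count) and the fixed way (max index + 1): 3 slots each. */
static const struct policy policy_old[OLD_MAX_ATTR] = {
	[OLD_ACTION] = { T_S16 }, [OLD_DATA] = { T_BINARY },
};
static const struct policy policy_new[KIOSK_MAX_ATTR + 1] = {
	[KIOSK_ACTION] = { T_S16 }, [KIOSK_DATA] = { T_BINARY },
};
/*
 * Model of the parser's contract: a type <= maxattr is checked against
 * policy[type], so the array must hold maxattr + 1 entries. Returns the policy
 * type; -1 if type > maxattr (attribute ignored); -2 where the real parser
 * would read past the array (the global-out-of-bounds in the KASAN report).
 */
static int validate_attr(const struct policy *pol, size_t pol_len,
			 unsigned int maxattr, unsigned int type)
{
	if (type > maxattr)
		return -1;
	if (type >= pol_len)
		return -2;
	return pol[type].type;
}
/* The family's .maxattr is the enum's MAX value in both layouts. */
static int validate_old(unsigned int type)
{ return validate_attr(policy_old, ARRAY_SIZE(policy_old), OLD_MAX_ATTR, type); }
static int validate_new(unsigned int type)
{ return validate_attr(policy_new, ARRAY_SIZE(policy_new), KIOSK_MAX_ATTR, type); }

int main(void)
{	/* Type 3 == old MAX passes the bound check but has no policy slot. */
	printf("old: %d  new: %d\n", validate_old(3), validate_new(3));
	return 0;
}
```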

* Re: [d-kernel] [PATCH all] kiosk: fix incorrect KIOSK_MAX_ATTR value
  2024-04-15 16:28 [d-kernel] [PATCH all] kiosk: fix incorrect KIOSK_MAX_ATTR value kovalev
@ 2024-04-15 20:11 ` Vitaly Chikunov
  0 siblings, 0 replies; 2+ messages in thread
From: Vitaly Chikunov @ 2024-04-15 20:11 UTC (permalink / raw)
  To: ALT Linux kernel packages development

On Mon, Apr 15, 2024 at 07:28:52PM +0300, kovalev@altlinux.org wrote:
> From: Vasiliy Kovalev <kovalev@altlinux.org>
> 
> The KIOSK_MAX_ATTR value should correspond to the index of the last
> available member of the structure, not their total number.
> 
> Found by Syzkaller:
> 
> [   52.512896] ===================================================
> [   52.512907] BUG: KASAN: global-out-of-bounds in
> 		__nla_validate_parse+0x2317/0x2560
> [   52.512921] Read of size 1 at addr ffffffff85205b90 by task
> 		global_out_boun/3776
> 
> [   52.512932] CPU: 0 PID: 3776 Comm: global_out_boun Not tainted
> 		6.1.81-std-def-alt1.kasan #1
> [   52.512940] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
> 		BIOS 1.16.0-alt1 04/01/2014
> [   52.512945] Call Trace:
> [   52.512951]  <TASK>
> [   52.512954]  dump_stack_lvl+0x14f/0x1be
> [   52.512969]  print_report+0x171/0x47b
> [   52.512980]  ? __virt_addr_valid+0x60/0x560
> [   52.512992]  ? __nla_validate_parse+0x2317/0x2560
> [   52.512999]  kasan_report+0xbb/0x160
> [   52.513011]  ? __nla_validate_parse+0x2317/0x2560
> [   52.513020]  __nla_validate_parse+0x2317/0x2560
> [   52.513031]  ? nla_get_range_signed+0x520/0x520
> [   52.513040]  __nla_parse+0x3e/0x50
> [   52.513048]  genl_family_rcv_msg_attrs_parse.constprop.0+0x1b5/0x290
> [   52.513061]  genl_family_rcv_msg_doit+0xdf/0x330
> [   52.513070]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
> [   52.513078]  ? mutex_lock_io_nested+0x1650/0x1650
> [   52.513088]  ? __lock_acquire+0x15c1/0x5530
> [   52.513098]  ? cap_capable+0x1dc/0x270
> [   52.513106]  ? safesetid_security_capable+0xe3/0x170
> [   52.513116]  ? bpf_lsm_capable+0xa/0x20
> [   52.513125]  ? security_capable+0x9a/0xd0
> [   52.513132]  ? ns_capable+0xe7/0x110
> [   52.513140]  genl_rcv_msg+0x446/0x780
> [   52.513148]  ? genl_start+0x670/0x670
> [   52.513155]  ? kiosk_nl_send_msg.constprop.0+0x2f0/0x2f0
> [   52.513163]  ? lock_release+0x7a0/0x7a0
> [   52.513170]  ? netlink_deliver_tap+0x10d/0xcd0
> [   52.513178]  netlink_rcv_skb+0x14d/0x440
> [   52.513185]  ? genl_start+0x670/0x670
> [   52.513193]  ? netlink_ack+0x1340/0x1340
> [   52.513205]  ? netlink_deliver_tap+0x1a6/0xcd0
> [   52.513215]  genl_rcv+0x29/0x40
> [   52.513221]  netlink_unicast+0x550/0x810
> [   52.513241]  ? netlink_attachskb+0x8a0/0x8a0
> [   52.513248]  ? __check_object_size+0x2f8/0x650
> [   52.513258]  netlink_sendmsg+0x924/0xe20
> [   52.513266]  ? netlink_unicast+0x810/0x810
> [   52.513274]  ? bpf_lsm_socket_sendmsg+0xa/0x20
> [   52.513282]  ? netlink_unicast+0x810/0x810
> [   52.513289]  __sock_sendmsg+0x157/0x190
> [   52.513300]  ____sys_sendmsg+0x75f/0x950
> [   52.513307]  ? copy_msghdr_from_user+0x101/0x160
> [   52.513314]  ? kernel_sendmsg+0x50/0x50
> [   52.513323]  ? lock_chain_count+0x20/0x20
> [   52.513330]  ? lock_acquire+0x1fb/0x580
> [   52.513338]  ___sys_sendmsg+0x115/0x1b0
> [   52.513344]  ? __ia32_sys_recvmmsg+0x270/0x270
> [   52.513352]  ? __lock_acquire+0x15c1/0x5530
> [   52.513363]  ? lockdep_hardirqs_on_prepare+0x410/0x410
> [   52.513372]  ? __fget_light+0x217/0x280
> [   52.513381]  __sys_sendmsg+0xf8/0x1d0
> [   52.513387]  ? __sys_sendmsg_sock+0x40/0x40
> [   52.513393]  ? lock_downgrade+0x820/0x820
> [   52.513403]  ? syscall_enter_from_user_mode+0x21/0x90
> [   52.513411]  ? lockdep_hardirqs_on_prepare+0x239/0x410
> [   52.513421]  ? trace_hardirqs_on+0x2d/0x110
> [   52.513423]  do_syscall_64+0x59/0x90
> [   52.513423]  ? __ct_user_enter+0xe1/0x160
> [   52.513423]  ? exc_page_fault+0x109/0x1f0
> [   52.513423]  entry_SYSCALL_64_after_hwframe+0x64/0xce
> [   52.513423] RIP: 0033:0x7fdbe798ad49
> [   52.513423] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89
> 		f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
> 		08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7
> 		d8 64 89 01 48
> [   52.513423] RSP: 002b:00007ffef36c9aa8 EFLAGS: 00000292
> 		ORIG_RAX:000000000000002e
> [   52.513423] RAX: ffffffffffffffda RBX: 00000000200007d6 RCX: 00007fdbe798ad49
> [   52.513423] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003
> [   52.513423] RBP: 00007ffef36c9ad0 R08: 00007ffef36c9aa7 R09: 0000000000000000
> [   52.513423] R10: 0000000000000000 R11: 0000000000000292 R12: 000055a5c5352060
> [   52.513423] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [   52.513423]  </TASK>
> 
> [   52.513423] The buggy address belongs to the variable:
> [   52.513423]  kiosk_policy+0x30/0x60
> 
> [   52.513423] The buggy address belongs to the physical page:
> [   52.513423] page:000000009fbf94f1 refcount:1 mapcount:0
> 		mapping:0000000000000000 index:0x0 pfn:0x5205
> [   52.513423] flags: 0x1fffff80001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
> [   52.513423] raw: 001fffff80001000 ffffea0000148148 ffffea0000148148
> 		0000000000000000
> [   52.513423] raw: 0000000000000000 0000000000000000 00000001ffffffff
> 		0000000000000000
> [   52.513423] page dumped because: kasan: bad access detected
> 
> [   52.513423] Memory state around the buggy address:
> [   52.513423]  ffffffff85205a80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
> [   52.513423]  ffffffff85205b00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
> [   52.513423] >ffffffff85205b80: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
> [   52.513423]                          ^
> [   52.513423]  ffffffff85205c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [   52.513423]  ffffffff85205c80: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
> [   52.513423] ==================================================================
> 
> Fixes: 35d97fb708d5 ("kiosk: Implement kiosk module")
> Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

Applied, thanks

> ---
>  security/kiosk/kiosk_lsm.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c
> index cf7a7df6599582..ffd0ca3a8867d6 100644
> --- a/security/kiosk/kiosk_lsm.c
> +++ b/security/kiosk/kiosk_lsm.c
> @@ -62,10 +62,11 @@ enum kiosk_attrs {
>  	KIOSK_NOATTR = 0,
>  	KIOSK_ACTION,
>  	KIOSK_DATA,
> -	KIOSK_MAX_ATTR,
> +	__KIOSK_MAX_ATTR,
> +	KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,
>  };
>  
> -static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR] = {
> +static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR + 1] = {
>  	[KIOSK_ACTION] = {
>  		.type = NLA_S16,
>  	},
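Review bot: the sentinel pattern in this hunk only stays correct while every new attribute is added before __KIOSK_MAX_ATTR, and nothing in the enum says so; a one-line comment above the sentinel (for example `/* add new attributes above this line */`) would document that. The more common kernel spelling keeps only __KIOSK_MAX_ATTR in the enum and adds `#define KIOSK_MAX_ATTR (__KIOSK_MAX_ATTR - 1)`, though assigning it inside the enum as done here is equivalent.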
> -- 
> 2.33.8
> 
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel



