Date: Mon, 15 Apr 2024 23:11:43 +0300
From: Vitaly Chikunov
To: ALT Linux kernel packages development
Message-ID: <20240415201143.nabzpcrezosba2kn@altlinux.org>
In-Reply-To: <20240415162852.517293-1-kovalev@altlinux.org>
Subject: Re: [d-kernel] [PATCH all] kiosk: fix incorrect KIOSK_MAX_ATTR value

On Mon, Apr 15, 2024 at 07:28:52PM +0300, kovalev@altlinux.org wrote:
> From: Vasiliy Kovalev > > The KIOSK_MAX_ATTR value should correspond to the index of the last > available member of the structure, not their total number. > > Found by Syzkaller: > > [ 52.512896] =================================================== > [ 52.512907] BUG: KASAN: global-out-of-bounds in > __nla_validate_parse+0x2317/0x2560 > [ 52.512921] Read of size 1 at addr ffffffff85205b90 by task > global_out_boun/3776 > > [ 52.512932] CPU: 0 PID: 3776 Comm: global_out_boun Not tainted > 6.1.81-std-def-alt1.kasan #1 > [ 52.512940] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), > BIOS 1.16.0-alt1 04/01/2014 > [ 52.512945] Call Trace: > [ 52.512951] > [ 52.512954] dump_stack_lvl+0x14f/0x1be > [ 52.512969] print_report+0x171/0x47b > [ 52.512980] ? __virt_addr_valid+0x60/0x560 > [ 52.512992] ? __nla_validate_parse+0x2317/0x2560 > [ 52.512999] kasan_report+0xbb/0x160 > [ 52.513011] ? __nla_validate_parse+0x2317/0x2560 > [ 52.513020] __nla_validate_parse+0x2317/0x2560 > [ 52.513031] ? nla_get_range_signed+0x520/0x520 > [ 52.513040] __nla_parse+0x3e/0x50 > [ 52.513048] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b5/0x290 > [ 52.513061] genl_family_rcv_msg_doit+0xdf/0x330 > [ 52.513070] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290 > [ 52.513078] ? mutex_lock_io_nested+0x1650/0x1650 > [ 52.513088] ? __lock_acquire+0x15c1/0x5530 > [ 52.513098] ? cap_capable+0x1dc/0x270 > [ 52.513106] ? safesetid_security_capable+0xe3/0x170 > [ 52.513116] ? bpf_lsm_capable+0xa/0x20 > [ 52.513125] ? security_capable+0x9a/0xd0 > [ 52.513132] ? ns_capable+0xe7/0x110 > [ 52.513140] genl_rcv_msg+0x446/0x780 > [ 52.513148] ? genl_start+0x670/0x670 > [ 52.513155] ? kiosk_nl_send_msg.constprop.0+0x2f0/0x2f0 > [ 52.513163] ? lock_release+0x7a0/0x7a0 > [ 52.513170] ? netlink_deliver_tap+0x10d/0xcd0 > [ 52.513178] netlink_rcv_skb+0x14d/0x440 > [ 52.513185] ? genl_start+0x670/0x670 > [ 52.513193] ? netlink_ack+0x1340/0x1340 > [ 52.513205] ? 
netlink_deliver_tap+0x1a6/0xcd0 > [ 52.513215] genl_rcv+0x29/0x40 > [ 52.513221] netlink_unicast+0x550/0x810 > [ 52.513241] ? netlink_attachskb+0x8a0/0x8a0 > [ 52.513248] ? __check_object_size+0x2f8/0x650 > [ 52.513258] netlink_sendmsg+0x924/0xe20 > [ 52.513266] ? netlink_unicast+0x810/0x810 > [ 52.513274] ? bpf_lsm_socket_sendmsg+0xa/0x20 > [ 52.513282] ? netlink_unicast+0x810/0x810 > [ 52.513289] __sock_sendmsg+0x157/0x190 > [ 52.513300] ____sys_sendmsg+0x75f/0x950 > [ 52.513307] ? copy_msghdr_from_user+0x101/0x160 > [ 52.513314] ? kernel_sendmsg+0x50/0x50 > [ 52.513323] ? lock_chain_count+0x20/0x20 > [ 52.513330] ? lock_acquire+0x1fb/0x580 > [ 52.513338] ___sys_sendmsg+0x115/0x1b0 > [ 52.513344] ? __ia32_sys_recvmmsg+0x270/0x270 > [ 52.513352] ? __lock_acquire+0x15c1/0x5530 > [ 52.513363] ? lockdep_hardirqs_on_prepare+0x410/0x410 > [ 52.513372] ? __fget_light+0x217/0x280 > [ 52.513381] __sys_sendmsg+0xf8/0x1d0 > [ 52.513387] ? __sys_sendmsg_sock+0x40/0x40 > [ 52.513393] ? lock_downgrade+0x820/0x820 > [ 52.513403] ? syscall_enter_from_user_mode+0x21/0x90 > [ 52.513411] ? lockdep_hardirqs_on_prepare+0x239/0x410 > [ 52.513421] ? trace_hardirqs_on+0x2d/0x110 > [ 52.513423] do_syscall_64+0x59/0x90 > [ 52.513423] ? __ct_user_enter+0xe1/0x160 > [ 52.513423] ? 
exc_page_fault+0x109/0x1f0 > [ 52.513423] entry_SYSCALL_64_after_hwframe+0x64/0xce > [ 52.513423] RIP: 0033:0x7fdbe798ad49 > [ 52.513423] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 > f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 > 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 > d8 64 89 01 48 > [ 52.513423] RSP: 002b:00007ffef36c9aa8 EFLAGS: 00000292 > ORIG_RAX:000000000000002e > [ 52.513423] RAX: ffffffffffffffda RBX: 00000000200007d6 RCX: 00007fdbe798ad49 > [ 52.513423] RDX: 0000000000000000 RSI: 0000000020000600 RDI: 0000000000000003 > [ 52.513423] RBP: 00007ffef36c9ad0 R08: 00007ffef36c9aa7 R09: 0000000000000000 > [ 52.513423] R10: 0000000000000000 R11: 0000000000000292 R12: 000055a5c5352060 > [ 52.513423] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 52.513423] > > [ 52.513423] The buggy address belongs to the variable: > [ 52.513423] kiosk_policy+0x30/0x60 > > [ 52.513423] The buggy address belongs to the physical page: > [ 52.513423] page:000000009fbf94f1 refcount:1 mapcount:0 > mapping:0000000000000000 index:0x0 pfn:0x5205 > [ 52.513423] flags: 0x1fffff80001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) > [ 52.513423] raw: 001fffff80001000 ffffea0000148148 ffffea0000148148 > 0000000000000000 > [ 52.513423] raw: 0000000000000000 0000000000000000 00000001ffffffff > 0000000000000000 > [ 52.513423] page dumped because: kasan: bad access detected > > [ 52.513423] Memory state around the buggy address: > [ 52.513423] ffffffff85205a80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 > [ 52.513423] ffffffff85205b00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 > [ 52.513423] >ffffffff85205b80: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 > [ 52.513423] ^ > [ 52.513423] ffffffff85205c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > [ 52.513423] ffffffff85205c80: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 > [ 52.513423] 
================================================================== > > Fixes: 35d97fb708d5 ("kiosk: Implement kiosk module") > Signed-off-by: Vasiliy Kovalev Applied, thanks > --- > security/kiosk/kiosk_lsm.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c > index cf7a7df6599582..ffd0ca3a8867d6 100644 > --- a/security/kiosk/kiosk_lsm.c > +++ b/security/kiosk/kiosk_lsm.c > @@ -62,10 +62,11 @@ enum kiosk_attrs { > KIOSK_NOATTR = 0, > KIOSK_ACTION, > KIOSK_DATA, > - KIOSK_MAX_ATTR, > + __KIOSK_MAX_ATTR, > + KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1, > }; > > -static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR] = { > +static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR + 1] = { > [KIOSK_ACTION] = { > .type = NLA_S16, > }, > -- > 2.33.8
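Review bot: the kiosk_policy table does not change size in this hunk (the old `[KIOSK_MAX_ATTR]` and the new `[KIOSK_MAX_ATTR + 1]` both evaluate to 3 entries), so what actually closes the global-out-of-bounds in __nla_validate_parse is KIOSK_MAX_ATTR dropping from 3 to 2 wherever it is handed to the genetlink core as the family's maximum attribute type; that use is outside the hunk. Please state in the commit message, or check in a follow-up, that every other use of KIOSK_MAX_ATTR in kiosk_lsm.c was reviewed under the new meaning: any array still declared `[KIOSK_MAX_ATTR]` would now be one slot short, and a maximum attribute value left at `__KIOSK_MAX_ATTR` would bring back the read past the table. The `__KIOSK_MAX_ATTR` / `KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1` pair itself follows the usual in-tree genetlink convention and looks right.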
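The off-by-one the commit message describes, as an added example that is not code from the kiosk module or this patch: a user-space model of the netlink policy-table lookup, with the enum shape taken from the patch and the `struct policy`, `validate_stream` and the message bytes constructed here.

```c
/* Added example, not the kiosk module's code: a user-space model of how the netlink
 * parser indexes a policy table, and why KIOSK_MAX_ATTR must be the last valid index. */
#include <stddef.h>

enum kiosk_attrs {                          /* same shape as the patched enum */
	KIOSK_NOATTR = 0,
	KIOSK_ACTION,
	KIOSK_DATA,
	__KIOSK_MAX_ATTR,                       /* member count: 3 */
	KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,  /* last valid index: 2 */
};

struct policy { int type; };                /* stand-in for struct nla_policy */
static const struct policy kiosk_policy[KIOSK_MAX_ATTR + 1] = {
	[KIOSK_ACTION] = { 16 }, [KIOSK_DATA] = { 8 },
};
#define NLA_HDRLEN 4                        /* u16 nla_len, u16 nla_type */
#define NLA_ALIGN(len) (((len) + 3) & ~(size_t)3)

/* Walks a TLV stream as __nla_validate_parse does: each attribute with type in
 * 1..maxtype is looked up in policy[type]. Returns the number validated, -1 if
 * the lookup would read past the table (KASAN's global-out-of-bounds), -2 on a bad length. */
static int validate_stream(const unsigned char *buf, size_t len,
			   const struct policy *policy, size_t policy_len, unsigned maxtype)
{
	int validated = 0;
	for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
		unsigned nla_len  = buf[off] | (buf[off + 1] << 8);
		unsigned nla_type = buf[off + 2] | (buf[off + 3] << 8);
		if (nla_len < NLA_HDRLEN || off + nla_len > len)
			return -2;
		if (nla_type != 0 && nla_type <= maxtype) {
			if (nla_type >= policy_len)
				return -1;          /* policy[type] lies past the table */
			if (policy[nla_type].type != 0)  /* the real parser validates here */
				validated++;
		}
		off += NLA_ALIGN(nla_len);
	}
	return validated;
}

/* Constructed little-endian message: KIOSK_ACTION with a 2-byte payload padded to 8,
 * then an empty attribute of type 3, the value the old KIOSK_MAX_ATTR had. */
static const unsigned char msg[] = { 6, 0, KIOSK_ACTION, 0, 1, 0, 0, 0, 4, 0, 3, 0 };
/* The old code advertised maxtype = 3 (the member count); the fix advertises 2. */
static int check_sizing(unsigned maxtype)
{
	return validate_stream(msg, sizeof msg, kiosk_policy,
			       sizeof kiosk_policy / sizeof *kiosk_policy, maxtype);
}
```

With the old value the type-3 attribute indexes one past the three-entry table; with the fixed value it is simply skipped as an unknown type.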