Re: [PATCH upstream] KASAN: slab-out-of-bounds Read in getname_kernel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, thanks. Please use my full name, Tomas Bortoli.

Cheers


On 07/02/2018 12:20 PM, Ian Kent wrote:
> On Mon, 2018-07-02 at 10:31 +0200, tomas wrote:
>> Hi Ian,
>>
>> you are welcome!
>>
>> yes your patch is much better. You should just put the "_IOC_NR" macro
>> around "cmd" in the lines added to "validate_dev_ioctl" to make it work.
> LOL, yes, that was a dumb mistake.
>
> I'll send it to Andrew Morton, after some fairly simple sanity testing,
> with both our Signed-off-by added.
>
>> Tomas
>>
>>
>> On 07/02/2018 03:42 AM, Ian Kent wrote:
>>> On Mon, 2018-07-02 at 09:10 +0800, Ian Kent wrote:
>>>> On Mon, 2018-07-02 at 00:04 +0200, tomas wrote:
>>>>> Hi,
>>>>>
>>>>> I've looked into this issue found by Syzbot and I made a patch:
>>>>>
>>>>> https://syzkaller.appspot.com/bug?id=d03abd8b42847f7f69b1d1d7f97208ae425
>>>>> b116
>>>>> 3
>>>> Umm ... oops!
>>>>
>>>> Thanks for looking into this Tomas.
>>>>
>>>>> The autofs subsystem does not check that the "path" parameter is present
>>>>> within the "param" struct passed by the userspace in case the
>>>>> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD command is passed. Indeed, it assumes a
>>>>> path is always provided (though a path is not always present, as per how
>>>>> the struct is defined:
>>>>> https://github.com/torvalds/linux/blob/master/include/uapi/linux/auto_de
>>>>> v-io
>>>>> ct
>>>>> l.h#L89).
>>>>> Skipping the check provokes an oob read in "strlen", called by
>>>>> "getname_kernel", in turn called by the autofs to assess the length of
>>>>> the non-existing path.
>>>>>
>>>>> To solve it, modify the "validate_dev_ioctl" function to check also that
>>>>> a path has been provided if the command is
>>>>> AUTOFS_DEV_IOCTL_OPENMOUNT_CMD.
>>>>>
>>>>>
>>>>> --- b/fs/autofs/dev-ioctl.c    2018-07-01 23:10:16.059728621 +0200around
>>>>> +++ a/fs/autofs/dev-ioctl.c    2018-07-01 23:10:24.311792133 +0200
>>>>> @@ -136,6 +136,9 @@ static int validate_dev_ioctl(int cmd, s
>>>>>              goto out;
>>>>>          }
>>>>>      }
>>>>> +    /* AUTOFS_DEV_IOCTL_OPENMOUNT_CMD without path */
>>>>> +    else if(_IOC_NR(cmd) == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD)
>>>>> +        return -EINVAL;
>>>> My preference is to put the comment inside the else but ...
>>>>
>>>> There's another question, should the check be done in
>>>> autofs_dev_ioctl_openmount() in the same way it's checked in other
>>>> ioctls that need a path, such as in autofs_dev_ioctl_requester()
>>>> and autofs_dev_ioctl_ismountpoint()?
>>>>
>>>> For consistency I'd say it should.
>>>>
>>>>>  
>>>>>      err = 0;You should just put the "_IOC_NR" directive around "cmd" in
>>>>> the lines added to "validate_dev_ioctl" to make it work.
>>>>>  out:
>>>>>
>>>>>
>>>>> Tested and solves the issue on Linus' main git tree.
>>>>>
>>>>>
>>> Or perhaps this (not even compile tested) patch would be better?
>>>
>>> autofs - fix slab out of bounds read in getname_kernel()
>>>
>>> From: Ian Kent <raven@xxxxxxxxxx>
>>>
>>> The autofs subsystem does not check that the "path" parameter is
>>> present for all cases where it is required when it is passed in
>>> via the "param" struct.
>>>
>>> In particular it isn't checked for the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD
>>> ioctl command.
>>>
>>> To solve it, modify validate_dev_ioctl() function to check that a
>>> path has been provided for ioctl commands that require it.
>>> ---
>>>  fs/autofs/dev-ioctl.c |   15 +++++++--------
>>>  1 file changed, 7 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c
>>> index ea4ca1445ab7..61c63715c3fb 100644
>>> --- a/fs/autofs/dev-ioctl.c
>>> +++ b/fs/autofs/dev-ioctl.c
>>> @@ -135,6 +135,11 @@ static int validate_dev_ioctl(int cmd, struct
>>> autofs_dev_ioctl *param)
>>>  				cmd);
>>>  			goto out;
>>>  		}
>>> +	} else if (cmd == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
>>> +		   cmd == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
>>> +		   cmd == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
>>> +		err = -EINVAL;
>>> +		goto out;
>>>  	}
>>>  
>>>  	err = 0;
>>> @@ -433,10 +438,7 @@ static int autofs_dev_ioctl_requester(struct file *fp,
>>>  	dev_t devid;
>>>  	int err = -ENOENT;
>>>  
>>> -	if (param->size <= AUTOFS_DEV_IOCTL_SIZE) {
>>> -		err = -EINVAL;
>>> -		goto out;
>>> -	}
>>> +	/* param->path has already been checked */
>>>  
>>>  	devid = sbi->sb->s_dev;
>>>  
>>> @@ -521,10 +523,7 @@ static int autofs_dev_ioctl_ismountpoint(struct file
>>> *fp,
>>>  	unsigned int devid, magic;
>>>  	int err = -ENOENT;
>>>  
>>> -	if (param->size <= AUTOFS_DEV_IOCTL_SIZE) {
>>> -		err = -EINVAL;
>>> -		goto out;
>>> -	}
>>> +	/* param->path has already been checked */
>>>  
>>>  	name = param->path;
>>>  	type = param->ismountpoint.in.type;
>>

--
To unsubscribe from this list: send the line "unsubscribe autofs" in



[Index of Archives]     [Linux Filesystem Development]     [Linux Ext4]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux