KASAN: stack-out-of-bounds Write in mpol_to_str

Entropy Moe <3ntr0py1337@xxxxxxxxx> · Sun, 15 Mar 2020 23:57:17 +0400

Hello team, 
how are you ? 
I wanted to report a bug on mempolicy.c. I found the bug on the latest version of the kernel. 

which is stack out of bound vulnerability. 

I am attaching  report. 

If you need the POC crash code, I can provide. 

==================================================================
BUG: KASAN: stack-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: stack-out-of-bounds in __node_set include/linux/nodemask.h:130 [inline]
BUG: KASAN: stack-out-of-bounds in mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
Write of size 8 at addr ffff88806715fb58 by task systemd/1

CPU: 1 PID: 1 Comm: systemd Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc6/0x11e lib/dump_stack.c:118
 print_address_description.constprop.5+0x16/0x310 mm/kasan/report.c:374
 __kasan_report+0x158/0x1c0 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 __node_set include/linux/nodemask.h:130 [inline]
 mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
 shmem_show_mpol mm/shmem.c:1406 [inline]
 shmem_show_options+0x37c/0x540 mm/shmem.c:3611
 show_mountinfo+0x5b4/0x870 fs/proc_namespace.c:187
 seq_read+0x9fb/0x1030 fs/seq_file.c:268
 __vfs_read+0x7a/0x100 fs/read_write.c:425
 vfs_read+0x15e/0x370 fs/read_write.c:461
 ksys_read+0x17b/0x210 fs/read_write.c:587
 do_syscall_64+0x9b/0x520 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f67a589a910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
RSP: 002b:00007ffefbf89888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b4a3ba9c00 RCX: 00007f67a589a910
RDX: 0000000000000400 RSI: 000055b4a3bba200 RDI: 0000000000000013
RBP: 0000000000000d68 R08: 00007f67a72cf500 R09: 00000000000000e0
R10: 000055b4a3bba5e3 R11: 0000000000000246 R12: 00007f67a5b55440
R13: 00007f67a5b54900 R14: 000000000000001d R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00019c57c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 ffffea00019c57c8 ffffea00019c57c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

addr ffff88806715fb58 is located in stack of task systemd/1 at offset 40 in frame:
 mpol_to_str+0x0/0x380 mm/mempolicy.c:2926

this frame has 1 object:
 [32, 40) 'nodes'

Memory state around the buggy address:
 ffff88806715fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806715fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806715fb00: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00
                                                    ^
 ffff88806715fb80: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
 ffff88806715fc00: 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00
==================================================================