From patchwork Fri Jun 28 08:24:38 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Po-Hsu Lin <po-hsu.lin@canonical.com>
X-Patchwork-Id: 1124042
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 45ZqZJ4zsRz9s3C;
	Fri, 28 Jun 2019 18:24:56 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1hgmBh-0004iX-17; Fri, 28 Jun 2019 08:24:53 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <po-hsu.lin@canonical.com>)
	id 1hgmBd-0004hK-VL
	for kernel-team@lists.ubuntu.com; Fri, 28 Jun 2019 08:24:49 +0000
Received: from mail-pl1-f200.google.com ([209.85.214.200])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <po-hsu.lin@canonical.com>)
	id 1hgmBd-0000Os-GX
	for kernel-team@lists.ubuntu.com; Fri, 28 Jun 2019 08:24:49 +0000
Received: by mail-pl1-f200.google.com with SMTP id t2so3105871plo.10
	for <kernel-team@lists.ubuntu.com>;
	Fri, 28 Jun 2019 01:24:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=0L50p/MVw/lOB5KQDmntpuzzcgfiUAOUUiqVlK5ionQ=;
	b=NX/nuOkE8teS+5Q5/LGIPe2VyDlrD/xDpxnhPebU3i4qsO1s470QcadHGJ9Ojedwrp
	C/1zI9WBP2DgFrDnd8wbBwtP7tmFmgTdF5D8YoOzWorp4mVg7I75bOKRZ6OE5f5oGtUj
	AT0zpk61ZCNGAwQ0QfgNOIGVF7L1+i10XbEjw1aC5tm2t0mkPZ36Ok6oPCbEmJUK2Qe8
	Zdb0FflDT1i+RQWg19Pb0i6jLXv57/LmqoaVNLUi/OqWN9mGoActMbQLTgwi0rhYkh+K
	4Ca4csNC1tOq87KIR1GWrU17sRO5UE0ypvhxXfKWHW1A+Zb64OVjP/WeMv2Nz4nroAJ+
	7kSg==
X-Gm-Message-State: APjAAAVfCJkGJX/41AV1dYYJHBZwHjhNu8GSK2YmdjOWSRDUXf15SM23
	uy/8hgd10c0cCccFNqiroGFG764UIjF6R/mUzX4Rn6sRS54TstHEgzpgkLeLA1jVaAKgjGDyra+
	w0mLtJYC8lLNIMXYosoLEMhuzRcPWgMdLTEzHAtD8
X-Received: by 2002:a17:90b:d8b:: with SMTP id
	bg11mr11610001pjb.30.1561710287991;
	Fri, 28 Jun 2019 01:24:47 -0700 (PDT)
X-Google-Smtp-Source: 
 APXvYqxq6XYlTrqS6d6HvVbVL+3BG/LLDccnuemLMMHtirFNKuzR7Wz+bujcLL/T8aAtUKu6nYQfrw==
X-Received: by 2002:a17:90b:d8b:: with SMTP id
	bg11mr11609969pjb.30.1561710287692;
	Fri, 28 Jun 2019 01:24:47 -0700 (PDT)
Received: from Leggiero.taipei.internal (61-220-137-37.HINET-IP.hinet.net.
	[61.220.137.37]) by smtp.gmail.com with ESMTPSA id
	w7sm1564777pfb.117.2019.06.28.01.24.46
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Fri, 28 Jun 2019 01:24:47 -0700 (PDT)
From: Po-Hsu Lin <po-hsu.lin@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [B][C][SRU][PATCH v2 2/2] kernel/sysctl.c: fix out-of-bounds access
	when setting file-max
Date: Fri, 28 Jun 2019 16:24:38 +0800
Message-Id: <20190628082438.3124-3-po-hsu.lin@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190628082438.3124-1-po-hsu.lin@canonical.com>
References: <20190628082438.3124-1-po-hsu.lin@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Will Deacon <will.deacon@arm.com>

BugLink: https://bugs.launchpad.net/bugs/1834310

Commit 32a5ad9c2285 ("sysctl: handle overflow for file-max") hooked up
min/max values for the file-max sysctl parameter via the .extra1 and
.extra2 fields in the corresponding struct ctl_table entry.

Unfortunately, the minimum value points at the global 'zero' variable,
which is an int.  This results in a KASAN splat when accessed as a long
by proc_doulongvec_minmax on 64-bit architectures:

  | BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x5d8/0x6a0
  | Read of size 8 at addr ffff2000133d1c20 by task systemd/1
  |
  | CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc3-00012-g40b114779944 #2
  | Hardware name: linux,dummy-virt (DT)
  | Call trace:
  |  dump_backtrace+0x0/0x228
  |  show_stack+0x14/0x20
  |  dump_stack+0xe8/0x124
  |  print_address_description+0x60/0x258
  |  kasan_report+0x140/0x1a0
  |  __asan_report_load8_noabort+0x18/0x20
  |  __do_proc_doulongvec_minmax+0x5d8/0x6a0
  |  proc_doulongvec_minmax+0x4c/0x78
  |  proc_sys_call_handler.isra.19+0x144/0x1d8
  |  proc_sys_write+0x34/0x58
  |  __vfs_write+0x54/0xe8
  |  vfs_write+0x124/0x3c0
  |  ksys_write+0xbc/0x168
  |  __arm64_sys_write+0x68/0x98
  |  el0_svc_common+0x100/0x258
  |  el0_svc_handler+0x48/0xc0
  |  el0_svc+0x8/0xc
  |
  | The buggy address belongs to the variable:
  |  zero+0x0/0x40
  |
  | Memory state around the buggy address:
  |  ffff2000133d1b00: 00 00 00 00 00 00 00 00 fa fa fa fa 04 fa fa fa
  |  ffff2000133d1b80: fa fa fa fa 04 fa fa fa fa fa fa fa 04 fa fa fa
  | >ffff2000133d1c00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
  |                                ^
  |  ffff2000133d1c80: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 00 00
  |  ffff2000133d1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Fix the splat by introducing a unsigned long 'zero_ul' and using that
instead.

Link: http://lkml.kernel.org/r/20190403153409.17307-1-will.deacon@arm.com
Fixes: 32a5ad9c2285 ("sysctl: handle overflow for file-max")
Signed-off-by: Will Deacon <will.deacon@arm.com>
Acked-by: Christian Brauner <christian@brauner.io>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9002b21465fa4d829edfc94a5a441005cffaa972)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 kernel/sysctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 39ea0c1..df6492b 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -128,6 +128,7 @@ static int zero;
 static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
+static unsigned long zero_ul;
 static unsigned long one_ul = 1;
 static unsigned long long_max = LONG_MAX;
 static int one_hundred = 100;
@@ -1699,7 +1700,7 @@ static struct ctl_table fs_table[] = {
 		.maxlen		= sizeof(files_stat.max_files),
 		.mode		= 0644,
 		.proc_handler	= proc_doulongvec_minmax,
-		.extra1		= &zero,
+		.extra1		= &zero_ul,
 		.extra2		= &long_max,
 	},
 	{