Message ID | 20220523140403.2361040-1-vincent.whitchurch@axis.com |
---|---|
State | Accepted |
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
To: <richard@nod.at>, <anton.ivanov@cambridgegreys.com>, <johannes@sipsolutions.net>
CC: <kernel@axis.com>, <x86@kernel.org>, <linux-um@lists.infradead.org>, <linux-kernel@vger.kernel.org>, Vincent Whitchurch <vincent.whitchurch@axis.com>
Subject: [PATCH] um: Fix out-of-bounds read in LDT setup
Date: Mon, 23 May 2022 16:04:03 +0200
Message-ID: <20220523140403.2361040-1-vincent.whitchurch@axis.com>
X-Mailer: git-send-email 2.34.1
List-Id: <linux-um.lists.infradead.org>
Series | um: Fix out-of-bounds read in LDT setup |
diff --git a/arch/x86/um/ldt.c b/arch/x86/um/ldt.c index 3ee234b6234d..255a44dd415a 100644 --- a/arch/x86/um/ldt.c +++ b/arch/x86/um/ldt.c @@ -23,9 +23,11 @@ static long write_ldt_entry(struct mm_id *mm_idp, int func, { long res; void *stub_addr; + + BUILD_BUG_ON(sizeof(*desc) % sizeof(long)); + res = syscall_stub_data(mm_idp, (unsigned long *)desc, - (sizeof(*desc) + sizeof(long) - 1) & - ~(sizeof(long) - 1), + sizeof(*desc) / sizeof(long), addr, &stub_addr); if (!res) { unsigned long args[] = { func,
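Review bot: The BUILD_BUG_ON is what makes the new `sizeof(*desc) / sizeof(long)` safe and should stay directly beside the call rather than be treated as optional: the removed expression rounded the byte count up to a multiple of sizeof(long), so the original code evidently anticipated a descriptor size that is not a whole number of longs, and with plain integer division such a size would now silently copy too few bytes (a truncated descriptor) instead of over-reading. The unit mismatch itself lives at the syscall_stub_data() interface, which is outside this hunk; a follow-up that documents data_count as a count of longs at its declaration, or renames it along the lines of data_longs, would stop the next caller from repeating the bytes-for-longs confusion the KASAN report below describes.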
syscall_stub_data() expects the data_count parameter to be the number of
longs, not bytes.

==================================================================
BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
Read of size 128 at addr 000000006411f6f0 by task swapper/1

CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
Call Trace:
 show_stack.cold+0x166/0x2a7
 __dump_stack+0x3a/0x43
 dump_stack_lvl+0x1f/0x27
 print_report.cold+0xdb/0xf81
 kasan_report+0x119/0x1f0
 kasan_check_range+0x3a3/0x440
 memcpy+0x52/0x140
 syscall_stub_data+0x70/0xe0
 write_ldt_entry+0xac/0x190
 init_new_ldt+0x515/0x960
 init_new_context+0x2c4/0x4d0
 mm_init.constprop.0+0x5ed/0x760
 mm_alloc+0x118/0x170
 0x60033f48
 do_one_initcall+0x1d7/0x860
 0x60003e7b
 kernel_init+0x6e/0x3d4
 new_thread_handler+0x1e7/0x2c0

The buggy address belongs to stack of task swapper/1
 and is located at offset 64 in frame:
 init_new_ldt+0x0/0x960

This frame has 2 objects:
 [32, 40) 'addr'
 [64, 80) 'desc'
==================================================================

Fixes: 858259cf7d1c443c83 ("uml: maintain own LDT entries")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
 arch/x86/um/ldt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
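The bug class described in the commit message, a count in bytes handed to a callee that counts longs, as an added example that is not code from this patch or from the UML tree. It models the old and new count computations from the hunk, the bounds check KASAN performed at runtime, and a copy helper that refuses the over-read instead of performing it. `struct ldt_desc_model`, `checked_copy_longs()`, `setup_descriptor_model()` and the descriptor contents are constructed for the example; the descriptor is made 16 bytes so that, on a 64-bit host, the old count asks for the 128-byte read the report shows.

```c
/* Added example (not code from the patch or the UML tree): a model of the
 * bytes-vs-longs confusion in the commit message. All names below are
 * hypothetical; the real function is syscall_stub_data() in arch/x86/um. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed descriptor: 16 bytes, the same size as the 'desc' stack
 * object ([64, 80)) in the KASAN report. Not the kernel's struct ldt_entry. */
struct ldt_desc_model {
	uint64_t a;
	uint64_t b;
};

/* Mirrors the BUILD_BUG_ON added by the patch: the division in
 * fixed_count() is only exact when the size is a whole number of longs. */
_Static_assert(sizeof(struct ldt_desc_model) % sizeof(long) == 0,
	       "descriptor must be a whole number of longs");

/* Count computed the way the removed code did: bytes, rounded up to a
 * multiple of sizeof(long). The callee treats this as a count of longs. */
static size_t buggy_count(size_t desc_size)
{
	return (desc_size + sizeof(long) - 1) & ~(sizeof(long) - 1);
}

/* Count computed the way the patched code does: number of longs. */
static size_t fixed_count(size_t desc_size)
{
	return desc_size / sizeof(long);
}

/* Bytes a callee that interprets 'count' as longs reads from its source. */
static size_t bytes_read_for_count(size_t count)
{
	return count * sizeof(long);
}

/* The check KASAN performed at runtime: does a read of 'count' longs stay
 * inside an object of 'object_size' bytes? Returns 1 if it does. */
static int read_in_bounds(size_t object_size, size_t count)
{
	return bytes_read_for_count(count) <= object_size;
}

/* Stand-in for the stub-data copy: copies 'count' longs from 'src', an
 * object of 'src_size' bytes, into 'dst'. Unlike a bare memcpy it refuses
 * a copy that would over-read the source (or overflow dst) and returns -1;
 * otherwise it returns the number of bytes copied. */
static long checked_copy_longs(unsigned long *dst, size_t dst_words,
			       const void *src, size_t src_size, size_t count)
{
	if (count > dst_words || !read_in_bounds(src_size, count))
		return -1;
	memcpy(dst, src, count * sizeof(unsigned long));
	return (long)(count * sizeof(unsigned long));
}

#define STUB_WORDS 32

/* Runs the write_ldt_entry() call pattern with the old or the new count.
 * Returns bytes copied, or -1 when the copy was refused as an over-read. */
static long setup_descriptor_model(int use_fixed_count)
{
	/* Constructed contents; any 16 bytes would do for the size check. */
	struct ldt_desc_model desc = { 0xa5a5a5a5a5a5a5a5ULL, 0x5a5a5a5a5a5a5a5aULL };
	unsigned long stub[STUB_WORDS] = { 0 };
	size_t count = use_fixed_count ? fixed_count(sizeof(desc))
				       : buggy_count(sizeof(desc));

	return checked_copy_longs(stub, STUB_WORDS, &desc, sizeof(desc), count);
}

int main(void)
{
	size_t sz = sizeof(struct ldt_desc_model);

	printf("old count: %zu longs -> would read %zu bytes from a %zu-byte desc: %s\n",
	       buggy_count(sz), bytes_read_for_count(buggy_count(sz)), sz,
	       setup_descriptor_model(0) < 0 ? "refused (over-read)" : "ok");
	printf("new count: %zu longs -> copied %ld bytes\n",
	       fixed_count(sz), setup_descriptor_model(1));
	return 0;
}
```

Compile with any C11 compiler and run it: on an LP64 host the old path asks for 16 longs (128 bytes) from a 16-byte object and is refused, while the new path copies 2 longs (16 bytes). The point of the `_Static_assert` is the same as the patch's BUILD_BUG_ON: once the count is a division, a descriptor that is not a whole number of longs would fail silently by copying too little, so the size constraint belongs at compile time.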