out of bounds strscpy from seccomp_actions_logged_handler

From: Dave Jones
Date: Tue Oct 24 2017 - 19:46:23 EST


(Triggered with trinity, but it seems just a 'cat
/proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).


BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883

CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1
Call Trace:
dump_stack+0xbc/0x145
? dma_virt_map_sg+0xfb/0xfb
print_address_description+0x2d/0x260
kasan_report+0x277/0x360
? strscpy+0x133/0x2d0
strscpy+0x133/0x2d0
? strcasecmp+0xb0/0xb0
seccomp_actions_logged_handler+0x2c5/0x440
? seccomp_send_sigsys+0xd0/0xd0
? lock_downgrade+0x310/0x310
? lock_release+0x890/0x890
? do_raw_spin_unlock+0x147/0x220
? do_raw_spin_trylock+0x100/0x100
? do_raw_spin_trylock+0x40/0x100
? do_raw_spin_lock+0x110/0x110
proc_sys_call_handler+0x1b1/0x1f0
? seccomp_send_sigsys+0xd0/0xd0
? proc_sys_readdir+0x6d0/0x6d0
do_iter_read+0x23b/0x280
vfs_readv+0x107/0x180
? compat_rw_copy_check_uvector+0x1d0/0x1d0
? native_sched_clock+0xf9/0x1a0
? cyc2ns_read_end+0x10/0x10
? __fget_light+0x181/0x200
? fget_raw+0x10/0x10
? __lock_is_held+0x2e/0xd0
? rcu_read_lock_sched_held+0x90/0xa0
? __context_tracking_exit.part.4+0x223/0x290
? context_tracking_recursion_enter+0x50/0x50
? __task_pid_nr_ns+0x1c4/0x300
? do_preadv+0xb0/0xf0
do_preadv+0xb0/0xf0
? SyS_preadv+0x10/0x10
do_syscall_64+0x182/0x400
? syscall_return_slowpath+0x270/0x270
? rcu_read_lock_sched_held+0x90/0xa0
? __context_tracking_exit.part.4+0x223/0x290
? mark_held_locks+0x1b/0xa0
? return_from_SYSCALL_64+0x2d/0x7a
? trace_hardirqs_on_caller+0x17a/0x250
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f52d5f45219
RSP: 002b:00007fff8a422838 EFLAGS: 00000246
ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000

The buggy address belongs to the variable:
kdb_rwtypes+0x1268/0x1320

Memory state around the buggy address:
ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
^
ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
==================================================================
Disabling lock debugging due to kernel taint