Re: out of bounds strscpy from seccomp_actions_logged_handler
From: Tyler Hicks
Date: Tue Oct 24 2017 - 19:54:42 EST
On 10/24/2017 06:46 PM, Dave Jones wrote:
> (Triggered with trinity, but it seems just a 'cat
> /proc/sys/kernel/seccomp/actions_logged' reproduces just as easily).
Hi Dave - Thanks for the report. This is a false positive that was
previously discussed here:
https://lkml.kernel.org/r/<20171010182805.52b9b2af@xxxxxxxxxxxxxxxxxxxx>
Tyler
>
>
> BUG: KASAN: global-out-of-bounds in strscpy+0x133/0x2d0
> Read of size 8 at addr ffffffff824b0028 by task trinity-c63/6883
>
> CPU: 3 PID: 6883 Comm: trinity-c63 Not tainted 4.14.0-rc6-think+ #1
> Call Trace:
> dump_stack+0xbc/0x145
> ? dma_virt_map_sg+0xfb/0xfb
> print_address_description+0x2d/0x260
> kasan_report+0x277/0x360
> ? strscpy+0x133/0x2d0
> strscpy+0x133/0x2d0
> ? strcasecmp+0xb0/0xb0
> seccomp_actions_logged_handler+0x2c5/0x440
> ? seccomp_send_sigsys+0xd0/0xd0
> ? lock_downgrade+0x310/0x310
> ? lock_release+0x890/0x890
> ? do_raw_spin_unlock+0x147/0x220
> ? do_raw_spin_trylock+0x100/0x100
> ? do_raw_spin_trylock+0x40/0x100
> ? do_raw_spin_lock+0x110/0x110
> proc_sys_call_handler+0x1b1/0x1f0
> ? seccomp_send_sigsys+0xd0/0xd0
> ? proc_sys_readdir+0x6d0/0x6d0
> do_iter_read+0x23b/0x280
> vfs_readv+0x107/0x180
> ? compat_rw_copy_check_uvector+0x1d0/0x1d0
> ? native_sched_clock+0xf9/0x1a0
> ? cyc2ns_read_end+0x10/0x10
> ? __fget_light+0x181/0x200
> ? fget_raw+0x10/0x10
> ? __lock_is_held+0x2e/0xd0
> ? rcu_read_lock_sched_held+0x90/0xa0
> ? __context_tracking_exit.part.4+0x223/0x290
> ? context_tracking_recursion_enter+0x50/0x50
> ? __task_pid_nr_ns+0x1c4/0x300
> ? do_preadv+0xb0/0xf0
> do_preadv+0xb0/0xf0
> ? SyS_preadv+0x10/0x10
> do_syscall_64+0x182/0x400
> ? syscall_return_slowpath+0x270/0x270
> ? rcu_read_lock_sched_held+0x90/0xa0
> ? __context_tracking_exit.part.4+0x223/0x290
> ? mark_held_locks+0x1b/0xa0
> ? return_from_SYSCALL_64+0x2d/0x7a
> ? trace_hardirqs_on_caller+0x17a/0x250
> ? trace_hardirqs_on_thunk+0x1a/0x1c
> entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x7f52d5f45219
> RSP: 002b:00007fff8a422838 EFLAGS: 00000246
> ORIG_RAX: 0000000000000147
> RAX: ffffffffffffffda RBX: 0000000000000147 RCX: 00007f52d5f45219
> RDX: 00000000000000f3 RSI: 000055d6d5b413d0 RDI: 00000000000000b2
> RBP: 00007fff8a4228e0 R08: 0000316c1272491c R09: 0000000000000000
> R10: 00000000725c3dd7 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f52d645b058 R14: 00007f52d661b698 R15: 00007f52d645b000
>
> The buggy address belongs to the variable:
> kdb_rwtypes+0x1268/0x1320
>
> Memory state around the buggy address:
> ffffffff824aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff824aff80: 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa
>> ffffffff824b0000: fa fa fa fa 00 05 fa fa fa fa fa fa 02 fa fa fa
> ^
> ffffffff824b0080: fa fa fa fa 00 00 01 fa fa fa fa fa 00 00 04 fa
> ffffffff824b0100: fa fa fa fa 00 06 fa fa fa fa fa fa 00 07 fa fa
> ==================================================================
> Disabling lock debugging due to kernel taint
>
Attachment:
signature.asc
Description: OpenPGP digital signature