Re: KASAN: slab-out-of-bounds Read in vsscanf

From: Casey Schaufler
Date: Fri Mar 27 2020 - 12:16:42 EST

On 3/27/2020 1:27 AM, Hillf Danton wrote:
> On Thu, 26 Mar 2020 18:20:14 -0700
>> syzbot found the following crash on:
>>
>> HEAD commit: 1b649e0b Merge git://git.kernel.org/pub/scm/linux/kernel/g..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11044405e00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
>> dashboard link: https://syzkaller.appspot.com/bug?extid=bfdd4a2f07be52351350
>> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13819303e00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eaed4be00000
>>
>> Bisection is inconclusive: the bug happens on the oldest tested release.
>>
>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=150e6ac5e00000
>> final crash: https://syzkaller.appspot.com/x/report.txt?x=170e6ac5e00000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=130e6ac5e00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+bfdd4a2f07be52351350@xxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
>> Read of size 1 at addr ffff888093622f42 by task syz-executor055/7117
>>
>> CPU: 1 PID: 7117 Comm: syz-executor055 Not tainted 5.6.0-rc7-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>> print_address_description+0x74/0x5c0 mm/kasan/report.c:374
>> __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
>> kasan_report+0x25/0x50 mm/kasan/common.c:641
>> vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
>> sscanf+0x6c/0x90 lib/vsprintf.c:3481
>> smk_set_cipso+0x1ac/0x6a0 security/smack/smackfs.c:881
>> __vfs_write+0xa7/0x710 fs/read_write.c:494
>> vfs_write+0x271/0x570 fs/read_write.c:558
>> ksys_write+0x115/0x220 fs/read_write.c:611
>> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x4401b9
>> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
>> RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
>> RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003
>> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
>> R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40
>> R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
>>
>> Allocated by task 7117:
>> save_stack mm/kasan/common.c:72 [inline]
>> set_track mm/kasan/common.c:80 [inline]
>> __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
>> __do_kmalloc mm/slab.c:3656 [inline]
>> __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671
>> memdup_user_nul+0x26/0xf0 mm/util.c:259
>> smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859
>> __vfs_write+0xa7/0x710 fs/read_write.c:494
>> vfs_write+0x271/0x570 fs/read_write.c:558
>> ksys_write+0x115/0x220 fs/read_write.c:611
>> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 1:
>> save_stack mm/kasan/common.c:72 [inline]
>> set_track mm/kasan/common.c:80 [inline]
>> kasan_set_free_info mm/kasan/common.c:337 [inline]
>> __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
>> __cache_free mm/slab.c:3426 [inline]
>> kfree+0x10a/0x220 mm/slab.c:3757
>> tomoyo_path_perm+0x59b/0x740 security/tomoyo/file.c:842
>> security_inode_getattr+0xc0/0x140 security/security.c:1254
>> vfs_getattr+0x27/0x6e0 fs/stat.c:117
>> vfs_statx fs/stat.c:201 [inline]
>> vfs_lstat include/linux/fs.h:3277 [inline]
>> __do_sys_newlstat fs/stat.c:364 [inline]
>> __se_sys_newlstat+0x85/0x140 fs/stat.c:358
>> do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> The buggy address belongs to the object at ffff888093622f40
>> which belongs to the cache kmalloc-32 of size 32
>> The buggy address is located 2 bytes inside of
>> 32-byte region [ffff888093622f40, ffff888093622f60)
>> The buggy address belongs to the page:
>> page:ffffea00024d8880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888093622fc1
>> flags: 0xfffe0000000200(slab)
>> raw: 00fffe0000000200 ffffea000271b988 ffffea00028ae488 ffff8880aa4001c0
>> raw: ffff888093622fc1 ffff888093622000 0000000100000039 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff888093622e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>> ffff888093622e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>>> ffff888093622f00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
>> ^
>> ffff888093622f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff888093623000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ==================================================================
>
> Add barrier to soob.
>
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -878,11 +878,21 @@ static ssize_t smk_set_cipso(struct file
> else
> rule += strlen(skp->smk_known) + 1;
>
> + if (rule > data + count) {
> + rc = -EOVERFLOW;
> + goto out;
> + }
> +
> ret = sscanf(rule, "%d", &maplevel);
> if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
> goto out;
>
> rule += SMK_DIGITLEN;
> + if (rule > data + count) {
> + rc = -EOVERFLOW;
> + goto out;
> + }
> +
> ret = sscanf(rule, "%d", &catlen);
> if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
> goto out;

Thank you.