Message ID | 20240119153906.4367-1-n.zhandarovich@fintech.ru |
---|---|
State | New |
Headers | From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>; To: Chuck Lever <chuck.lever@oracle.com>; CC: Nikita Zhandarovich <n.zhandarovich@fintech.ru>, Jeff Layton <jlayton@kernel.org>, Amir Goldstein <amir73il@gmail.com>, Alexander Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com; Subject: [PATCH] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak; Date: Fri, 19 Jan 2024 07:39:06 -0800; Message-ID: <20240119153906.4367-1-n.zhandarovich@fintech.ru>; X-Mailer: git-send-email 2.25.1 |
Series | do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak |
Commit Message
Nikita Zhandarovich
Jan. 19, 2024, 3:39 p.m. UTC
syzbot identified a kernel information leak vulnerability in
do_sys_name_to_handle() and issued the following report [1].

[1]
"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_copy_to_user+0xbc/0x100 lib/usercopy.c:40
copy_to_user include/linux/uaccess.h:191 [inline]
do_sys_name_to_handle fs/fhandle.c:73 [inline]
__do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
__se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
__x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
...

Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0x121/0x3c0 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
do_sys_name_to_handle fs/fhandle.c:39 [inline]
__do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
__se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
__x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
...

Bytes 18-19 of 20 are uninitialized
Memory access of size 20 starts at ffff888128a46380
Data copied to user address 0000000020000240"

Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
solve the problem.

Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
Suggested-by: Chuck Lever III <chuck.lever@oracle.com>
Reported-and-tested-by: syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
Link to Chuck's suggestion:
https://lore.kernel.org/all/B4A8D625-6997-49C8-B105-B2DCFE8C6DDA@oracle.com/
fs/fhandle.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
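To make the mechanism behind the KMSAN report concrete, here is an added user-space model; it is not the kernel's code and not part of this patch. It mimics the allocation in do_sys_name_to_handle() with a hypothetical filesystem encoder that reports a 12-byte handle but writes only 10 bytes of it, then counts how many stale allocator bytes reach the caller under a kmalloc()-style versus a kzalloc()-style allocation. The struct file_handle layout, the toy encoder and its sample values, and the 0xAA sentinel standing in for leftover heap contents are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout modelled on the kernel's struct file_handle (assumed for this
 * example, not quoted from the patch): an 8-byte header followed by the
 * opaque, filesystem-defined handle bytes. */
struct file_handle {
    uint32_t handle_bytes;     /* how much of f_handle[] the encoder used */
    int32_t  handle_type;      /* filesystem-specific type tag */
    unsigned char f_handle[];
};

#define MAX_HANDLE_SZ 128      /* same bound the kernel checks before allocating */
#define STALE_BYTE 0xAA        /* constructed stand-in for leftover heap contents */

/* kmalloc() stand-in: fresh heap memory whose old contents we do not control.
 * Filling it with STALE_BYTE makes the "uninitialised" bytes countable. */
static void *fake_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, STALE_BYTE, n);
    return p;
}

/* kzalloc() stand-in: the same allocation, zeroed. */
static void *fake_kzalloc(size_t n)
{
    return calloc(1, n);
}

/* Hypothetical filesystem identifier: u32 inode, u32 parent inode, u16
 * generation = 10 bytes of payload, reported as 3 dwords (12 bytes) because
 * handle sizes are counted in 32-bit words. The two trailing bytes are never
 * written by the encoder. */
#define TOY_FID_DWORDS 3

static int toy_encode_fh(unsigned char *fid, int *max_dwords)
{
    uint32_t ino = 0x1234, parent = 0x0002;   /* constructed sample values */
    uint16_t gen = 0x0007;

    if (*max_dwords < TOY_FID_DWORDS)
        return -1;                            /* constructed "buffer too small" result */
    memcpy(fid, &ino, sizeof ino);
    memcpy(fid + 4, &parent, sizeof parent);
    memcpy(fid + 8, &gen, sizeof gen);        /* handle bytes 10 and 11 stay untouched */
    *max_dwords = TOY_FID_DWORDS;
    return 1;                                 /* constructed handle-type tag */
}

/*
 * Model of do_sys_name_to_handle(): allocate header + requested bytes, let
 * the encoder fill the handle, then copy header + reported handle length back
 * to the caller (the kernel's copy_to_user()). Returns how many of the
 * copied-out bytes still hold the allocator's stale contents, i.e. the size
 * of the information leak, or -1 when the request is rejected.
 */
static int name_to_handle_leak(uint32_t requested_bytes, int zeroed)
{
    if (requested_bytes > MAX_HANDLE_SZ)
        return -1;                            /* kernel: -EINVAL */

    size_t total = sizeof(struct file_handle) + requested_bytes;
    struct file_handle *h = zeroed ? fake_kzalloc(total) : fake_kmalloc(total);
    if (!h)
        return -1;                            /* kernel: -ENOMEM */

    int dwords = (int)(requested_bytes >> 2);
    h->handle_type = toy_encode_fh(h->f_handle, &dwords);
    h->handle_bytes = (uint32_t)dwords * 4;
    if (h->handle_type < 0) {
        free(h);
        return -1;                            /* kernel: overflow path, not modelled */
    }

    /* "copy_to_user": header plus exactly the handle length the encoder reported. */
    size_t copied = sizeof(struct file_handle) + h->handle_bytes;
    unsigned char user_copy[sizeof(struct file_handle) + MAX_HANDLE_SZ];
    memcpy(user_copy, h, copied);
    free(h);

    int stale = 0;
    for (size_t i = 0; i < copied; i++)
        if (user_copy[i] == STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("kmalloc-style allocation: %d stale byte(s) reach the caller\n",
           name_to_handle_leak(12, 0));
    printf("kzalloc-style allocation: %d stale byte(s) reach the caller\n",
           name_to_handle_leak(12, 1));
    return 0;
}
```

With a 12-byte request the unzeroed variant exports two stale bytes at offsets 18 and 19 of a 20-byte copy, the same shape as the report above, while the zeroed variant exports none. Zeroing at the allocation site is independent of which filesystem encoder runs, which is why a one-line change in the common path closes the whole class.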
Comments
On Fri 19-01-24 07:39:06, Nikita Zhandarovich wrote:
> syzbot identified a kernel information leak vulnerability in
> do_sys_name_to_handle() and issued the following report [1].
>
> [1]
> "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
> instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> _copy_to_user+0xbc/0x100 lib/usercopy.c:40
> copy_to_user include/linux/uaccess.h:191 [inline]
> do_sys_name_to_handle fs/fhandle.c:73 [inline]
> __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
> __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
> __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
> ...
>
> Uninit was created at:
> slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
> slab_alloc_node mm/slub.c:3478 [inline]
> __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
> __do_kmalloc_node mm/slab_common.c:1006 [inline]
> __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
> kmalloc include/linux/slab.h:604 [inline]
> do_sys_name_to_handle fs/fhandle.c:39 [inline]
> __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
> __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
> __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
> ...
>
> Bytes 18-19 of 20 are uninitialized
> Memory access of size 20 starts at ffff888128a46380
> Data copied to user address 0000000020000240"
>
> Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
> solve the problem.
>
> Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
> Suggested-by: Chuck Lever III <chuck.lever@oracle.com>
> Reported-and-tested-by: syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>

Makes sense. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

Honza

> ---
> Link to Chuck's suggestion:
> https://lore.kernel.org/all/B4A8D625-6997-49C8-B105-B2DCFE8C6DDA@oracle.com/
>
> fs/fhandle.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/fhandle.c b/fs/fhandle.c > index 18b3ba8dc8ea..57a12614addf 100644 > --- a/fs/fhandle.c > +++ b/fs/fhandle.c > @@ -36,7 +36,7 @@ static long do_sys_name_to_handle(const struct path *path, > if (f_handle.handle_bytes > MAX_HANDLE_SZ) > return -EINVAL; > > - handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, > + handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, > GFP_KERNEL); > if (!handle) > return -ENOMEM; > -- > 2.25.1 >
On Fri, 19 Jan 2024 07:39:06 -0800, Nikita Zhandarovich wrote:
> syzbot identified a kernel information leak vulnerability in
> do_sys_name_to_handle() and issued the following report [1].
>
> [1]
> "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
> instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> _copy_to_user+0xbc/0x100 lib/usercopy.c:40
> copy_to_user include/linux/uaccess.h:191 [inline]
> do_sys_name_to_handle fs/fhandle.c:73 [inline]
> __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
> __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
> __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
> ...
>
> [...]

Applied to the vfs.misc branch of the vfs/vfs.git tree.
Patches in the vfs.misc branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.misc

[1/1] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
      https://git.kernel.org/vfs/vfs/c/1b380b340f19
diff --git a/fs/fhandle.c b/fs/fhandle.c index 18b3ba8dc8ea..57a12614addf 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -36,7 +36,7 @@ static long do_sys_name_to_handle(const struct path *path, if (f_handle.handle_bytes > MAX_HANDLE_SZ) return -EINVAL; - handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, + handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, GFP_KERNEL); if (!handle) return -ENOMEM;
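Review bot: switching this allocation to kzalloc() is the right shape of fix because zeroing at allocation covers every byte of the buffer regardless of how much of it the filesystem-specific encoder later writes, which is exactly what the KMSAN trace in the commit message describes: the kmalloc() at fs/fhandle.c:39 feeds the copy_to_user() at fs/fhandle.c:73 and the last two of the 20 copied bytes were never written. Fixing it in this common path closes the leak for every filesystem at once instead of chasing individual encoders, and the cost is negligible because the size is already bounded by the MAX_HANDLE_SZ check immediately above the changed line. One small request for the commit message: say in a sentence that the leaked bytes are the unwritten tail of the handle area, so readers do not have to reconstruct that from the trace.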