Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On Mon, Oct 31, 2016 at 10:32:13PM +0100, Jann Horn wrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): [...] > Cc: sta...@vger.kernel.org > Signed-off-by: Jann HornAcked-by: Johannes Weiner
Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On Mon, Oct 31, 2016 at 10:32:13PM +0100, Jann Horn wrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): [...] > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn Acked-by: Johannes Weiner
Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On 10/31/2016 10:32 PM, Jann Horn wrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): > = > #include > #include > #include > #include > #include > #include > #include > > #define PAGE_SIZE 4096 > #define __u32 unsigned int > > > // from include/linux/swap.h > union swap_header { > struct { > char reserved[PAGE_SIZE - 10]; > char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ > } magic; > struct { > charbootbits[1024]; /* Space for disklabel etc. */ > __u32 version; > __u32 last_page; > __u32 nr_badpages; > unsigned char sws_uuid[16]; > unsigned char sws_volume[16]; > __u32 padding[117]; > __u32 badpages[1]; > } info; > }; > > int main(void) { > char file[] = "/tmp/swapfile.XX"; > int file_fd = mkstemp(file); > if (file_fd == -1) > err(1, "mkstemp"); > if (ftruncate(file_fd, PAGE_SIZE)) > err(1, "ftruncate"); > union swap_header swap_header = { > .info = { > .version = __builtin_bswap32(1), > .nr_badpages = __builtin_bswap32(INT_MAX) > } > }; > memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); > if (write(file_fd, _header, sizeof(swap_header)) != > sizeof(swap_header)) > err(1, "write"); > > // not because the attack needs it, just in case you forgot to > // sync yourself before crashing your machine > sync(); > > // now die > if (swapon(file, 0)) > err(1, "swapon"); > puts("huh, we survived"); > if (swapoff(file)) > err(1, "swapoff"); > unlink(file); > } > = > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn> --- > mm/swapfile.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/mm/swapfile.c b/mm/swapfile.c > index 2210de290b54..f30438970cd1 100644 > --- a/mm/swapfile.c > +++ b/mm/swapfile.c > @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct > swap_info_struct *p, > swab32s(_header->info.version); > swab32s(_header->info.last_page); > swab32s(_header->info.nr_badpages); > + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) > + return 0; > for (i = 0; i < swap_header->info.nr_badpages; i++) > swab32s(_header->info.badpages[i]); > } > Nice catch! Acked-by: Jerome Marchand signature.asc Description: OpenPGP digital signature
Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On 10/31/2016 10:32 PM, Jann Horn wrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): > = > #include > #include > #include > #include > #include > #include > #include > > #define PAGE_SIZE 4096 > #define __u32 unsigned int > > > // from include/linux/swap.h > union swap_header { > struct { > char reserved[PAGE_SIZE - 10]; > char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ > } magic; > struct { > charbootbits[1024]; /* Space for disklabel etc. */ > __u32 version; > __u32 last_page; > __u32 nr_badpages; > unsigned char sws_uuid[16]; > unsigned char sws_volume[16]; > __u32 padding[117]; > __u32 badpages[1]; > } info; > }; > > int main(void) { > char file[] = "/tmp/swapfile.XX"; > int file_fd = mkstemp(file); > if (file_fd == -1) > err(1, "mkstemp"); > if (ftruncate(file_fd, PAGE_SIZE)) > err(1, "ftruncate"); > union swap_header swap_header = { > .info = { > .version = __builtin_bswap32(1), > .nr_badpages = __builtin_bswap32(INT_MAX) > } > }; > memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); > if (write(file_fd, _header, sizeof(swap_header)) != > sizeof(swap_header)) > err(1, "write"); > > // not because the attack needs it, just in case you forgot to > // sync yourself before crashing your machine > sync(); > > // now die > if (swapon(file, 0)) > err(1, "swapon"); > puts("huh, we survived"); > if (swapoff(file)) > err(1, "swapoff"); > unlink(file); > } > = > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn > --- > mm/swapfile.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/mm/swapfile.c b/mm/swapfile.c > index 2210de290b54..f30438970cd1 100644 > --- a/mm/swapfile.c > +++ b/mm/swapfile.c > @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct > swap_info_struct *p, > swab32s(_header->info.version); > swab32s(_header->info.last_page); > swab32s(_header->info.nr_badpages); > + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) > + return 0; > for (i = 0; i < swap_header->info.nr_badpages; i++) > swab32s(_header->info.badpages[i]); > } > Nice catch! Acked-by: Jerome Marchand signature.asc Description: OpenPGP digital signature
Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On Mon, Oct 31, 2016 at 2:32 PM, Jann Hornwrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): > = > #include > #include > #include > #include > #include > #include > #include > > #define PAGE_SIZE 4096 > #define __u32 unsigned int > > > // from include/linux/swap.h > union swap_header { > struct { > char reserved[PAGE_SIZE - 10]; > char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ > } magic; > struct { > charbootbits[1024]; /* Space for disklabel etc. */ > __u32 version; > __u32 last_page; > __u32 nr_badpages; > unsigned char sws_uuid[16]; > unsigned char sws_volume[16]; > __u32 padding[117]; > __u32 badpages[1]; > } info; > }; > > int main(void) { > char file[] = "/tmp/swapfile.XX"; > int file_fd = mkstemp(file); > if (file_fd == -1) > err(1, "mkstemp"); > if (ftruncate(file_fd, PAGE_SIZE)) > err(1, "ftruncate"); > union swap_header swap_header = { > .info = { > .version = __builtin_bswap32(1), > .nr_badpages = __builtin_bswap32(INT_MAX) > } > }; > memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); > if (write(file_fd, _header, sizeof(swap_header)) != > sizeof(swap_header)) > err(1, "write"); > > // not because the attack needs it, just in case you forgot to > // sync yourself before crashing your machine > sync(); > > // now die > if (swapon(file, 0)) > err(1, "swapon"); > puts("huh, we survived"); > if (swapoff(file)) > err(1, "swapoff"); > unlink(file); > } > = > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn > --- > mm/swapfile.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/mm/swapfile.c b/mm/swapfile.c > index 2210de290b54..f30438970cd1 100644 > --- a/mm/swapfile.c > +++ b/mm/swapfile.c > @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct > swap_info_struct *p, > swab32s(_header->info.version); > swab32s(_header->info.last_page); > swab32s(_header->info.nr_badpages); > + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) > + return 0; > for (i = 0; i < swap_header->info.nr_badpages; i++) > swab32s(_header->info.badpages[i]); > } > -- > 2.1.4 > Eww. Nice find. :) At least it's only init_ns CAP_SYS_ADMIN. :P Acked-by: Kees Cook -Kees -- Kees Cook Nexus Security
Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
On Mon, Oct 31, 2016 at 2:32 PM, Jann Horn wrote: > When root activates a swap partition whose header has the wrong endianness, > nr_badpages elements of badpages are swabbed before nr_badpages has been > checked, leading to a buffer overrun of up to 8GB. > > This normally is not a security issue because it can only be exploited by > root (more specifically, a process with CAP_SYS_ADMIN or the ability to > modify a swap file/partition), and such a process can already e.g. modify > swapped-out memory of any other userspace process on the system. > > Testcase for reproducing the bug (must be run as root, should crash your > kernel): > = > #include > #include > #include > #include > #include > #include > #include > > #define PAGE_SIZE 4096 > #define __u32 unsigned int > > > // from include/linux/swap.h > union swap_header { > struct { > char reserved[PAGE_SIZE - 10]; > char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ > } magic; > struct { > charbootbits[1024]; /* Space for disklabel etc. */ > __u32 version; > __u32 last_page; > __u32 nr_badpages; > unsigned char sws_uuid[16]; > unsigned char sws_volume[16]; > __u32 padding[117]; > __u32 badpages[1]; > } info; > }; > > int main(void) { > char file[] = "/tmp/swapfile.XX"; > int file_fd = mkstemp(file); > if (file_fd == -1) > err(1, "mkstemp"); > if (ftruncate(file_fd, PAGE_SIZE)) > err(1, "ftruncate"); > union swap_header swap_header = { > .info = { > .version = __builtin_bswap32(1), > .nr_badpages = __builtin_bswap32(INT_MAX) > } > }; > memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); > if (write(file_fd, _header, sizeof(swap_header)) != > sizeof(swap_header)) > err(1, "write"); > > // not because the attack needs it, just in case you forgot to > // sync yourself before crashing your machine > sync(); > > // now die > if (swapon(file, 0)) > err(1, "swapon"); > puts("huh, we survived"); > if (swapoff(file)) > err(1, "swapoff"); > unlink(file); > } > = > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn > --- > mm/swapfile.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/mm/swapfile.c b/mm/swapfile.c > index 2210de290b54..f30438970cd1 100644 > --- a/mm/swapfile.c > +++ b/mm/swapfile.c > @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct > swap_info_struct *p, > swab32s(_header->info.version); > swab32s(_header->info.last_page); > swab32s(_header->info.nr_badpages); > + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) > + return 0; > for (i = 0; i < swap_header->info.nr_badpages; i++) > swab32s(_header->info.badpages[i]); > } > -- > 2.1.4 > Eww. Nice find. :) At least it's only init_ns CAP_SYS_ADMIN. :P Acked-by: Kees Cook -Kees -- Kees Cook Nexus Security
[PATCH] swapfile: fix memory corruption via malformed swapfile
When root activates a swap partition whose header has the wrong endianness, nr_badpages elements of badpages are swabbed before nr_badpages has been checked, leading to a buffer overrun of up to 8GB. This normally is not a security issue because it can only be exploited by root (more specifically, a process with CAP_SYS_ADMIN or the ability to modify a swap file/partition), and such a process can already e.g. modify swapped-out memory of any other userspace process on the system. Testcase for reproducing the bug (must be run as root, should crash your kernel): = #include #include #include #include #include #include #include #define PAGE_SIZE 4096 #define __u32 unsigned int // from include/linux/swap.h union swap_header { struct { char reserved[PAGE_SIZE - 10]; char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ } magic; struct { charbootbits[1024]; /* Space for disklabel etc. */ __u32 version; __u32 last_page; __u32 nr_badpages; unsigned char sws_uuid[16]; unsigned char sws_volume[16]; __u32 padding[117]; __u32 badpages[1]; } info; }; int main(void) { char file[] = "/tmp/swapfile.XX"; int file_fd = mkstemp(file); if (file_fd == -1) err(1, "mkstemp"); if (ftruncate(file_fd, PAGE_SIZE)) err(1, "ftruncate"); union swap_header swap_header = { .info = { .version = __builtin_bswap32(1), .nr_badpages = __builtin_bswap32(INT_MAX) } }; memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); if (write(file_fd, _header, sizeof(swap_header)) != sizeof(swap_header)) err(1, "write"); // not because the attack needs it, just in case you forgot to // sync yourself before crashing your machine sync(); // now die if (swapon(file, 0)) err(1, "swapon"); puts("huh, we survived"); if (swapoff(file)) err(1, "swapoff"); unlink(file); } = Cc: sta...@vger.kernel.org Signed-off-by: Jann Horn--- mm/swapfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/swapfile.c b/mm/swapfile.c index 2210de290b54..f30438970cd1 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct swap_info_struct *p, swab32s(_header->info.version); swab32s(_header->info.last_page); swab32s(_header->info.nr_badpages); + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) + return 0; for (i = 0; i < swap_header->info.nr_badpages; i++) swab32s(_header->info.badpages[i]); } -- 2.1.4
[PATCH] swapfile: fix memory corruption via malformed swapfile
When root activates a swap partition whose header has the wrong endianness, nr_badpages elements of badpages are swabbed before nr_badpages has been checked, leading to a buffer overrun of up to 8GB. This normally is not a security issue because it can only be exploited by root (more specifically, a process with CAP_SYS_ADMIN or the ability to modify a swap file/partition), and such a process can already e.g. modify swapped-out memory of any other userspace process on the system. Testcase for reproducing the bug (must be run as root, should crash your kernel): = #include #include #include #include #include #include #include #define PAGE_SIZE 4096 #define __u32 unsigned int // from include/linux/swap.h union swap_header { struct { char reserved[PAGE_SIZE - 10]; char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ } magic; struct { charbootbits[1024]; /* Space for disklabel etc. */ __u32 version; __u32 last_page; __u32 nr_badpages; unsigned char sws_uuid[16]; unsigned char sws_volume[16]; __u32 padding[117]; __u32 badpages[1]; } info; }; int main(void) { char file[] = "/tmp/swapfile.XX"; int file_fd = mkstemp(file); if (file_fd == -1) err(1, "mkstemp"); if (ftruncate(file_fd, PAGE_SIZE)) err(1, "ftruncate"); union swap_header swap_header = { .info = { .version = __builtin_bswap32(1), .nr_badpages = __builtin_bswap32(INT_MAX) } }; memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); if (write(file_fd, _header, sizeof(swap_header)) != sizeof(swap_header)) err(1, "write"); // not because the attack needs it, just in case you forgot to // sync yourself before crashing your machine sync(); // now die if (swapon(file, 0)) err(1, "swapon"); puts("huh, we survived"); if (swapoff(file)) err(1, "swapoff"); unlink(file); } = Cc: sta...@vger.kernel.org Signed-off-by: Jann Horn --- mm/swapfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/swapfile.c b/mm/swapfile.c index 2210de290b54..f30438970cd1 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct swap_info_struct *p, swab32s(_header->info.version); swab32s(_header->info.last_page); swab32s(_header->info.nr_badpages); + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) + return 0; for (i = 0; i < swap_header->info.nr_badpages; i++) swab32s(_header->info.badpages[i]); } -- 2.1.4