Re: Out-of-bounds access in nfnetlink_bind

2014-12-02 Thread Andrey Ryabinin
2014-12-02 10:53 GMT+03:00 Dmitry Vyukov :
> Hi,
>
> I am working on Kernel AddressSanitizer, a fast memory error detector
> for kernel:
> https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
>
> Here is an error report that I got while running trinity:
>
> ==
> BUG: AddressSanitizer: out of bounds access in
> nfnetlink_bind+0xbf/0xe0 at addr 82eef710
> Read of size 4 by task trinity-main/2533
> Out-of-bounds access to the global variable 'nfnl_group2type'
> [82eef6e0-82eef704) defined at
> net/netfilter/nfnetlink.c:43:18
> CPU: 0 PID: 2533 Comm: trinity-main Not tainted 3.18.0-rc1+ #44
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  835173e8 8800b989fd18 82a3d66f 0007
>  8800b989fdc0 8800b989fda8 813a3826 0012
>   00010018 0296 8800b989fd88
> Call Trace:
>  [813a39c1] __asan_report_load4_noabort+0x41/0x50
> mm/kasan/report.c:236
>  [824769cf] nfnetlink_bind+0xbf/0xe0 net/netfilter/nfnetlink.c:467
>  [82469b71] netlink_bind+0x221/0x7e0 net/netlink/af_netlink.c:1472
>  [8238bf77] SYSC_bind+0x117/0x170 net/socket.c:1541
>  [8238dc29] SyS_bind+0x9/0x10 net/socket.c:1527
>  [82a522a9] system_call_fastpath+0x12/0x17
> arch/x86/kernel/entry_64.S:422
> Memory state around the buggy address:
>  82eef480: 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f8 f8
>  82eef500: f8 f8 f8 f8 00 00 00 00 f8 f8 f8 f8 00 00 00 01
>  82eef580: f8 f8 f8 f8 00 00 00 00 05 f8 f8 f8 f8 f8 f8 f8
>  82eef600: 00 00 04 f8 f8 f8 f8 f8 00 00 f8 f8 f8 f8 f8 f8
>  82eef680: 00 00 00 00 07 f8 f8 f8 f8 f8 f8 f8 00 00 00 00
>>82eef700: 04 f8 f8 f8 f8 f8 f8 f8 00 06 f8 f8 f8 f8 f8 f8
>  ^
>  82eef780: 00 00 00 05 f8 f8 f8 f8 00 00 00 00 00 f8 f8 f8
>  82eef800: f8 f8 f8 f8 00 00 00 00 02 f8 f8 f8 f8 f8 f8 f8
>  82eef880: 00 00 00 00 06 f8 f8 f8 f8 f8 f8 f8 00 00 00 04
>  82eef900: f8 f8 f8 f8 00 00 00 00 00 04 f8 f8 f8 f8 f8 f8
>  82eef980: 00 00 00 07 f8 f8 f8 f8 00 00 00 06 f8 f8 f8 f8
> ==
>
> My source is on revision f114040e3ea6e07372334ade75d1ee0
>
> As far as I see, netlink_bind just calls nfnetlink_bind with whatever
> groups the user has requested; nfnetlink_bind in turn does not do any checks
> before indexing the global nfnl_group2type array with the group.

I reported this a few weeks ago: https://lkml.org/lkml/2014/11/13/65
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Out-of-bounds access in nfnetlink_bind

2014-12-01 Thread Dmitry Vyukov
Hi,

I am working on Kernel AddressSanitizer, a fast memory error detector
for kernel:
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

Here is an error report that I got while running trinity:

==
BUG: AddressSanitizer: out of bounds access in
nfnetlink_bind+0xbf/0xe0 at addr 82eef710
Read of size 4 by task trinity-main/2533
Out-of-bounds access to the global variable 'nfnl_group2type'
[82eef6e0-82eef704) defined at
net/netfilter/nfnetlink.c:43:18
CPU: 0 PID: 2533 Comm: trinity-main Not tainted 3.18.0-rc1+ #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 835173e8 8800b989fd18 82a3d66f 0007
 8800b989fdc0 8800b989fda8 813a3826 0012
  00010018 0296 8800b989fd88
Call Trace:
 [813a39c1] __asan_report_load4_noabort+0x41/0x50
mm/kasan/report.c:236
 [824769cf] nfnetlink_bind+0xbf/0xe0 net/netfilter/nfnetlink.c:467
 [82469b71] netlink_bind+0x221/0x7e0 net/netlink/af_netlink.c:1472
 [8238bf77] SYSC_bind+0x117/0x170 net/socket.c:1541
 [8238dc29] SyS_bind+0x9/0x10 net/socket.c:1527
 [82a522a9] system_call_fastpath+0x12/0x17
arch/x86/kernel/entry_64.S:422
Memory state around the buggy address:
 82eef480: 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f8 f8
 82eef500: f8 f8 f8 f8 00 00 00 00 f8 f8 f8 f8 00 00 00 01
 82eef580: f8 f8 f8 f8 00 00 00 00 05 f8 f8 f8 f8 f8 f8 f8
 82eef600: 00 00 04 f8 f8 f8 f8 f8 00 00 f8 f8 f8 f8 f8 f8
 82eef680: 00 00 00 00 07 f8 f8 f8 f8 f8 f8 f8 00 00 00 00
>82eef700: 04 f8 f8 f8 f8 f8 f8 f8 00 06 f8 f8 f8 f8 f8 f8
 ^
 82eef780: 00 00 00 05 f8 f8 f8 f8 00 00 00 00 00 f8 f8 f8
 82eef800: f8 f8 f8 f8 00 00 00 00 02 f8 f8 f8 f8 f8 f8 f8
 82eef880: 00 00 00 00 06 f8 f8 f8 f8 f8 f8 f8 00 00 00 04
 82eef900: f8 f8 f8 f8 00 00 00 00 00 04 f8 f8 f8 f8 f8 f8
 82eef980: 00 00 00 07 f8 f8 f8 f8 00 00 00 06 f8 f8 f8 f8
==

My source is on revision f114040e3ea6e07372334ade75d1ee0

As far as I see, netlink_bind just calls nfnetlink_bind with whatever
groups the user has requested; nfnetlink_bind in turn does not do any checks
before indexing the global nfnl_group2type array with the group.
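The arithmetic behind the report above, and the shape of the missing check, as an added example in C. This is not code from the thread and not the kernel's nfnetlink code: only the object range, faulting address and access size are taken from the report; the table contents, the `group2type` name and the `GRP_MAX` bound are constructed stand-ins sized to match what the report implies (36 bytes of 4-byte entries, i.e. 9 elements, with the access landing at element 12).

```c
#include <stdint.h>
#include <stdio.h>

/* Part 1: turning the report's numbers into an element index.
 * KASAN prints the object's range [base, end), the faulting address and the
 * access size. The archived report shows only the low 32 bits of each kernel
 * address; the differences computed here are unaffected by that. */
struct oob_report {
    uint64_t base;      /* first byte of the global object */
    uint64_t end;       /* one past its last byte */
    uint64_t addr;      /* address of the bad access */
    unsigned int size;  /* access size in bytes */
};

/* Values copied from the report in the thread. */
static const struct oob_report nfnl_report = {
    .base = 0x82eef6e0, .end = 0x82eef704, .addr = 0x82eef710, .size = 4,
};

/* Element count of the object, taking the access size as the element size. */
static uint64_t report_nelems(const struct oob_report *r)
{
    return (r->end - r->base) / r->size;
}

/* Element index that the bad access corresponds to. */
static uint64_t report_index(const struct oob_report *r)
{
    return (r->addr - r->base) / r->size;
}

/* Bytes past the end of the object that the access landed at. */
static uint64_t report_overrun(const struct oob_report *r)
{
    return r->addr >= r->end ? r->addr - r->end : 0;
}

/* Part 2: the lookup pattern, unchecked and checked.
 * A constructed group-to-type table with the 9 entries the report implies.
 * The contents are arbitrary; this is NOT the kernel's nfnl_group2type. */
enum { GRP_NONE = 0, GRP_MAX = 8 };
static const int group2type[GRP_MAX + 1] = { -1, 0, 0, 0, 1, 1, 2, 2, 3 };

/* The shape of the bug: the index arrives from userspace and is used as-is.
 * Only safe to call with group <= GRP_MAX; a group of 12 would read 12 bytes
 * past the end of the table, which is exactly what the report shows. */
static int group_to_type_unchecked(unsigned int group)
{
    return group2type[group];
}

/* Hardened form: validate before indexing and reject anything outside
 * [1, GRP_MAX]. Returns -1 for an invalid group. */
static int group_to_type_checked(unsigned int group)
{
    if (group <= GRP_NONE || group > GRP_MAX)
        return -1;
    return group2type[group];
}

int main(void)
{
    printf("object: %llu elements; access: index %llu, %llu bytes past end\n",
           (unsigned long long)report_nelems(&nfnl_report),
           (unsigned long long)report_index(&nfnl_report),
           (unsigned long long)report_overrun(&nfnl_report));
    printf("unchecked lookup of in-range group 3: type %d\n",
           group_to_type_unchecked(3));
    printf("checked lookup of group 12: %d (rejected)\n",
           group_to_type_checked(12));
    return 0;
}
```

The first part is the check worth doing on any KASAN global-variable report: (end - base) / size gives the table length and (addr - base) / size the index that was used, so the report alone tells you the caller passed index 12 into a 9-entry table. The second part shows why a range check against the table's upper bound has to sit before the index is used, not after.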

