NACK: [SRU][Focal][PATCH 1/1] relayfs: fix out-of-bounds access in relay_file_read
Yuxuan Luo
yuxuan.luo at canonical.com
Tue Jul 11 22:08:22 UTC 2023
v2 incoming.
On 7/11/23 10:16, Yuxuan Luo wrote:
> From: Zhang Zhengming <zhang.zhengming at h3c.com>
>
> There is a crash in relay_file_read, as the var from
> point to the end of last subbuf.
>
> The oops looks something like:
> pc : __arch_copy_to_user+0x180/0x310
> lr : relay_file_read+0x20c/0x2c8
> Call trace:
> __arch_copy_to_user+0x180/0x310
> full_proxy_read+0x68/0x98
> vfs_read+0xb0/0x1d0
> ksys_read+0x6c/0xf0
> __arm64_sys_read+0x20/0x28
> el0_svc_common.constprop.3+0x84/0x108
> do_el0_svc+0x74/0x90
> el0_svc+0x1c/0x28
> el0_sync_handler+0x88/0xb0
> el0_sync+0x148/0x180
>
> We get the condition by analyzing the vmcore:
>
> 1). The last produced byte and last consumed byte
> both at the end of the last subbuf
>
> 2). A softirq calls function(e.g __blk_add_trace)
> to write relay buffer occurs when an program is calling
> relay_file_read_avail().
>
> relay_file_read
> relay_file_read_avail
> relay_file_read_consume(buf, 0, 0);
> //interrupted by softirq who will write subbuf
> ....
> return 1;
> //read_start point to the end of the last subbuf
> read_start = relay_file_read_start_pos
> //avail is equal to subsize
> avail = relay_file_read_subbuf_avail
> //from points to an invalid memory address
> from = buf->start + read_start
> //system is crashed
> copy_to_user(buffer, from, avail)
>
> Link: https://lkml.kernel.org/r/20230419040203.37676-1-zhang.zhengming@h3c.com
> Fixes: 8d62fdebdaf9 ("relay file read: start-pos fix")
> Signed-off-by: Zhang Zhengming <zhang.zhengming at h3c.com>
> Reviewed-by: Zhao Lei <zhao_lei1 at hoperun.com>
> Reviewed-by: Zhou Kete <zhou.kete at h3c.com>
> Reviewed-by: Pengcheng Yang <yangpc at wangsu.com>
> Cc: Jens Axboe <axboe at kernel.dk>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> (backported from commit 43ec16f1450f4936025a9bdf1a273affdb9732c1)
> [yuxuan.luo: modify the read_pos = consumed * subbuf_size +
> buf->bytes_consumed; line directly.
> ]
> CVE-2023-3268
> Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
> ---
> kernel/relay.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/relay.c b/kernel/relay.c
> index 9b1cfcd8dc6b1..29ac38e42a297 100644
> --- a/kernel/relay.c
> +++ b/kernel/relay.c
> @@ -1081,7 +1081,8 @@ static size_t relay_file_read_start_pos(size_t read_pos,
> size_t consumed = buf->subbufs_consumed % n_subbufs;
>
> if (!read_pos)
> - read_pos = consumed * subbuf_size + buf->bytes_consumed;
> + read_pos = (consumed * subbuf_size + buf->bytes_consumed)
> + % (n_subbufs * subbuf_size);
> read_subbuf = read_pos / subbuf_size;
> padding = buf->padding[read_subbuf];
> padding_start = (read_subbuf + 1) * subbuf_size - padding;
More information about the kernel-team
mailing list