Re: tun oops dereferencing garbage nsproxy-> address.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dave Jones <davej@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org, Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: tun oops dereferencing garbage nsproxy-> address.
Date: Tue, 13 Mar 2012 16:23:38 -0400	[thread overview]
Message-ID: <20120313202338.GA23737@redhat.com> (raw)
In-Reply-To: <m1wr6oclep.fsf@fess.ebiederm.org>

On Tue, Mar 13, 2012 at 01:10:06PM -0700, Eric W. Biederman wrote:

 > >  > > My guess is the fuzzer called some syscall that set current->nsproxy
 > >  > > to garbage (0x0000000100000001), which later got dereferenced when it
 > >  > > subsequently randomly did an open() on tun.
 > >  > 
 > >  > It smells like a memory stomp.  current->nsproxy is always supposed to
 > >  > have a valid value, and it never would have an odd value.  The value
 > >  > should always be at least 8 byte aligned.
 > >  > 
 > >  > Since the value is impossible this doesn't feel like a path where the
 > >  > error handling is wrong.
 > >
 > > 0x0000000100000001 looks like one of strange values my fuzzer passes syscalls
 > > when they ask for an address.
 > >
 > > So something managed to get that set as nsproxy.  The fuzzer avoids calling
 > > clone(), so are there other syscalls that might set this ?
 > 
 > setns and unshare might touch the nsproxy for the same reasons as clone,
 > but the rules are very similar to clone.

Hmm, the only way that seems possible to set nsproxy is if the process was run
with CAP_SYS_ADMIN, which it wasn't.

Maybe your theory holds water, and something else wrote that value to the
current thread at a random offset. Fun.

	Dave

next prev parent reply	other threads:[~2012-03-13 20:23 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-03-13  3:42 tun oops dereferencing garbage nsproxy-> address Dave Jones
2012-03-13  3:42 ` Dave Jones
2012-03-13 18:19 ` Eric W. Biederman
2012-03-13 18:19   ` Eric W. Biederman
2012-03-13 18:26   ` Dave Jones
2012-03-13 20:10     ` Eric W. Biederman
2012-03-13 20:23       ` Dave Jones [this message]
2012-03-18 20:02 ` Maciej Rutecki
2012-03-22  3:58   ` Eric W. Biederman
2012-03-22 19:29     ` Maciej Rutecki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120313202338.GA23737@redhat.com \
    --to=davej@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.