From: Kees Cook <keescook@chromium.org>
To: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: oliver.sang@intel.com, davem@davemloft.net, edumazet@google.com,
	gustavoars@kernel.org, kuba@kernel.org, kuni1840@gmail.com,
	leitao@debian.org, lkp@intel.com, netdev@vger.kernel.org,
	oe-lkp@lists.linux.dev, pabeni@redhat.com,
	syzkaller@googlegroups.com, willemdebruijn.kernel@gmail.com
Subject: Re: [PATCH v3 net 1/2] af_unix: Fix fortify_panic() in unix_bind_bsd().
Date: Wed, 26 Jul 2023 15:02:33 -0700
Message-ID: <202307261501.C836EED808@keescook>
In-Reply-To: <20230726161933.26778-1-kuniyu@amazon.com>

On Wed, Jul 26, 2023 at 09:19:33AM -0700, Kuniyuki Iwashima wrote:
> From: kernel test robot <oliver.sang@intel.com>
> Date: Wed, 26 Jul 2023 21:52:45 +0800
> > Hello,
> > 
> > kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in_strlen" on:
> > 
> > commit: 33652e138afbe3f7c814567c4ffdf57492664220 ("[PATCH v3 net 1/2] af_unix: Fix fortify_panic() in unix_bind_bsd().")
> > url: https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/af_unix-Fix-fortify_panic-in-unix_bind_bsd/20230725-053836
> > base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 22117b3ae6e37d07225653d9ae5ae86b3a54f99c
> > patch link: https://lore.kernel.org/all/20230724213425.22920-2-kuniyu@amazon.com/
> > patch subject: [PATCH v3 net 1/2] af_unix: Fix fortify_panic() in unix_bind_bsd().
> > 
> > in testcase: boot
> > 
> > compiler: gcc-12
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> > 
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> > 
> > 
> > [   33.452659][   T68] ==================================================================
> > [   33.453726][   T68] BUG: KASAN: slab-out-of-bounds in strlen+0x35/0x4f
> > [   33.454515][   T68] Read of size 1 at addr ffff88812ff65577 by task udevd/68
> > [   33.455352][   T68]
> > [   33.455644][   T68] CPU: 0 PID: 68 Comm: udevd Not tainted 6.5.0-rc2-00197-g33652e138afb #1
> > [   33.456627][   T68] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > [   33.457802][   T68] Call Trace:
> > [   33.458184][   T68]  <TASK>
> > [   33.458521][   T68]  print_address_description+0x4d/0x2dd
> > [   33.459259][   T68]  print_report+0x139/0x241
> > [   33.459783][   T68]  ? __phys_addr+0x91/0xa3
> > [   33.460290][   T68]  ? virt_to_folio+0x5/0x27
> > [   33.460800][   T68]  ? strlen+0x35/0x4f
> > [   33.461241][   T68]  kasan_report+0xaf/0xda
> > [   33.461756][   T68]  ? strlen+0x35/0x4f
> > [   33.462218][   T68]  strlen+0x35/0x4f
> > [   33.462657][   T68]  getname_kernel+0xe/0x234
> 
> Ok, we still need to terminate the string with unix_mkname_bsd(), so
> I prefer using strlen() here as well to warn about this situation.
> 
> I'll post a patch soon.
> 
> ---8<---
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index bbacf4c60fe3..6056c3bad54e 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1208,7 +1208,8 @@ static int unix_bind_bsd(struct sock *sk, struct sockaddr_un *sunaddr,
>  	struct path parent;
>  	int err;
>  
> -	addr_len = strnlen(sunaddr->sun_path, sizeof(sunaddr->sun_path))
> +	unix_mkname_bsd(sunaddr->sun_path, addr_len);
> +	addr_len = strlen(((struct sockaddr_storage *)sunaddr)->__data)
>  		+ offsetof(struct sockaddr_un, sun_path) + 1;
>  	addr = unix_create_addr(sunaddr, addr_len);
>  	if (!addr)
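Review bot: the new `strlen(((struct sockaddr_storage *)sunaddr)->__data)` line drops the bound that the removed `strnlen(sunaddr->sun_path, sizeof(sunaddr->sun_path))` carried, so the length read is no longer limited to the `sun_path` array and relies entirely on the terminator that the reinstated `unix_mkname_bsd()` call writes; the KASAN slab-out-of-bounds in `strlen()` quoted at the top of this thread is what an unterminated path costs, and it was hit because that call had been removed. Since `unix_mkname_bsd()` is called first here, keep the original `strnlen()` line unchanged and drop the cast through `struct sockaddr_storage` (no behaviour is lost: a terminated path gives the same length either way, and an unterminated one stays bounded). Also check the first argument of `unix_mkname_bsd()`: this hunk passes `sunaddr->sun_path`, while `unix_create_addr()` two lines later is given `sunaddr`, so confirm the pointer matches the function's parameter type.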
> ---8<---

Oh! I missed that you removed the unix_mkname_bsd() in the patch:
https://lore.kernel.org/all/20230724213425.22920-2-kuniyu@amazon.com/

If you just add that back in, you should be fine. (There is no need for
the casting here, strnlen() will still do the right thing from what I
can see.)

-Kees

-- 
Kees Cook
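A user-space model of the length computation discussed above, added here as an example and not code from the thread or from net/unix/af_unix.c: it builds an AF_UNIX address whose sun_path is completely filled with no NUL, shows that the bounded strnlen() formula from the removed line stays inside the array, and combines it with a hypothetical stand-in for unix_mkname_bsd() (named mkname_bsd here, writing the terminator at the caller's addr_len) to mirror terminate-then-measure. It assumes the address lives in a struct sockaddr_storage so there is room for a terminator past sun_path.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical stand-in for the kernel's unix_mkname_bsd(): write the NUL at
 * byte addr_len of the address buffer. Assumes addr_len < sizeof(*ss), which
 * is why the buffer is a sockaddr_storage and not a bare sockaddr_un. */
static void mkname_bsd(struct sockaddr_storage *ss, size_t addr_len)
{
	((char *)ss)[addr_len] = '\0';
}

/* Does sun_path hold a terminator within its own bounds? Without one, an
 * unbounded strlen(sun_path) walks off the array (the KASAN report above). */
int path_has_nul(const struct sockaddr_un *sun)
{
	return memchr(sun->sun_path, '\0', sizeof(sun->sun_path)) != NULL;
}

/* The removed line of the hunk: length bounded by sizeof(sun_path), so an
 * unterminated path still yields at most sizeof(struct sockaddr_un) + 1. */
size_t bsd_addr_len_bounded(const struct sockaddr_un *sun)
{
	return strnlen(sun->sun_path, sizeof(sun->sun_path))
	       + offsetof(struct sockaddr_un, sun_path) + 1;
}

/* Terminate at the caller-supplied addr_len first (as the hunk reinstates),
 * then measure with the bounded strnlen(), the combination Kees suggests. */
size_t bsd_addr_len_terminated(struct sockaddr_storage *ss, size_t addr_len)
{
	mkname_bsd(ss, addr_len);
	return bsd_addr_len_bounded((const struct sockaddr_un *)ss);
}

/* Constructed input: AF_UNIX address whose sun_path is completely filled with
 * 'p' and carries no NUL; bytes past sun_path are 'x' sentinels. */
void fill_unterminated(struct sockaddr_storage *ss)
{
	struct sockaddr_un *sun = (struct sockaddr_un *)ss;

	memset(ss, 'x', sizeof(*ss));
	sun->sun_family = AF_UNIX;
	memset(sun->sun_path, 'p', sizeof(sun->sun_path));
}
```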
