From: Dan Carpenter <dan.carpenter@oracle.com>
To: "程君(成淼)" <chengmiao.cj@alibaba-inc.com>
Cc: security <security@kernel.org>, throber3 <throber3@gmail.com>,
"James E.J. Bottomley" <JBottomley@odin.com>,
linux-scsi@vger.kernel.org
Subject: Re: linux kernel security issuses at ses_enclosure_data_process , ses_intf_remove_enclosure, irlmp_seq_hb_idx report
Date: Mon, 19 Oct 2015 13:15:29 +0300
Message-ID: <20151019101528.GV7289@mwanda>
In-Reply-To: <----An------QYmAn$4202951b-482d-4d92-98c2-3466de737b40@alibaba-inc.com>
Thanks Berry,
James, the first two issues are SCSI things. I'm sending patches for
them but I can't test them myself. Especially, I'm not positive that
[patch 2/2] ses: invalid free in ses_intf_remove_enclosure() is a
complete fix. Berry, would it be possible to test that one?
regards,
dan carpenter
On Mon, Oct 19, 2015 at 01:05:48PM +0800, 程君(成淼) wrote:
>
> Dear all: we found these security issues in kernel 4.2 and also checked the latest code; please check them.
> 1. ses_enclosure_data_process heap access overflow
> code:
> static void ses_enclosure_data_process(struct enclosure_device *edev,
> 				       struct scsi_device *sdev,
> 				       int create)
> {
> 	u32 result;
> 	unsigned char *buf = NULL, *type_ptr, *desc_ptr, *addl_desc_ptr = NULL;
> 	int i, j, page7_len, len, components;
> 	struct ses_device *ses_dev = edev->scratch;
> 	int types = ses_dev->page1_num_types;
> 	unsigned char *hdr_buf = kzalloc(INIT_ALLOC_SIZE, GFP_KERNEL);
>
> 	if (!hdr_buf)
> 		goto simple_populate;
>
> 	/* re-read page 10 */
> 	if (ses_dev->page10)
> 		ses_recv_diag(sdev, 10, ses_dev->page10, ses_dev->page10_len);
> 	/* Page 7 for the descriptors is optional */
> 	result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
> 	if (result)
> 		goto simple_populate;
>
> 	page7_len = len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
> 	/* add 1 for trailing '\0' we'll use */
> 	buf = kzalloc(len + 1, GFP_KERNEL);
> 	if (!buf)
> 		goto simple_populate;
> 	result = ses_recv_diag(sdev, 7, buf, len);
> 	if (result) {
>  simple_populate:
> 		kfree(buf);
> 		buf = NULL;
> 		desc_ptr = NULL;
> 		len = 0;
> 		page7_len = 0;
> 	} else {
> 		desc_ptr = buf + 8; // if buf len == 4, heap access overflow
> 		len = (desc_ptr[2] << 8) + desc_ptr[3];
> 		/* skip past overall descriptor */
> 		desc_ptr += len + 4;
> 	}
> crash info:
>
> ==================================================================
> BUG: KASan: use after free in ses_enclosure_data_process+0xe3a/0xe60 [ses] at addr ffff8800ab03897b
> Read of size 1 by task systemd-udevd/2580
> =============================================================================
> BUG kmalloc-8 (Tainted: G B ): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> INFO: Slab 0xffffea0002ac0e00 objects=512 used=488 fp=0xffff8800ab038f80 flags=0x1ffff0000000080
> INFO: Object 0xffff8800ab038978 @offset=2424 fp=0xffff8800ab038990
>
> Bytes b4 ffff8800ab038968: 69 64 00 ab 00 88 ff ff 08 00 00 00 00 00 00 00 id..............
> Object ffff8800ab038978: 90 89 03 ab 00 88 ff ff ........
> CPU: 0 PID: 2580 Comm: systemd-udevd Tainted: G B 4.2.3 #2
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
> ffff8800ab038000 ffff88009bcaf678 ffffffff8280e5b9 0000000000000008
> ffff880118c07e00 ffff88009bcaf6a8 ffffffff8151a739 ffff880118c07e00
> ffffea0002ac0e00 ffff8800ab038978 0000000000000000 ffff88009bcaf6d8
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff8280e5b9>] dump_stack+0x45/0x57 lib/dump_stack.c:50
> [<ffffffff8151a739>] print_trailer+0xf9/0x150 mm/slub.c:650
> [<ffffffff8151f8e8>] object_err+0x38/0x50 mm/slub.c:657
> [< inline >] print_address_description mm/kasan/report.c:120
> [<ffffffff81522288>] kasan_report_error+0x1e8/0x3f0 mm/kasan/report.c:193
> [< inline >] kasan_report mm/kasan/report.c:230
> [<ffffffff815224d3>] __asan_report_load1_noabort+0x43/0x50 mm/kasan/report.c:248
> [<ffffffff81ee8be0>] ? device_private_init+0x190/0x190 drivers/base/core.c:947
> [<ffffffffc0ec33ca>] ? ses_enclosure_data_process+0xe3a/0xe60 [ses] drivers/scsi/ses.c:493
> [<ffffffffc0ec33ca>] ses_enclosure_data_process+0xe3a/0xe60 [ses] drivers/scsi/ses.c:493
> [<ffffffff8281ab34>] ? mutex_lock+0x14/0x60 kernel/locking/mutex.c:97
> [<ffffffffc0ec41ee>] ses_intf_add+0x9ae/0xded [ses] drivers/scsi/ses.c:712
> [<ffffffff81b04100>] ? bust_spinlocks+0xa0/0xa0 ??:?
> [<ffffffff81ef50fe>] class_interface_register+0x21e/0x370 drivers/base/class.c:458
> [<ffffffff81ef4ee0>] ? class_dev_iter_exit+0x10/0x10 drivers/base/class.c:344
> [<ffffffff81b041f0>] ? kvasprintf+0xf0/0xf0 lib/kasprintf.c:31
> [<ffffffffc0ea8000>] ? 0xffffffffc0ea8000
> [<ffffffff81ffcf5c>] scsi_register_interface+0x3c/0x50 drivers/scsi/scsi_sysfs.c:1191
> [<ffffffffc0ea8013>] ses_init+0x13/0x1000 [ses]
> [<ffffffff810021b1>] do_one_initcall+0x141/0x2f0 init/main.c:794
> [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40 init/main.c:924
> [< inline >] ? kasan_poison_shadow mm/kasan/kasan.c:49
> [<ffffffff81521976>] ? kasan_unpoison_shadow+0x36/0x50 mm/kasan/kasan.c:54
> [< inline >] ? kasan_poison_shadow mm/kasan/kasan.c:49
> [<ffffffff81521976>] ? kasan_unpoison_shadow+0x36/0x50 mm/kasan/kasan.c:54
> [< inline >] ? kasan_poison_shadow mm/kasan/kasan.c:49
> [<ffffffff81521976>] ? kasan_unpoison_shadow+0x36/0x50 mm/kasan/kasan.c:54
> [< inline >] ? register_global mm/kasan/kasan.c:49
> [<ffffffff81521a87>] ? __asan_register_globals+0x87/0xa0 mm/kasan/kasan.c:462
> [<ffffffff8280bf94>] do_init_module+0x1d0/0x5a8 kernel/module.c:3231
> [<ffffffff812c84f8>] load_module+0x6c48/0x9570 kernel/module.c:3535
> [<ffffffff812bce00>] ? __symbol_put+0x90/0x90 kernel/module.c:1051
> [<ffffffff812c18b0>] ? module_frob_arch_sections+0x20/0x20 kernel/module.c:3141
> [<ffffffff81575990>] ? open_exec+0x50/0x50 fs/exec.c:808
> [<ffffffff812bd505>] ? copy_module_from_fd.isra.49+0x1b5/0x2c0 kernel/module.c:2721
> [< inline >] SYSC_finit_module kernel/module.c:3618
> [<ffffffff812cb0f8>] SyS_finit_module+0x108/0x130 kernel/module.c:3599
> [<ffffffff812caff0>] ? SyS_init_module+0x1d0/0x1d0 kernel/module.c:3579
> [< inline >] ? trace_sys_exit include/trace/events/syscalls.h:42
> [<ffffffff8105b4f6>] ? syscall_trace_leave+0x246/0x2d0 arch/x86/kernel/ptrace.c:1620
> [<ffffffff8281f59d>] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:265
> Memory state around the buggy address:
> ffff8800ab038800: fb fb fb fb fb fb fb 00 00 fb fb 00 fb fb fb fb
> ffff8800ab038880: fb fb fb 02 02 02 02 fb 02 02 02 02 fb 00 fb 00
> >ffff8800ab038900: 00 fb 00 fb fb 00 fb 00 00 00 00 00 00 00 05 fb
> ^
> ffff8800ab038980: fb fb fb fb fb fb fb fb fb 00 fb 00 00 fb 00 fb
> ffff8800ab038a00: fb fb 00 00 00 00 fb fb fb fb fb fb fb fb fb fb
>
> The same issue may exist in ses_intf_add:
>
> 	result = ses_recv_diag(sdev, 1, hdr_buf, INIT_ALLOC_SIZE);
> 	if (result)
> 		goto recv_failed;
>
> 	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
> 	buf = kzalloc(len, GFP_KERNEL);
> 	if (!buf)
> 		goto err_free;
>
> 	result = ses_recv_diag(sdev, 1, buf, len);
> 	if (result)
> 		goto recv_failed;
>
> 	types = 0;
>
> 	/* we always have one main enclosure and the rest are referred
> 	 * to as secondary subenclosures */
> 	num_enclosures = buf[1] + 1;
>
> 	/* begin at the enclosure descriptor */
> 	type_ptr = buf + 8; // if len == 4, heap access overflow
>
> 2. out of bounds access in ses_intf_remove_enclosure
>
> 783 static void ses_intf_remove(struct device *cdev,
> 784 			    struct class_interface *intf)
> 785 {
> 786 	struct scsi_device *sdev = to_scsi_device(cdev->parent);
> 787
> 788 	if (!scsi_device_enclosure(sdev))
> 789 		ses_intf_remove_component(sdev);
> 790 	else
> 791 		ses_intf_remove_enclosure(sdev); // this branch
> 792 }
>
> 759 static void ses_intf_remove_enclosure(struct scsi_device *sdev)
> 760 {
> 761 	struct enclosure_device *edev;
> 762 	struct ses_device *ses_dev;
> 763
> 764 	/* exact match to this enclosure */
> 765 	edev = enclosure_find(&sdev->sdev_gendev, NULL);
> 766 	if (!edev)
> 767 		return;
> 768
> 769 	ses_dev = edev->scratch;
> 770 	edev->scratch = NULL;
> 771
> 772 	kfree(ses_dev->page10);
> 773 	kfree(ses_dev->page1);
> 774 	kfree(ses_dev->page2);
> 775 	kfree(ses_dev);
> 776
> 777 	kfree(edev->component[0].scratch); // bad
> 778
> 779 	put_device(&edev->edev);
> 780 	enclosure_unregister(edev);
> 781 }
>
>
> crash info:
>
> ==================================================================
> BUG: KASan: out of bounds access in ses_intf_remove+0x25d/0x270 [ses] at addr ffff88006545b6e8
> Read of size 8 by task pool/17977
> =============================================================================
> BUG kmalloc-1024 (Tainted: G B ): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> INFO: Slab 0xffffea0001951600 objects=32 used=13 fp=0xffff88006545f400 flags=0x1ffff0000004080
> INFO: Object 0xffff88006545b400 @offset=13312 fp=0x (null)
>
> Bytes b4 ffff88006545b3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b400: 00 00 00 00 00 00 00 00 60 c4 e4 c0 ff ff ff ff ........`.......
> Object ffff88006545b410: 60 c4 e4 c0 ff ff ff ff 68 29 9a a4 00 88 ff ff `.......h)......
> Object ffff88006545b420: 40 54 19 2c 00 88 ff ff 30 ea d0 a4 00 88 ff ff @T.,....0.......
> Object ffff88006545b430: c0 24 06 85 00 88 ff ff 40 2c 9a a4 00 88 ff ff .$......@,......
> Object ffff88006545b440: e0 21 f0 b4 00 88 ff ff 80 f7 ec 17 01 88 ff ff .!..............
> Object ffff88006545b450: 80 fd 4d 83 ff ff ff ff 30 8c 6d 57 00 88 ff ff ..M.....0.mW....
> Object ffff88006545b460: 04 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b470: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
> Object ffff88006545b480: 80 b4 45 65 00 88 ff ff 80 b4 45 65 00 88 ff ff ..Ee......Ee....
> Object ffff88006545b490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b4c0: 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b4d0: 60 25 06 85 00 88 ff ff e0 2c 9a a4 00 88 ff ff `%.......,......
> Object ffff88006545b4e0: ff ff ff 7f 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b4f0: f0 b4 45 65 00 88 ff ff f0 b4 45 65 00 88 ff ff ..Ee......Ee....
> Object ffff88006545b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b520: 00 00 00 00 00 00 00 00 90 c8 f0 81 ff ff ff ff ................
> Object ffff88006545b530: 18 b4 45 65 00 88 ff ff 00 00 00 00 ff ff ff ff ..Ee............
> Object ffff88006545b540: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b560: 00 00 00 00 00 00 00 00 e0 ff ff ff 0f 00 00 00 ................
> Object ffff88006545b570: 70 b5 45 65 00 88 ff ff 70 b5 45 65 00 88 ff ff p.Ee....p.Ee....
> Object ffff88006545b580: b0 d8 f0 81 ff ff ff ff 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b590: 90 b5 45 65 00 88 ff ff 90 b5 45 65 00 88 ff ff ..Ee......Ee....
> Object ffff88006545b5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b5b0: 81 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................
> Object ffff88006545b5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b5e0: 83 c2 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b610: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b630: 00 00 00 00 00 00 00 00 38 b6 45 65 00 88 ff ff ........8.Ee....
> Object ffff88006545b640: 38 b6 45 65 00 88 ff ff 00 00 00 00 00 00 00 00 8.Ee............
> Object ffff88006545b650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b680: 80 b6 45 65 00 88 ff ff 80 b6 45 65 00 88 ff ff ..Ee......Ee....
> Object ffff88006545b690: a8 2e 28 5c 00 88 ff ff b0 2e 28 5c 00 88 ff ff ..(\......(\....
> Object ffff88006545b6a0: b0 2e 28 5c 00 88 ff ff 01 00 00 00 00 00 00 00 ..(\............
> Object ffff88006545b6b0: 60 c3 e4 c0 ff ff ff ff 00 00 00 00 00 00 00 00 `...............
> Object ffff88006545b6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b6d0: 00 00 00 00 00 00 00 00 20 61 ec c0 ff ff ff ff ........ a......
> Object ffff88006545b6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Object ffff88006545b7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> CPU: 3 PID: 17977 Comm: pool Tainted: G B 4.2.3 #2
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
> ffff880065458000 ffff8800a50674b8 ffffffff8280e5b9 0000000000000400
> ffff880118c07500 ffff8800a50674e8 ffffffff8151a739 ffff880118c07500
> ffffea0001951600 ffff88006545b400 ffffffffc0ec60c0 ffff8800a5067518
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff8280e5b9>] dump_stack+0x45/0x57 lib/dump_stack.c:50
> [<ffffffff8151a739>] print_trailer+0xf9/0x150 mm/slub.c:650
> [<ffffffff8151f8e8>] object_err+0x38/0x50 mm/slub.c:657
> [< inline >] print_address_description mm/kasan/report.c:120
> [<ffffffff81522288>] kasan_report_error+0x1e8/0x3f0 mm/kasan/report.c:193
> [<ffffffff82025dec>] ? sg_device_destroy+0xec/0x190 drivers/scsi/sg.c:1551
> [< inline >] kasan_report mm/kasan/report.c:230
> [<ffffffff815225c3>] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:251
> [< inline >] ? ses_intf_remove_enclosure drivers/scsi/ses.c:777
> [<ffffffffc0ec02ed>] ? ses_intf_remove+0x25d/0x270 [ses] drivers/scsi/ses.c:791
> [< inline >] ses_intf_remove_enclosure drivers/scsi/ses.c:777
> [<ffffffffc0ec02ed>] ses_intf_remove+0x25d/0x270 [ses] drivers/scsi/ses.c:791
> [<ffffffff81ee5f5a>] device_del+0x2ba/0x6b0 drivers/base/core.c:1210
> [<ffffffff81ee5ca0>] ? cleanup_device_parent+0xf0/0xf0 drivers/base/core.c:793
> [< inline >] ? kobject_cleanup lib/kobject.c:635
> [<ffffffff81ad6239>] ? kobject_release+0x139/0x3a0 lib/kobject.c:658
> [<ffffffff81ee6372>] device_unregister+0x22/0xb0 drivers/base/core.c:1250
> [<ffffffff81ffdf6a>] __scsi_remove_device+0x1aa/0x210 drivers/scsi/scsi_sysfs.c:1075
> [<ffffffff81ffa16f>] scsi_forget_host+0x10f/0x1c0 drivers/scsi/scsi_scan.c:1862
> [< inline >] ? spin_unlock_irqrestore include/linux/spinlock.h:372
> [<ffffffff81f0ca15>] ? __pm_runtime_resume+0x85/0xa0 drivers/base/power/runtime.c:962
> [<ffffffff81fd2635>] scsi_remove_host+0xd5/0x210 drivers/scsi/hosts.c:173
> [<ffffffffc0e7cbe1>] usb_stor_disconnect+0xe1/0x200 [usb_storage]
> [<ffffffff82134d81>] usb_unbind_interface+0x161/0x830 drivers/usb/core/driver.c:411
> [<ffffffff81f09929>] ? rpm_idle+0x29/0x5b0 drivers/base/power/runtime.c:305
> [<ffffffff81ef149a>] __device_release_driver+0x17a/0x3c0 drivers/base/dd.c:662
> [<ffffffff81eee180>] ? unbind_store+0x270/0x270 drivers/base/bus.c:189
> [<ffffffff81ef1703>] device_release_driver+0x23/0x30 drivers/base/dd.c:693
> [<ffffffff81eefce4>] bus_remove_device+0x2d4/0x590 drivers/base/bus.c:601
> [<ffffffff81ee6026>] device_del+0x386/0x6b0 drivers/base/core.c:1217
> [< inline >] ? kref_sub include/linux/kref.h:74
> [< inline >] ? kref_put include/linux/kref.h:99
> [<ffffffff81ad5e66>] ? kobject_put+0x56/0xa0 lib/kobject.c:675
> [<ffffffff81ee5ca0>] ? cleanup_device_parent+0xf0/0xf0 drivers/base/core.c:793
> [<ffffffff82140f9c>] ? usb_remove_ep_devs+0x3c/0x80 drivers/usb/core/endpoint.c:214
> [<ffffffff8212bcaa>] ? remove_intf_ep_devs+0xfa/0x1a0 drivers/usb/core/message.c:1047
> [<ffffffff8212d2e5>] usb_disable_device+0x1d5/0x6e0 drivers/usb/core/message.c:1172
> [<ffffffff816c6fc0>] ? sysfs_kf_bin_read+0x2d0/0x2d0 fs/sysfs/file.c:86
> [<ffffffff8212eee6>] usb_set_configuration+0x236/0x1600 drivers/usb/core/message.c:1766
> [<ffffffff8144b840>] ? __alloc_pages_direct_compact+0x280/0x280 include/linux/mm.h:881
> [< inline >] ? perf_event_mmap_event kernel/events/core.c:5923
> [<ffffffff81415da0>] ? perf_event_mmap+0x510/0x9d0 kernel/events/core.c:5957
> [<ffffffff816c6fc0>] ? sysfs_kf_bin_read+0x2d0/0x2d0 fs/sysfs/file.c:86
> [<ffffffff8213ef55>] remove_store+0x75/0x90 drivers/usb/core/sysfs.c:669
> [<ffffffff81ee3fa0>] ? component_add+0x350/0x350 ??:?
> [<ffffffff81ee3fdc>] dev_attr_store+0x3c/0x70 drivers/base/core.c:137
> [< inline >] ? kasan_poison_shadow mm/kasan/kasan.c:49
> [<ffffffff815219ee>] ? kasan_kmalloc+0x5e/0x70 mm/kasan/kasan.c:353
> [<ffffffff816c70f1>] sysfs_kf_write+0x131/0x200 fs/sysfs/file.c:131
> [<ffffffff816c4bed>] kernfs_fop_write+0x1fd/0x3a0 fs/kernfs/file.c:312
> [<ffffffff815651e0>] __vfs_write+0xe0/0x3e0 fs/read_write.c:489
> [< inline >] ? set_pte_at ./arch/x86/include/asm/paravirt.h:524
> [< inline >] ? do_anonymous_page mm/memory.c:2721
> [< inline >] ? handle_pte_fault mm/memory.c:3258
> [< inline >] ? __handle_mm_fault mm/memory.c:3379
> [<ffffffff814b654a>] ? handle_mm_fault+0x160a/0x3470 mm/memory.c:3408
> [<ffffffff81565100>] ? __vfs_read+0x3d0/0x3d0 fs/read_write.c:419
> [<ffffffff819b5470>] ? common_perm+0x160/0x160 security/apparmor/lsm.c:159
> [< inline >] ? percpu_counter_add include/linux/percpu_counter.h:53
> [< inline >] ? percpu_counter_inc include/linux/percpu_counter.h:177
> [<ffffffff8156d3bb>] ? __sb_start_write+0xfb/0x2a0 fs/super.c:1204
> [<ffffffff814b4f40>] ? copy_page_range+0x12b0/0x12b0 mm/memory.c:1024
> [<ffffffff8156d2c0>] ? __sb_end_write+0xc0/0xc0 include/linux/list.h:189
> [<ffffffff819b6c18>] ? apparmor_file_permission+0x18/0x20 security/apparmor/lsm.c:446
> [<ffffffff818fb8bf>] ? security_file_permission+0x6f/0x1b0 security/security.c:738
> [<ffffffff815665fc>] ? rw_verify_area+0xbc/0x290 fs/read_write.c:404
> [<ffffffff81566be9>] vfs_write+0x139/0x4c0 fs/read_write.c:538
> [< inline >] SYSC_write fs/read_write.c:585
> [<ffffffff815699fe>] SyS_write+0x10e/0x230 fs/read_write.c:577
> [<ffffffff815698f0>] ? SyS_read+0x230/0x230 fs/read_write.c:559
> [<ffffffff8110dc1f>] ? do_page_fault+0x2f/0x80 arch/x86/mm/fault.c:1298
> [<ffffffff8281f472>] entry_SYSCALL_64_fastpath+0x16/0x75 arch/x86/entry/entry_64.S:186
> Memory state around the buggy address:
> ffff88006545b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88006545b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff88006545b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
> ^
> ffff88006545b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88006545b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>
> 3. out of bounds on stack in irlmp_seq_hb_idx
> Call chain: irlmp_seq_start -> v = irlmp_seq_hb_idx(iter, &off); -> irlmp_seq_hb_idx
>
> static void *irlmp_seq_start(struct seq_file *seq, loff_t *pos)
> {
> 	struct irlmp_iter_state *iter = seq->private;
> 	void *v;
> 	loff_t off = *pos;
>
> 	iter->hashbin = NULL;
> 	if (off-- == 0)
> 		return LSAP_START_TOKEN;
>
> 	iter->hashbin = irlmp->unconnected_lsaps;
> 	v = irlmp_seq_hb_idx(iter, &off); // local var stack address
> 	if (v)
> 		return v;
>
> 	if (off-- == 0)
> 		return LINK_START_TOKEN;
>
> 	iter->hashbin = irlmp->links;
> 	return irlmp_seq_hb_idx(iter, &off);
> }
>
> static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
> {
> 	void *element;
>
> 	spin_lock_irq(&iter->hashbin->hb_spinlock);
> 	for (element = hashbin_get_first(iter->hashbin);
> 	     element != NULL;
> 	     element = hashbin_get_next(iter->hashbin)) {
> 		if (!off || *off-- == 0) { // out of bounds on stack
> 			/* NB: hashbin left locked */
> 			return element;
> 		}
> 	}
> 	spin_unlock_irq(&iter->hashbin->hb_spinlock);
> 	iter->hashbin = NULL;
> 	return NULL;
> }
>
> crash info:
>
> BUG: KASan: out of bounds on stack in irlmp_seq_hb_idx+0x16c/0x1a0 [irda] at addr ffff880022c4f248
> Read of size 8 by task trinity-c6/19325
> page:ffffea00008b13c0 count:0 mapcount:0 mapping: (null) index:0x0
> flags: 0x1ffff0000000000()
> page dumped because: kasan: bad access detected
> CPU: 0 PID: 19325 Comm: trinity-c6 Tainted: G B 4.2.3 #2
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
> ffff8801128089e0 ffff880022c4f108 ffffffff8280e5b9 1ffffd400011627f
> ffff880022c4f1a0 ffff880022c4f188 ffffffff81522458 0000000000000010
> 0000000000000000 0000000000000046 ffffed0004589e4a 666666208106f6c0
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff8280e5b9>] dump_stack+0x45/0x57 lib/dump_stack.c:50
> [< inline >] print_address_description mm/kasan/report.c:132
> [<ffffffff81522458>] kasan_report_error+0x3b8/0x3f0 mm/kasan/report.c:193
> [< inline >] kasan_report mm/kasan/report.c:230
> [<ffffffff815225c3>] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:251
> [<ffffffffc0af6bac>] ? irlmp_seq_hb_idx+0x16c/0x1a0 [irda] net/irda/irlmp.c:1842
> [<ffffffffc0af6bac>] irlmp_seq_hb_idx+0x16c/0x1a0 [irda] net/irda/irlmp.c:1842
> [<ffffffffc0af6fb7>] irlmp_seq_start+0x147/0x230 [irda] net/irda/irlmp.c:1864
> [<ffffffffc0af6e70>] ? irlmp_seq_next+0x290/0x290 [irda] net/irda/irlmp.c:1888
> [<ffffffff815cd4b0>] seq_read+0x280/0x1150 fs/seq_file.c:225
> [<ffffffff81521bb8>] ? kasan_alloc_pages+0x38/0x40 mm/kasan/kasan.c:292
> [<ffffffff815cd230>] ? seq_lseek+0x370/0x370 fs/seq_file.c:321
> [<ffffffff81621010>] ? __fsnotify_inode_delete+0x10/0x10 fs/notify/fsnotify.c:37
> [< inline >] ? copy_from_user ./arch/x86/include/asm/uaccess.h:718
> [<ffffffff81569e60>] ? rw_copy_check_uvector+0x80/0x270 fs/read_write.c:733
> [<ffffffff816957d1>] proc_reg_read+0xc1/0x180 fs/proc/inode.c:202
> [<ffffffff81b0b91d>] ? import_iovec+0x9d/0x420 lib/iov_iter.c:802
> [<ffffffff81565608>] do_loop_readv_writev+0x128/0x1e0 fs/read_write.c:680
> [< inline >] ? fsnotify_perm include/linux/fsnotify.h:60
> [<ffffffff818fb99d>] ? security_file_permission+0x14d/0x1b0 security/security.c:742
> [<ffffffff81695710>] ? proc_reg_write+0x180/0x180 fs/proc/internal.h:82
> [<ffffffff81695710>] ? proc_reg_write+0x180/0x180 fs/proc/internal.h:82
> [<ffffffff815674f0>] do_readv_writev+0x580/0x690 fs/read_write.c:810
> [<ffffffff81566f70>] ? vfs_write+0x4c0/0x4c0 include/linux/sched.h:3096
> [<ffffffff817a448c>] ? __ext4_handle_dirty_metadata+0x4c/0x5d0 fs/ext4/ext4_jbd2.c:264
> [< inline >] ? touch_buffer fs/buffer.c:64
> [<ffffffff81602f1a>] ? __find_get_block+0x1ca/0x2a0 fs/buffer.c:1375
> [< inline >] ? brelse include/linux/buffer_head.h:287
> [< inline >] ? ext4_do_update_inode fs/ext4/inode.c:4503
> [<ffffffff816f7b60>] ? ext4_mark_iloc_dirty+0x13c0/0x24d0 fs/ext4/inode.c:4937
> [<ffffffff81567669>] vfs_readv+0x69/0xa0 fs/read_write.c:834
> [< inline >] kernel_readv fs/splice.c:582
> [<ffffffff815f7010>] default_file_splice_read+0x470/0x8f0 fs/splice.c:658
> [<ffffffff815f6ba0>] ? generic_file_splice_read+0x1e0/0x1e0 fs/splice.c:531
> [<ffffffff817f6220>] ? jbd2_buffer_abort_trigger+0x80/0x80 fs/jbd2/transaction.c:1277
> [<ffffffff815f2140>] ? page_cache_pipe_buf_release+0x70/0x70 fs/splice.c:91
> [<ffffffff815e9eb0>] ? __mark_inode_dirty+0x440/0x9e0 fs/fs-writeback.c:2015
> [<ffffffff816ffcd8>] ? ext4_da_write_end+0x378/0x820 fs/ext4/inode.c:2782
> [<ffffffff816fdd10>] ? ext4_write_begin+0x980/0x980 fs/ext4/ext4_jbd2.h:399
> [< inline >] ? kasan_poison_shadow mm/kasan/kasan.c:49
> [<ffffffff815219ee>] ? kasan_kmalloc+0x5e/0x70 mm/kasan/kasan.c:353
> [<ffffffff81430cfc>] ? generic_perform_write+0x31c/0x500 mm/filemap.c:2527
> [< inline >] ? spin_lock include/linux/spinlock.h:312
> [< inline >] ? __fsnotify_d_instantiate include/linux/fsnotify_backend.h:289
> [< inline >] ? fsnotify_d_instantiate include/linux/fsnotify.h:25
> [<ffffffff815a8b4f>] ? __d_instantiate+0x18f/0x390 fs/dcache.c:1763
> [<ffffffff815665fc>] ? rw_verify_area+0xbc/0x290 fs/read_write.c:404
> [<ffffffff815f4349>] do_splice_to+0xd9/0x120 fs/splice.c:1142
> [<ffffffff815f45cd>] splice_direct_to_actor+0x23d/0x7b0 fs/splice.c:1214
> [<ffffffff815f1af0>] ? generic_pipe_buf_nosteal+0x10/0x10 fs/splice.c:560
> [<ffffffff815f4390>] ? do_splice_to+0x120/0x120 fs/splice.c:1137
> [<ffffffff818fb8bf>] ? security_file_permission+0x6f/0x1b0 security/security.c:738
> [<ffffffff815665fc>] ? rw_verify_area+0xbc/0x290 fs/read_write.c:404
> [<ffffffff81aed4cd>] ? timerqueue_add+0x12d/0x2f0 lib/timerqueue.c:57
> [<ffffffff815f4c99>] do_splice_direct+0x159/0x270 fs/splice.c:1325
> [<ffffffff812824ab>] ? enqueue_hrtimer+0xdb/0x1e0 kernel/time/hrtimer.c:877
> [<ffffffff815f4b40>] ? splice_direct_to_actor+0x7b0/0x7b0 include/linux/fs.h:1920
> [<ffffffff815665fc>] ? rw_verify_area+0xbc/0x290 fs/read_write.c:404
> [<ffffffff81568a61>] do_sendfile+0x5f1/0x1250 fs/read_write.c:1227
> [<ffffffff81283f60>] ? hrtimer_init+0x100/0x100 include/trace/events/timer.h:134
> [<ffffffff81568470>] ? __compat_sys_pwritev64+0xc0/0xc0 fs/read_write.c:1128
> [< inline >] ? hrtimer_start include/linux/hrtimer.h:370
> [<ffffffff812878f6>] ? do_setitimer+0x4b6/0x610 kernel/time/itimer.c:222
> [< inline >] SYSC_sendfile64 fs/read_write.c:1288
> [<ffffffff8156b031>] SyS_sendfile64+0xf1/0x100 fs/read_write.c:1274
> [<ffffffff8156af40>] ? SyS_sendfile+0xd0/0xd0 fs/read_write.c:1271
> [<ffffffff8110dc1f>] ? do_page_fault+0x2f/0x80 arch/x86/mm/fault.c:1298
> [<ffffffff8281f472>] entry_SYSCALL_64_fastpath+0x16/0x75 arch/x86/entry/entry_64.S:186
> Memory state around the buggy address:
> ffff880022c4f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff880022c4f180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff880022c4f200: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f3
> ^
> ffff880022c4f280: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff880022c4f300: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
> ==================================================================
> ==================================================================
>
> Sorry for the webmail format. I hope to receive your reply as soon as possible. Best regards,
> Berry Cheng @ Alibaba Mobile Security Team
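The two SES findings above (issue 1, and the ses_intf_add variant reported with it) are the same defect: the driver trusts the page length in the 4-byte diagnostic page header, allocates exactly that many bytes, and then points at buf + 8 and reads the first descriptor header at buf[10..11] without checking that the page is at least 12 bytes long. A page whose header claims zero following bytes is allocated at 4 (+1) bytes, so the first read already lands in whatever slab object follows, which is the kmalloc-8 neighbour KASan flagged. The following is an added example written for this page, not code from the kernel, from Dan's patches or from the reporter: a user-space walk over a page-7 buffer that checks every offset against the page length the header claims and caps that length by the number of bytes actually received. The page layout (4-byte header, 4-byte generation code, descriptors each with a 4-byte header whose bytes 2..3 give the text length) follows SES; the sample pages are constructed, not captured from hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SES page 7 (Element Descriptor) layout as modelled here: a 4-byte page
 * header whose bytes 2..3 hold, big-endian, the number of bytes that FOLLOW
 * the header; a 4-byte generation code; then descriptors, each a 4-byte
 * header whose bytes 2..3 give the length of the text after it. The first
 * descriptor is the overall enclosure descriptor. */
#define SES_PAGE_HDR_LEN   4
#define SES_GEN_CODE_LEN   4
#define SES_DESC_HDR_LEN   4
#define SES_FIRST_DESC_OFF (SES_PAGE_HDR_LEN + SES_GEN_CODE_LEN)	/* the driver's buf + 8 */

/* Total page size as the driver computes it from the header. Bytes 2..3 of
 * zero yield 4: no generation code and no descriptors at all. */
static size_t ses_page_total_len(const uint8_t *hdr)
{
	return ((size_t)hdr[2] << 8) + hdr[3] + SES_PAGE_HDR_LEN;
}

/* Walk the element descriptors of page 7. Returns how many descriptors follow
 * the overall descriptor, storing (offset, length) for the first max_names of
 * them, or -1 if the page is malformed. Every advance is checked against the
 * claimed page length, which is itself capped by buf_len, the byte count the
 * caller really holds. */
static int ses_walk_page7(const uint8_t *buf, size_t buf_len,
			  size_t *out_off, size_t *out_len, int max_names)
{
	size_t page_len, pos, len;
	int n = 0;

	if (buf_len < SES_PAGE_HDR_LEN)
		return -1;
	page_len = ses_page_total_len(buf);
	if (page_len > buf_len)
		page_len = buf_len;	/* never trust the header past the data held */

	/* "desc_ptr = buf + 8" followed by a read of desc_ptr[2..3] needs 12 bytes */
	pos = SES_FIRST_DESC_OFF;
	if (page_len < pos + SES_DESC_HDR_LEN)
		return -1;		/* header-only page: nothing to point at */

	/* skip past the overall descriptor */
	len = ((size_t)buf[pos + 2] << 8) + buf[pos + 3];
	pos += SES_DESC_HDR_LEN;
	if (len > page_len - pos)
		return -1;
	pos += len;

	while (pos + SES_DESC_HDR_LEN <= page_len) {
		len = ((size_t)buf[pos + 2] << 8) + buf[pos + 3];
		pos += SES_DESC_HDR_LEN;
		if (len > page_len - pos)
			return -1;	/* descriptor text would run off the page */
		if (n < max_names) {
			out_off[n] = pos;
			out_len[n] = len;
		}
		n++;
		pos += len;
	}
	return n;
}

static bool ses_name_is(const uint8_t *buf, size_t off, size_t len, const char *s)
{
	return len == strlen(s) && memcmp(buf + off, s, len) == 0;
}

/* Constructed pages. page7_empty reproduces the report: a header claiming 0
 * following bytes, total length 4, so buf + 8 is outside the allocation. */
static const uint8_t page7_empty[] = { 0x07, 0x00, 0x00, 0x00 };

/* Overall descriptor claims 16 bytes of text, but only 4 are on the page. */
static const uint8_t page7_trunc[] = {
	0x07, 0x00, 0x00, 0x0c,
	0x00, 0x00, 0x00, 0x01,
	0x00, 0x00, 0x00, 0x10, 'x', 'y', 'z', 'w',
};

/* Well-formed: overall descriptor "enc" and one element descriptor "slot0". */
static const uint8_t page7_ok[] = {
	0x07, 0x00, 0x00, 0x14,				/* 20 bytes follow the header */
	0x00, 0x00, 0x00, 0x01,				/* generation code */
	0x00, 0x00, 0x00, 0x03, 'e', 'n', 'c',		/* overall descriptor */
	0x00, 0x00, 0x00, 0x05, 's', 'l', 'o', 't', '0',	/* element descriptor */
};

int main(void)
{
	size_t off[4], len[4];
	int n;

	printf("empty page: %d\n", ses_walk_page7(page7_empty, sizeof(page7_empty), off, len, 4));
	printf("truncated page: %d\n", ses_walk_page7(page7_trunc, sizeof(page7_trunc), off, len, 4));
	n = ses_walk_page7(page7_ok, sizeof(page7_ok), off, len, 4);
	printf("good page: %d element descriptor(s), first is slot0: %d\n",
	       n, ses_name_is(page7_ok, off[0], len[0], "slot0"));
	return 0;
}
```

The same minimum-length test applies to page 1 in ses_intf_add, where type_ptr = buf + 8 is dereferenced after an allocation of exactly the header-declared length; a header claiming fewer than 8 following bytes cannot carry an enclosure descriptor and should take the recv_failed path.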
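Issue 2 is an out-of-bounds read rather than a bad free: struct enclosure_device ends in a flexible array of components, sized at registration by the component count, and with zero components there is no component[0] to read a scratch pointer from, so the 8-byte load at ses.c:777 runs past the end of the kmalloc-1024 object (the KASan report shows the access 0x2e8 bytes into a 0x400-byte object, in the redzone). The block below is an added example for this page, not the kernel's enclosure or ses code: reduced models of the two structures, the allocation sizing, the one-block-per-enclosure scratch layout that makes component[0].scratch the thing to free, and a teardown guarded by the component count. The guard is this example's own assumption about a fix, not the content of Dan's patch 2/2, which is not on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Reduced models of the kernel structures; field sets cut to what the bug needs. */
struct enclosure_component {
	int number;
	void *scratch;			/* per-component driver state */
};

struct enclosure_device {
	int components;
	void *scratch;			/* driver-private; struct ses_device in ses */
	struct enclosure_component component[];	/* sized by enclosure_register() */
};

/* How the registration path sizes the object: header plus one slot per
 * component. With components == 0 no slot exists at all. */
static size_t enclosure_alloc_size(int components)
{
	return sizeof(struct enclosure_device) +
	       (size_t)components * sizeof(struct enclosure_component);
}

/* True when the load "edev->component[idx].scratch" ends beyond the allocation. */
static bool component_scratch_oob(int components, int idx)
{
	size_t end = offsetof(struct enclosure_device, component) +
		     ((size_t)idx + 1) * sizeof(struct enclosure_component);
	return end > enclosure_alloc_size(components);
}

static struct enclosure_device *enclosure_register_model(int components)
{
	struct enclosure_device *edev = calloc(1, enclosure_alloc_size(components));

	if (edev)
		edev->components = components;
	return edev;
}

/* ses_intf_add() allocates one block of per-component scratch and points each
 * component[i].scratch into it, so component[0].scratch is the block itself.
 * Nothing is allocated, and nothing must later be freed, for zero components. */
static bool ses_attach_scratch_model(struct enclosure_device *edev, size_t per_component)
{
	char *block;
	int i;

	if (edev->components == 0)
		return true;
	block = calloc((size_t)edev->components, per_component);
	if (!block)
		return false;
	for (i = 0; i < edev->components; i++)
		edev->component[i].scratch = block + (size_t)i * per_component;
	return true;
}

/* Teardown guarded by the component count (assumed fix, this example's own).
 * Returns the number of scratch blocks released. */
static int ses_remove_enclosure_model(struct enclosure_device *edev)
{
	int freed = 0;

	free(edev->scratch);
	edev->scratch = NULL;
	if (edev->components > 0) {
		free(edev->component[0].scratch);	/* slot 0 exists, and owns the block */
		freed = 1;
	}
	free(edev);
	return freed;
}

int main(void)
{
	struct enclosure_device *edev = enclosure_register_model(0);

	printf("component[0].scratch read with 0 components is out of bounds: %s\n",
	       component_scratch_oob(0, 0) ? "yes" : "no");
	if (edev && ses_attach_scratch_model(edev, 16))
		printf("scratch blocks freed on remove: %d\n", ses_remove_enclosure_model(edev));
	return 0;
}
```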
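Issue 3 is an operator-precedence bug. In irlmp_seq_hb_idx(), `*off-- == 0` parses as `*(off--) == 0`: the loop reads *off and then decrements the pointer, never the offset, so from the second element on it reads the stack slots below irlmp_seq_start()'s local `off`, which is exactly the out-of-bounds stack read KASan reported from a /proc read. The block below is an added example for this page, not the irda code: both forms of the test run over a constructed element list, with the caller's stack frame modelled as an array so the buggy version's stray reads stay in bounds and can be observed instead of crashing. Names such as hb_idx_buggy, hb_idx_fixed and seq_start_with are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

typedef long long seq_off_t;	/* stands in for the kernel's loff_t */

/* Constructed hashbin contents: the elements the seq iterator walks. */
static const char *const elements[] = { "lsap-a", "lsap-b", "lsap-c", "lsap-d" };
#define N_ELEMENTS (sizeof(elements) / sizeof(elements[0]))

/* The test as written in the report. Postfix -- binds tighter than unary *,
 * so "*off-- == 0" is "*(off--) == 0": read *off, then move the POINTER back
 * by one seq_off_t. The offset value is never decremented, and every later
 * iteration reads whatever lies below the caller's local. Here that memory is
 * a caller-provided array; in the kernel it is irlmp_seq_start()'s frame. */
static const char *hb_idx_buggy(seq_off_t *off)
{
	size_t i;

	for (i = 0; i < N_ELEMENTS; i++) {
		if (!off || *off-- == 0)
			return elements[i];
	}
	return NULL;
}

/* Intended behaviour: decrement the value *off once per element and return
 * the element at which it reaches zero. */
static const char *hb_idx_fixed(seq_off_t *off)
{
	size_t i;

	for (i = 0; i < N_ELEMENTS; i++) {
		if (!off || (*off)-- == 0)
			return elements[i];
	}
	return NULL;
}

/* Model of irlmp_seq_start(): copy the requested position into a local and
 * pass its address down. frame[] plays the stack frame: the local lives in the
 * last slot and the slots below it hold whatever the caller left there. */
static const char *seq_start_with(const char *(*hb_idx)(seq_off_t *),
				  seq_off_t pos, seq_off_t *frame, size_t frame_len)
{
	seq_off_t *off = &frame[frame_len - 1];

	*off = pos;
	return hb_idx(off);
}

int main(void)
{
	seq_off_t zeroed[4] = { 0, 0, 0, 0 };
	seq_off_t dirty[4] = { 0, 0, 7, 0 };	/* a non-zero slot below the local */

	printf("fixed, pos 2: %s\n", seq_start_with(hb_idx_fixed, 2, zeroed, 4));
	printf("buggy, pos 2, zeroed frame: %s\n", seq_start_with(hb_idx_buggy, 2, zeroed, 4));
	printf("buggy, pos 2, dirty frame: %s\n", seq_start_with(hb_idx_buggy, 2, dirty, 4));
	return 0;
}
```

With the fixed form, position 2 selects the third element regardless of what surrounds the local; with the buggy form the answer is decided by the neighbouring stack slots, not by the position, which is why the same /proc read can give different results on different frames.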
Thread overview:
[not found] <----An------QYmAn$4202951b-482d-4d92-98c2-3466de737b40@alibaba-inc.com>
2015-10-19 10:15 ` Dan Carpenter [this message]
2015-10-19 10:15 ` [patch 1/2] ses: tighten range checking in ses_enclosure_data_process() Dan Carpenter
2015-10-19 10:16 ` [patch 2/2] ses: invalid free in ses_intf_remove_enclosure() Dan Carpenter