From: Eric Biggers <ebiggers@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-security-module@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
Date: Tue, 23 Jul 2019 22:00:29 -0700 [thread overview]
Message-ID: <20190724050029.GD643@sol.localdomain> (raw)
In-Reply-To: <737a46de-cfb0-6220-c796-563ffd3ff325@i-love.sakura.ne.jp>
On Wed, Jul 24, 2019 at 01:54:40PM +0900, Tetsuo Handa wrote:
> On 2019/07/24 13:34, Eric Biggers wrote:
> > On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
> >>> --------------------------------------------------------------------------------
> >>> Title: KASAN: invalid-free in tomoyo_realpath_from_path
> >>> Last occurred: 57 days ago
> >>> Reported: 56 days ago
> >>> Branches: net-next
> >>> Dashboard link: https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
> >>> Original thread: https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
> >>
> >> This cannot be a TOMOYO's bug. We are waiting for a reproducer but
> >> no crash occurred since then. Maybe it is time to close as invalid.
> >
> > Maybe. Did you check for stack buffer overflows in the functions that
> > tomoyo_realpath_from_path() calls? Perhaps something is corrupting the 'buf'
> > variable in the parent's stack frame.
> >
>
> What do you mean? If this crash were a stack buffer overflow, this crash
> should have already occurred again.
>
Well not necessarily, it could be very rare.
That being said, it was only seen on net-next and only once; so it could have
been caused by some broken patch elsewhere in the kernel that was only present
for a short time.
So if you aren't going to do anything else with this, please just go ahead and
invalidate it.
> Since the "buf" variable is a local variable, it cannot be shared between
> two threads. Since "buf" is assigned as
>
> buf = kmalloc(buf_len, GFP_NOFS);
>
> and nobody else is reassigning "buf",
>
> kfree(buf);
>
> can't become an invalid free.
>
- Eric
next prev parent reply other threads:[~2019-07-24 5:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-24 2:42 Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem Eric Biggers
2019-07-24 3:18 ` Tetsuo Handa
2019-07-24 4:34 ` Eric Biggers
2019-07-24 4:54 ` Tetsuo Handa
2019-07-24 5:00 ` Eric Biggers [this message]
-- strict thread matches above, loose matches on Subject: below --
2019-07-02 5:14 Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190724050029.GD643@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).