From: Chen Ridong <chenridong@huaweicloud.com>
To: Chen Ridong <chenridong@huaweicloud.com>,
dhowells@redhat.com, jarkko@kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] security/keys: fix slab-out-of-bounds in key_task_permission
Date: Wed, 16 Oct 2024 09:33:47 +0800 [thread overview]
Message-ID: <d3fb6263-b1f3-4bcd-b28e-abd81fbbd711@huaweicloud.com> (raw)
In-Reply-To: <20241008124639.70000-1-chenridong@huaweicloud.com>
On 2024/10/8 20:46, Chen Ridong wrote:
> From: Chen Ridong <chenridong@huawei.com>
>
> KASAN reports an out of bounds read:
> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
> security/keys/permission.c:54
> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
>
> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
> Call Trace:
> __dump_stack lib/dump_stack.c:82 [inline]
> dump_stack+0x107/0x167 lib/dump_stack.c:123
> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
> kasan_report+0x3a/0x50 mm/kasan/report.c:585
> __kuid_val include/linux/uidgid.h:36 [inline]
> uid_eq include/linux/uidgid.h:63 [inline]
> key_task_permission+0x394/0x410 security/keys/permission.c:54
> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
>
> This issue was also reported by syzbot [1].
>
> It can be reproduced by following these steps(more details [2]):
> 1. Obtain more than 32 inputs that have similar hashes, which ends with the
> pattern '0xxxxxxxe6'.
> 2. Reboot and add the keys obtained in step 1.
>
> The reproducer demonstrates how this issue happened:
> 1. In the search_nested_keyrings function, when it iterates through the
> slots in a node(below tag ascend_to_node), if the slot pointer is meta
> and node->back_pointer != NULL(it means a root), it will proceed to
> descend_to_node. However, there is an exception. If node is the root,
> and one of the slots points to a shortcut, it will be treated as a
> keyring.
> 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
> However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
> ASSOC_ARRAY_PTR_SUBTYPE_MASK.
> 3. When 32 keys with the similar hashes are added to the tree, the ROOT
> has keys with hashes that are not similar (e.g. slot 0) and it splits
> NODE A without using a shortcut. When NODE A is filled with keys that
> all hashes are xxe6, the keys are similar, NODE A will split with a
> shortcut. Finally, it forms the tree as shown below, where slot 6 points
> to a shortcut.
>
> NODE A
> +------>+---+
> ROOT | | 0 | xxe6
> +---+ | +---+
> xxxx | 0 | shortcut : : xxe6
> +---+ | +---+
> xxe6 : : | | | xxe6
> +---+ | +---+
> | 6 |---+ : : xxe6
> +---+ +---+
> xxe6 : : | f | xxe6
> +---+ +---+
> xxe6 | f |
> +---+
>
> 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
> it may be mistakenly transferred to a key*, leading to a read
> out-of-bounds read.
>
> To fix this issue, one should jump to descend_to_node if the ptr is a
> shortcut, regardless of whether the node is root or not.
>
> [1] https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/
> [2] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
>
> Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
> Reported-by: syzbot+5b415c07907a2990d1a3@syzkaller.appspotmail.com
> Signed-off-by: Chen Ridong <chenridong@huawei.com>
> ---
> security/keys/keyring.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/keyring.c b/security/keys/keyring.c
> index 4448758f643a..f331725d5a37 100644
> --- a/security/keys/keyring.c
> +++ b/security/keys/keyring.c
> @@ -772,8 +772,11 @@ static bool search_nested_keyrings(struct key *keyring,
> for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
> ptr = READ_ONCE(node->slots[slot]);
>
> - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
> - goto descend_to_node;
> + if (assoc_array_ptr_is_meta(ptr)) {
> + if (node->back_pointer ||
> + assoc_array_ptr_is_shortcut(ptr))
> + goto descend_to_node;
> + }
>
> if (!keyring_ptr_is_keyring(ptr))
> continue;
Friendly ping.
Best regards,
Ridong
next prev parent reply other threads:[~2024-10-16 1:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-08 12:46 [PATCH v2] security/keys: fix slab-out-of-bounds in key_task_permission Chen Ridong
2024-10-16 1:33 ` Chen Ridong [this message]
2024-10-16 5:08 ` Jarkko Sakkinen
2024-10-16 5:14 ` Jarkko Sakkinen
2024-10-17 1:19 ` Chen Ridong
2024-10-17 8:39 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3fb6263-b1f3-4bcd-b28e-abd81fbbd711@huaweicloud.com \
--to=chenridong@huaweicloud.com \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).