From: Kees Cook <keescook@chromium.org>
To: herbert@gondor.apana.org.au
Cc: syzbot <syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, linux-hardening@vger.kernel.org,
Elena Petrova <lenaptr@google.com>
Subject: Re: UBSAN: array-index-out-of-bounds in alg_bind
Date: Fri, 16 Oct 2020 20:49:38 -0700 [thread overview]
Message-ID: <202010162042.7C51549A16@keescook> (raw)
In-Reply-To: <00000000000014370305b1c55370@google.com>
On Fri, Oct 16, 2020 at 01:12:24AM -0700, syzbot wrote:
> dashboard link: https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e
> [...]
> Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
> [...]
> UBSAN: array-index-out-of-bounds in crypto/af_alg.c:166:2
> index 91 is out of range for type '__u8 [64]'
This seems to be an "as intended", if very odd. false positive (the actual
memory area is backed by the on-stack _K_SS_MAXSIZE-sized sockaddr_storage
"address" variable in __sys_bind. But yes, af_alg's salg_name member
size here doesn't make sense. The origin appears to be that 3f69cc60768b
("crypto: af_alg - Allow arbitrarily long algorithm names") intentionally
didn't extend the kernel structure (which is actually just using the UAPI
structure). I don't see a reason the UAPI couldn't have been extended:
it's a sockaddr implementation, so the size is always passed in as part
of the existing API.
At the very least the kernel needs to switch to using a correctly-sized
structure: I expected UBSAN_BOUNDS to be enabled globally by default at
some point in the future (with the minimal runtime -- the
instrumentation is tiny and catches real issues).
Reproduction:
struct sockaddr_alg sa = {
.salg_family = AF_ALG,
.salg_type = "skcipher",
.salg_name = "cbc(aes)"
};
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&sa, sizeof(sa));
Replace "sizeof(sa)" with x where 64<x<=128.
--
Kees Cook
next prev parent reply other threads:[~2020-10-17 6:02 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-16 8:12 UBSAN: array-index-out-of-bounds in alg_bind syzbot
2020-10-17 3:49 ` Kees Cook [this message]
2020-10-17 6:20 ` Jann Horn
2020-10-17 10:50 ` Dmitry Vyukov
2020-10-17 11:02 ` Jann Horn
2020-10-17 14:41 ` Dmitry Vyukov
2020-10-26 20:07 ` [PATCH] crypto: af_alg - avoid undefined behavior accessing salg_name Eric Biggers
2020-10-26 21:21 ` Gustavo A. R. Silva
2020-10-26 23:10 ` Gustavo A. R. Silva
2020-10-26 23:40 ` Eric Biggers
2020-10-26 21:23 ` Jann Horn
2020-10-26 21:56 ` Eric Biggers
2020-10-26 22:40 ` Jann Horn
2020-11-06 7:01 ` Herbert Xu
2020-11-02 2:17 ` UBSAN: array-index-out-of-bounds in alg_bind syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202010162042.7C51549A16@keescook \
--to=keescook@chromium.org \
--cc=herbert@gondor.apana.org.au \
--cc=lenaptr@google.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox