From patchwork Wed Apr 3 15:34:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Will Deacon X-Patchwork-Id: 161695 Delivered-To: patch@linaro.org Received: by 2002:a02:c6d8:0:0:0:0:0 with SMTP id r24csp470284jan; Wed, 3 Apr 2019 08:34:17 -0700 (PDT) X-Google-Smtp-Source: APXvYqzQsbkTD7ZuqFY4qjiuRRw+KyqKkK3SCPwwrCdphger1Om2ncXjlUuK4cZuqo7ulND1Jv0r X-Received: by 2002:a63:500f:: with SMTP id e15mr326318pgb.198.1554305657243; Wed, 03 Apr 2019 08:34:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554305657; cv=none; d=google.com; s=arc-20160816; b=hMdl7Y7vkeRg/lY3K7KtcqP9WaDQ/RjYq3S8qp6WLBYGk8mnMGtqBQYchI4Oy/q/CJ QLhLO7UorhGy16mCxKGGgz0rsawNRwB/62n6C+qtNQhe292Jn4amMhRCDYF1T8OHiLQq ud41aU6X5F00eNzZ2pQy58eOhH/z8HI6SCGzDl9Ftfewb+KvVayTkvhR9J/nYOH7Scs1 BpO4QD1tNUTZGZVCIXQTlomg5OsXd1J5BdtLagA2lzCg69N46qSYqtCliWnbZl5x5IgK YXjzOpjKiUbNXw35crXIbZ6JtGgaSN7yV3FGPEsJHBBUe6XWnmE2LDmZ0UmlLZTm76Qt U+hQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=H3PgQ10Z/BofRUnrZuKa8owoWoBWvT1vEdsAI/xVyNU=; b=sfu7eWR1f6nzLrLeThvEzYsC0i/TBYy1XnjbpJEITUwbC7+f4cUrUn5CXO7DlF6kfy 4MC17YkeV+opOm/6ct6RtYtEenCVaQQt4Y8BKZBeXUO5AX9TDv8ca/S1MQ+/UYdn8qTG RndXa61GLWIMhyUhDInUuID2IP2jKnsKaxM5FgU4gW45l7PZXIAwD37r6x3eSybYMC6j 86/HeBe+on210Eu4+AvU2djJVxJRtaUVSw/PbyJtaP4Z7nbrM5RDM7NCpw3o68N4l2KU zyXETUoKhfGhXXs6uxphWVoaNzchuXwBkoTXAvqKCmXx600//rnvsFZByn2Gil2tFH9o xADA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b15si13860452pge.349.2019.04.03.08.34.16; Wed, 03 Apr 2019 08:34:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726436AbfDCPeP (ORCPT + 31 others); Wed, 3 Apr 2019 11:34:15 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:43208 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725990AbfDCPeP (ORCPT ); Wed, 3 Apr 2019 11:34:15 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 645A880D; Wed, 3 Apr 2019 08:34:14 -0700 (PDT) Received: from fuggles.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 52EF93F68F; Wed, 3 Apr 2019 08:34:13 -0700 (PDT) From: Will Deacon To: linux-kernel@vger.kernel.org Cc: Will Deacon , Christian Brauner , Kees Cook , Andrew Morton Subject: [PATCH] kernel/sysctl.c: Fix out-of-bounds access when setting file-max Date: Wed, 3 Apr 2019 16:34:09 +0100 Message-Id: <20190403153409.17307-1-will.deacon@arm.com> X-Mailer: git-send-email 2.11.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit 32a5ad9c2285 ("sysctl: handle overflow for file-max") hooked up min/max values for the file-max sysctl parameter via the .extra1 and .extra2 fields in the corresponding struct ctl_table entry. Unfortunately, the minimum value points at the global 'zero' variable, which is an int. This results in a KASAN splat when accessed as a long by proc_doulongvec_minmax on 64-bit architectures: | BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x5d8/0x6a0 | Read of size 8 at addr ffff2000133d1c20 by task systemd/1 | | CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc3-00012-g40b114779944 #2 | Hardware name: linux,dummy-virt (DT) | Call trace: | dump_backtrace+0x0/0x228 | show_stack+0x14/0x20 | dump_stack+0xe8/0x124 | print_address_description+0x60/0x258 | kasan_report+0x140/0x1a0 | __asan_report_load8_noabort+0x18/0x20 | __do_proc_doulongvec_minmax+0x5d8/0x6a0 | proc_doulongvec_minmax+0x4c/0x78 | proc_sys_call_handler.isra.19+0x144/0x1d8 | proc_sys_write+0x34/0x58 | __vfs_write+0x54/0xe8 | vfs_write+0x124/0x3c0 | ksys_write+0xbc/0x168 | __arm64_sys_write+0x68/0x98 | el0_svc_common+0x100/0x258 | el0_svc_handler+0x48/0xc0 | el0_svc+0x8/0xc | | The buggy address belongs to the variable: | zero+0x0/0x40 | | Memory state around the buggy address: | ffff2000133d1b00: 00 00 00 00 00 00 00 00 fa fa fa fa 04 fa fa fa | ffff2000133d1b80: fa fa fa fa 04 fa fa fa fa fa fa fa 04 fa fa fa | >ffff2000133d1c00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 | ^ | ffff2000133d1c80: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 00 00 | ffff2000133d1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Fix the splat by introducing a unsigned long 'zero_ul' and using that instead. Fixes: 32a5ad9c2285 ("sysctl: handle overflow for file-max") Cc: Christian Brauner Cc: Kees Cook Cc: Andrew Morton Signed-off-by: Will Deacon --- kernel/sysctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.11.0 Acked-by: Christian Brauner diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e5da394d1ca3..c9ec050bcf46 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -128,6 +128,7 @@ static int zero; static int __maybe_unused one = 1; static int __maybe_unused two = 2; static int __maybe_unused four = 4; +static unsigned long zero_ul; static unsigned long one_ul = 1; static unsigned long long_max = LONG_MAX; static int one_hundred = 100; @@ -1750,7 +1751,7 @@ static struct ctl_table fs_table[] = { .maxlen = sizeof(files_stat.max_files), .mode = 0644, .proc_handler = proc_doulongvec_minmax, - .extra1 = &zero, + .extra1 = &zero_ul, .extra2 = &long_max, }, {