Issue 644068

Issue metadata

Status: Assigned
OS: Android
Pri: 3
Type: Bug


More OOB reads in /dev/tlk_device driver

Project Member Reported by glider@chromium.org, Sep 5 2016

Issue description

Found with syzkaller on Pixel C, no repro so far.

==================================================================
BUG: KASAN: slab-out-of-bounds in copy_params_from_user.isra.0.part.1+0x80/0x154 at addr ffffffc0720bb258
Read of size 8 by task syz-executor/383
CPU: 1 PID: 383 Comm: syz-executor Tainted: G     U         3.18.0 #89
te_handle_ss_ioctl: copy from user space failed
te_handle_ss_ioctl: copy from user space failed
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020b064>] dump_backtrace+0x0/0x17c arch/arm64/kernel/traps.c:91
[<ffffffc00020b1f8>] show_stack+0x18/0x24 arch/arm64/kernel/traps.c:173
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc00118b540>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[<     inline     >] object_err mm/kasan/report.c:136
[<     inline     >] print_address_description mm/kasan/report.c:180
[<     inline     >] kasan_report_error mm/kasan/report.c:277
[<ffffffc0003cf854>] kasan_report+0x308/0x554 mm/kasan/report.c:300
[<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
[<ffffffc0003cf334>] __asan_load8+0x74/0x80 mm/kasan/kasan.c:730
[<ffffffc0005ee7e8>] copy_params_from_user.isra.0.part.1+0x7c/0x154 security/tlk_driver/ote_device.c:300
[<     inline     >] copy_params_from_user security/tlk_driver/ote_device.c:281
[<     inline     >] te_handle_trustedapp_ioctl security/tlk_driver/ote_device.c:434
[<ffffffc0005eeca8>] tlk_device_ioctl+0x3e8/0x6f0 security/tlk_driver/ote_device.c:482
te_handle_ss_ioctl: copy from user space failed
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003f4d04>] do_vfs_ioctl+0x818/0x854 fs/ioctl.c:598
[<     inline     >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003f4dac>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
Object at ffffffc0720b8240, in cache kmalloc-16384
Object allocated with size 12288 bytes.
Allocation:
PID = 1
 [<ffffffc00020acac>] save_stack_trace_tsk+0x0/0x128 arch/arm64/kernel/stacktrace.c:69
 [<ffffffc00020ae00>] save_stack_trace+0x2c/0x3c arch/arm64/kernel/stacktrace.c:127
 [<     inline     >] save_stack mm/kasan/kasan.c:476
 [<     inline     >] set_track mm/kasan/kasan.c:488
 [<ffffffc0003ce450>] kasan_kmalloc.part.4+0x68/0x118 mm/kasan/kasan.c:586
 [<ffffffc0003cec48>] kasan_kmalloc+0x90/0xa8 mm/kasan/kasan.c:580
 [<     inline     >] static_key_count include/linux/jump_label.h:88
 [<     inline     >] static_key_false include/linux/jump_label.h:153
 [<     inline     >] trace_kmalloc include/trace/events/kmem.h:45
 [<ffffffc0003cbf1c>] kmem_cache_alloc_trace+0x118/0x358 mm/slab.c:3410
 [<     inline     >] kmalloc include/linux/slab.h:437
 [<     inline     >] te_create_free_cmd_list security/tlk_driver/ote_device.c:54
 [<ffffffc0016286e4>] tlk_init+0x94/0x334 security/tlk_driver/ote_device.c:544
 [<ffffffc001600f28>] do_one_initcall+0x144/0x20c init/main.c:791
 [<     inline     >] do_initcall_level init/main.c:856
 [<     inline     >] do_initcalls init/main.c:864
 [<     inline     >] do_basic_setup init/main.c:883
 [<ffffffc001601320>] kernel_init_freeable+0x330/0x3e8 init/main.c:1004
 [<ffffffc001186c0c>] kernel_init+0x18/0x12c init/main.c:939
 [<ffffffc0002043fc>] ret_from_fork+0xc/0x50 arch/arm64/kernel/entry.S:660
Memory state around the buggy address:
 ffffffc0720bb100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0720bb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0720bb200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                    ^
 ffffffc0720bb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0720bb300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

==================================================================
BUG: KASAN: slab-out-of-bounds in tlk_device_ioctl+0x564/0x6f0 at addr ffffffc0720bb244
Read of size 4 by task syz-executor/383
CPU: 1 PID: 383 Comm: syz-executor Tainted: G    BU         3.18.0 #89
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020b064>] dump_backtrace+0x0/0x17c arch/arm64/kernel/traps.c:91
[<ffffffc00020b1f8>] show_stack+0x18/0x24 arch/arm64/kernel/traps.c:173
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc00118b540>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[<     inline     >] object_err mm/kasan/report.c:136
[<     inline     >] print_address_description mm/kasan/report.c:180
[<     inline     >] kasan_report_error mm/kasan/report.c:277
[<ffffffc0003cf854>] kasan_report+0x308/0x554 mm/kasan/report.c:300
[<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
[<ffffffc0003cf230>] __asan_load4+0x78/0x84 mm/kasan/kasan.c:729
[<     inline     >] copy_params_to_user security/tlk_driver/ote_device.c:325
[<     inline     >] te_handle_trustedapp_ioctl security/tlk_driver/ote_device.c:458
[<ffffffc0005eee20>] tlk_device_ioctl+0x560/0x6f0 security/tlk_driver/ote_device.c:482
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003f4d04>] do_vfs_ioctl+0x818/0x854 fs/ioctl.c:598
[<     inline     >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003f4dac>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
Object at ffffffc0720b8240, in cache kmalloc-16384
Object allocated with size 12288 bytes.
Allocation:
PID = 1
 [<ffffffc00020acac>] save_stack_trace_tsk+0x0/0x128 arch/arm64/kernel/stacktrace.c:69
 [<ffffffc00020ae00>] save_stack_trace+0x2c/0x3c arch/arm64/kernel/stacktrace.c:127
 [<     inline     >] save_stack mm/kasan/kasan.c:476
 [<     inline     >] set_track mm/kasan/kasan.c:488
 [<ffffffc0003ce450>] kasan_kmalloc.part.4+0x68/0x118 mm/kasan/kasan.c:586
 [<ffffffc0003cec48>] kasan_kmalloc+0x90/0xa8 mm/kasan/kasan.c:580
 [<     inline     >] static_key_count include/linux/jump_label.h:88
 [<     inline     >] static_key_false include/linux/jump_label.h:153
 [<     inline     >] trace_kmalloc include/trace/events/kmem.h:45
 [<ffffffc0003cbf1c>] kmem_cache_alloc_trace+0x118/0x358 mm/slab.c:3410
 [<     inline     >] kmalloc include/linux/slab.h:437
 [<     inline     >] te_create_free_cmd_list security/tlk_driver/ote_device.c:54
 [<ffffffc0016286e4>] tlk_init+0x94/0x334 security/tlk_driver/ote_device.c:544
 [<ffffffc001600f28>] do_one_initcall+0x144/0x20c init/main.c:791
 [<     inline     >] do_initcall_level init/main.c:856
 [<     inline     >] do_initcalls init/main.c:864
 [<     inline     >] do_basic_setup init/main.c:883
 [<ffffffc001601320>] kernel_init_freeable+0x330/0x3e8 init/main.c:1004
 [<ffffffc001186c0c>] kernel_init+0x18/0x12c init/main.c:939
 [<ffffffc0002043fc>] ret_from_fork+0xc/0x50 arch/arm64/kernel/entry.S:660
Memory state around the buggy address:
 ffffffc0720bb100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0720bb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0720bb200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffffffc0720bb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0720bb300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Ajay, can you please help to find a proper owner for this bug?
 
Components: OS>Kernel