From patchwork Tue Aug 22 19:01:37 2017
X-Patchwork-Submitter: Helge Deller
X-Patchwork-Id: 9915921
Date: Tue, 22 Aug 2017 21:01:37 +0200
From: Helge Deller
To: Helge Deller
Cc: Al Viro, linux-fsdevel@vger.kernel.org, John David Anglin, linux-kernel@vger.kernel.org, linux-parisc List
Subject: [PATCH] fs/select: Fix kernel panic due to memory corruption in compat_get_fd_set()
Message-ID: <20170822190137.GA14164@p100.box>
References: <887D24D5-832C-409A-83AF-646E4937E87E@bell.net> <20170820183903.GA23618@ls3530.fritz.box>
In-Reply-To: <20170820183903.GA23618@ls3530.fritz.box>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-ID: linux-parisc@vger.kernel.org

Dave, can you test this patch?
Helge

------

[PATCH] Fix kernel panic due to memory corruption in compat_get_fd_set()

Dave faced this kernel crash in the select() compat syscall on the parisc architecture:

Kernel Fault: Code=26 (Data memory access rights trap) regs=00000002234b84e0 (Addr=0000000000000000)
CPU: 1 PID: 21167 Comm: polyimport Not tainted 4.13.0-rc5+ #1
task: 0000000223d74b50 task.stack: 00000002234b8000
IAOQ[0]: memset+0x68/0xd8
IAOQ[1]: memset+0x6c/0xd8
RP(r2): compat_get_fd_set+0x5c/0x78
Backtrace:
 [<00000000402f316c>] compat_get_fd_set+0x5c/0x78
 [<00000000402f3cac>] compat_core_sys_select+0x1cc/0x300
 [<00000000402f52dc>] compat_SyS_select+0x144/0x1a0
 [<0000000040155fe4>] syscall_exit+0x0/0x14
Kernel panic - not syncing: Kernel Fault

It seems commit 464d62421cb8 ("select: switch compat_{get,put}_fd_set() to compat_{get,put}_bitmap()") broke the calculation on how many bytes need to be zeroed in case of fdset being NULL. This leads to memory overwrites and crashes.

Fixes: 464d62421cb8 ("select: switch compat_{get,put}_fd_set() to compat_{get,put}_bitmap()")
Cc: Al Viro
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Helge Deller
---
diff --git a/fs/select.c b/fs/select.c index 9d5f15e..c6362e3 100644 --- a/fs/select.c +++ b/fs/select.c @@ -1164,11 +1164,7 @@ int compat_get_fd_set(unsigned long nr, compat_ulong_t __user *ufdset, if (ufdset) { return compat_get_bitmap(fdset, ufdset, nr); } else { - /* Tricky, must clear full unsigned long in the * kernel fdset at the end, ALIGN makes sure that * actually happens. */ - memset(fdset, 0, ALIGN(nr, BITS_PER_LONG)); + zero_fd_set(nr, fdset); return 0; } }
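Review bot: the length the removed line passes to memset(), ALIGN(nr, BITS_PER_LONG), is a count of bits rounded up to a whole long, while memset() takes bytes; nr is the same fd count handed to compat_get_bitmap() two lines earlier, so on a 64-bit kernel the old call zeroed eight times the size of the kernel fdset and ran off its end, which fits the fault being taken inside memset() called from compat_get_fd_set() in the trace. Replacing it with zero_fd_set(nr, fdset) is the right fix, but two things are worth tightening: the commit message should say the unit was wrong (a bit count used as a byte count) rather than only that the calculation was "broken", and since the hunk deletes the comment that the kernel fdset must be cleared up to a whole unsigned long without showing what zero_fd_set() does, a sentence confirming that zero_fd_set() still rounds nr up to whole longs would let a reviewer check that the patch does not trade an overrun for an under-clear.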
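To make the size mix-up behind this crash concrete, here is an added user-space model (example code written for this page, not part of Helge's patch or of fs/select.c). It reimplements the ALIGN(), FDS_LONGS() and FDS_BYTES() macros with their kernel definitions, computes the length the removed memset() call used beside the byte count zero_fd_set() uses, and measures how far a memset of each length runs past the fdset into a constructed canary region. The frame layout, the MAX_NR bound and the canary value are assumptions of the model, not kernel facts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Models of the kernel macros involved (same arithmetic as include/linux/kernel.h
 * and fs/select.c; BITS_PER_LONG follows the host's unsigned long). */
#define BITS_PER_LONG   (8 * sizeof(unsigned long))
#define ALIGN(x, a)     (((x) + (a) - 1) & ~((a) - 1))
#define FDS_LONGS(nr)   (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define FDS_BYTES(nr)   (FDS_LONGS(nr) * sizeof(unsigned long))

/* Length the pre-patch code passed to memset(): nr bits rounded up to a whole long,
 * i.e. still a number of BITS, handed to a function that expects BYTES. */
size_t broken_len(unsigned long nr)
{
    return ALIGN(nr, BITS_PER_LONG);
}

/* Length zero_fd_set() in fs/select.c uses: the bitmap size in bytes, whole longs. */
size_t fixed_len(unsigned long nr)
{
    return FDS_BYTES(nr);
}

/* Constructed model of the memory around the fdset (assumption, not kernel layout):
 * the bitmap for `nr` fds sits at the start of `frame`, everything after it is
 * filled with a canary. memset() with the given length, then count canary bytes
 * that were overwritten. MAX_NR bounds the model so the broken length can never
 * leave `frame` itself; returns (size_t)-1 if a request would. */
#define MAX_NR        1024
#define CANARY_BYTES  (MAX_NR)   /* >= broken_len(MAX_NR) - fixed_len(MAX_NR) */
#define CANARY        0xAA

size_t bytes_clobbered(unsigned long nr, size_t (*len_fn)(unsigned long))
{
    unsigned char frame[FDS_BYTES(MAX_NR) + CANARY_BYTES];
    size_t fdset_bytes = FDS_BYTES(nr);
    size_t len, i, clobbered = 0;

    if (nr > MAX_NR)
        return (size_t)-1;
    len = len_fn(nr);
    if (len > sizeof(frame))
        return (size_t)-1;

    memset(frame, CANARY, sizeof(frame));
    memset(frame, 0, len);                 /* the memset under test */
    for (i = fdset_bytes; i < sizeof(frame); i++)
        if (frame[i] != CANARY)
            clobbered++;
    return clobbered;
}

int main(void)
{
    unsigned long nrs[] = { 1, 64, 100, 256, 1024 };
    size_t k;

    printf("%6s %12s %12s %16s\n", "nr", "fixed(bytes)", "broken(len)", "bytes clobbered");
    for (k = 0; k < sizeof(nrs) / sizeof(nrs[0]); k++)
        printf("%6lu %12zu %12zu %16zu\n", nrs[k], fixed_len(nrs[k]),
               broken_len(nrs[k]), bytes_clobbered(nrs[k], broken_len));
    return 0;
}
```

broken_len(nr) is always exactly 8 * fixed_len(nr): ALIGN() rounds the bit count up to a whole long, and that bit count is then consumed as a byte count. In the kernel the bitmap being cleared is one of several that compat_core_sys_select() keeps back to back in one buffer, so the overrun lands on the neighbouring bitmaps and whatever lies beyond them, which is the memory corruption the trace above ends in.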