From: Kees Cook
To: Samuel Thibault, syzbot
Cc: akpm@linux-foundation.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Jiri Slaby, Greg Kroah-Hartman
Date: Fri, 3 Mar 2023 14:07:04 -0800
Message-ID: <64026f89.170a0220.7940.49ff@mx.google.com>
Subject: Re: [syzbot] [hardening?] [mm?]
 BUG: bad usercopy in con_font_op
In-Reply-To: <0000000000001d1fb505f605c295@google.com>

On Fri, Mar 03, 2023 at 01:37:55PM -0800, syzbot wrote:
> dashboard link: https://syzkaller.appspot.com/bug?extid=3af17071816b61e807ed
> [...]
> usercopy: Kernel memory exposure attempt detected from page alloc (offset 0, size 4194560)!
> [...]
> Call Trace:
>
> check_heap_object mm/usercopy.c:200 [inline]
> __check_object_size mm/usercopy.c:251 [inline]
> __check_object_size+0x50a/0x6e0 mm/usercopy.c:213
> check_object_size include/linux/thread_info.h:215 [inline]
> check_copy_size include/linux/thread_info.h:251 [inline]
> copy_to_user include/linux/uaccess.h:168 [inline]
> con_font_get drivers/tty/vt/vt.c:4580 [inline]
> con_font_op+0x397/0xf10 drivers/tty/vt/vt.c:4674

This is coming from the folio checking:

	} else if (folio_test_large(folio)) {
		offset = ptr - folio_address(folio);
		if (n > folio_size(folio) - offset)
			usercopy_abort("page alloc", NULL, to_user, offset, n);
	}

triggered by copy_to_user of the font.data allocation:

	#define max_font_width 64
	#define max_font_height 128
	#define max_font_glyphs 512
	#define max_font_size (max_font_glyphs*max_font_width*max_font_height)
	...
	font.data = kvmalloc(max_font_size, GFP_KERNEL);
	...
	if (op->data && copy_to_user(op->data, font.data, c))
		rc = -EFAULT;

it is correctly seeing "c" (4194560 in the report) as larger than
"max_font_size" (4194304, seen reported by "folio_size(folio)").

The "c" calculation comes from:

	unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32;
	...
	rc = vc->vc_sw->con_font_get(vc, &font, vpitch);
	...
	c = (font.width+7)/8 * vpitch * font.charcount;

So yes, 4194560 is larger than 4194304, and a memory exposure was, in
fact, blocked here. Given the recent work in this area, I'm not sure
which calculation is wrong, max_font_size or c.

Samuel?

-Kees

-- 
Kees Cook
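As an added example (not code from the thread or from the kernel), the arithmetic in the mail modelled in C: the quoted formula for c, the folio bounds test that fired, and a hypothetical caller-side check of the font geometry against the three maxima. It also shows that the largest geometry those maxima allow needs 524288 bytes, far below max_font_size, so a c of 4194560 requires a width, vpitch or charcount outside them. font_copy_size, usercopy_would_abort, max_legal_copy_size and font_geometry_ok are names assumed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Limits and formula quoted in the thread from drivers/tty/vt/vt.c. */
#define max_font_width  64
#define max_font_height 128
#define max_font_glyphs 512
#define max_font_size   (max_font_glyphs * max_font_width * max_font_height)

/* Bytes con_font_get() hands to copy_to_user():
 * c = (font.width+7)/8 * vpitch * font.charcount */
size_t font_copy_size(unsigned int width, unsigned int vpitch,
                      unsigned int charcount)
{
    return (size_t)((width + 7) / 8) * vpitch * charcount;
}

/* Model of the hardened-usercopy test for a large folio (mm/usercopy.c):
 * abort when n bytes from offset run past the allocation (alloc_size
 * stands in for folio_size(folio)). The offset guard is added here; the
 * kernel relies on ptr already lying inside the folio. */
bool usercopy_would_abort(size_t alloc_size, size_t offset, size_t n)
{
    return offset > alloc_size || n > alloc_size - offset;
}

/* Largest c any geometry within the three maxima can produce. It is 8x
 * below max_font_size, which counts width in pixels where c uses bytes. */
size_t max_legal_copy_size(void)
{
    return font_copy_size(max_font_width, max_font_height, max_font_glyphs);
}

/* Hypothetical caller-side check (not kernel code): refuse a font whose
 * geometry exceeds the maxima before c is even computed. */
bool font_geometry_ok(unsigned int width, unsigned int vpitch,
                      unsigned int charcount)
{
    return width <= max_font_width && vpitch <= max_font_height &&
           charcount <= max_font_glyphs;
}

int main(void)
{
    size_t reported = 4194560; /* size from the syzbot report, offset 0 */
    printf("max legal c=%zu alloc=%d reported aborts=%d\n", max_legal_copy_size(),
           max_font_size, usercopy_would_abort(max_font_size, 0, reported));
    return 0;
}
```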