Re: WARNING in usb_composite_setup_continue

2020-11-09 Thread Kyungtae Kim
We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
of syzkaller).

(corrected analysis)
This bug happens while continuing a delayed setup message in the mass
storage gadget.
To be specific, composite_setup() sets FSG_STATE_CONFIG_CHANGE via
fsg_set_alt() (line 1793),
followed by cdev->delayed_status++ (line 1798).
Meanwhile, the mass gadget tries to check cdev->delayed_status == 0
through handle_exception() (line 2428),
which occurs in between the two operations above.
Such a race causes invalid operations eventually.

==
usb_composite_setup_continue: Unexpected call
WARNING: CPU: 1 PID: 1882 at drivers/usb/gadget/composite.c:2457
usb_composite_setup_continue+0x1c7/0x220
drivers/usb/gadget/composite.c:2457
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 1882 Comm: file-storage Not tainted 5.8.13 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa7/0xea lib/dump_stack.c:118
 panic+0x298/0x521 kernel/panic.c:231
 __warn.cold.12+0x25/0x32 kernel/panic.c:600
 report_bug+0x1b2/0x260 lib/bug.c:198
 handle_bug+0x43/0x70 arch/x86/kernel/traps.c:235
 exc_invalid_op+0x18/0x40 arch/x86/kernel/traps.c:255
 asm_exc_invalid_op+0x12/0x20 ./arch/x86/include/asm/idtentry.h:540
RIP: 0010:usb_composite_setup_continue+0x1c7/0x220
drivers/usb/gadget/composite.c:2457
 handle_exception drivers/usb/gadget/function/f_mass_storage.c:2428 [inline]
 fsg_main_thread+0x12f4/0x59f1 drivers/usb/gadget/function/f_mass_storage.c:2466
 kthread+0x374/0x480 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
==

Regards,
Kyungtae Kim

On Mon, Nov 9, 2020 at 2:08 PM Kyungtae Kim  wrote:
>
> We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> of syzkaller).
>
> The bug happens when the freed object tty->port is accessed in
> tty_init_dev (line 1358).
> It seems tty->port is freed during the locking (i.e., tty_ldisc_lock)
> ahead (line 1355).
>
>
> Regards,
> Kyungtae Kim
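An added interleaving model of the delayed-status handshake described in the report above (example code written for this page, not kernel code): it abstracts composite_setup()'s two steps (raise the FSG_STATE_CONFIG_CHANGE exception, then cdev->delayed_status++) and the file-storage thread's two steps (observe the exception, then call usb_composite_setup_continue()), enumerates every schedule of the four steps, and counts how many reach the "Unexpected call" WARN. The step names and the reordered variant, where the count is bumped before the exception is raised, are assumptions of the model that illustrate why the ordering matters; they are not the upstream fix.

```c
#include <stdio.h>

/* Abstract state shared by the two threads in the report (model only). */
enum { FSG_STATE_NORMAL = 0, FSG_STATE_CONFIG_CHANGE = 1 };
enum step { S_RAISE, S_INCR, W_WAIT, W_CONTINUE };

struct model {
    int fsg_state;      /* common->state in the mass-storage function */
    int delayed_status; /* cdev->delayed_status */
    int warned;         /* the "Unexpected call" WARN fired */
    int status_sent;    /* status stage completed normally */
};

static void run_step(struct model *m, enum step s)
{
    switch (s) {
    case S_RAISE:    /* fsg_set_alt(): raise_exception() wakes the fsg thread */
        m->fsg_state = FSG_STATE_CONFIG_CHANGE;
        break;
    case S_INCR:     /* composite_setup(): set_alt returned DELAYED_STATUS */
        m->delayed_status++;
        break;
    case W_WAIT:     /* handle_exception() observed FSG_STATE_CONFIG_CHANGE */
        break;
    case W_CONTINUE: /* usb_composite_setup_continue(): the check from the trace */
        if (m->delayed_status == 0)
            m->warned = 1;
        else if (--m->delayed_status == 0)
            m->status_sent = 1;
        break;
    }
}

/* The worker thread cannot run until the exception has been raised. */
static int enabled(const struct model *m, enum step s)
{
    return s != W_WAIT || m->fsg_state == FSG_STATE_CONFIG_CHANGE;
}

struct result { int interleavings; int warned; };

/* Depth-first enumeration of every schedule of the two step sequences. */
static void explore(struct model m, const enum step *setup, int si,
                    const enum step *worker, int wi, struct result *r)
{
    if (si == 2 && wi == 2) {
        r->interleavings++;
        if (m.warned)
            r->warned++;
        return;
    }
    if (si < 2) {
        struct model c = m;
        run_step(&c, setup[si]);
        explore(c, setup, si + 1, worker, wi, r);
    }
    if (wi < 2 && enabled(&m, worker[wi])) {
        struct model c = m;
        run_step(&c, worker[wi]);
        explore(c, setup, si, worker, wi + 1, r);
    }
}

/* increment_before_raise == 0 models the order described in the report;
 * 1 models counting the delayed status before the worker can be woken. */
struct result check_order(int increment_before_raise)
{
    static const enum step reported[2] = { S_RAISE, S_INCR };
    static const enum step reordered[2] = { S_INCR, S_RAISE };
    static const enum step worker[2] = { W_WAIT, W_CONTINUE };
    struct model m = { FSG_STATE_NORMAL, 0, 0, 0 };
    struct result r = { 0, 0 };

    explore(m, increment_before_raise ? reordered : reported, 0, worker, 0, &r);
    return r;
}

int main(void)
{
    struct result b = check_order(0), f = check_order(1);

    printf("raise then increment: %d of %d schedules hit the WARN\n",
           b.warned, b.interleavings);
    printf("increment then raise: %d of %d schedules hit the WARN\n",
           f.warned, f.interleavings);
    return 0;
}
```

With the reported order one of the three possible schedules calls setup_continue while delayed_status is still 0, which is exactly the interleaving the trace above shows.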


possible deadlock in tcm_alloc

2020-11-03 Thread Kyungtae Kim
 #1: 8880568afaf0 (>s_type->i_mutex_key#17){}-{3:3}, at:
configfs_symlink+0x388/0xf10 fs/configfs/symlink.c:193
 #2: 88806396b310 (>lock){+.+.}-{3:3}, at:
config_usb_cfg_link+0x70/0x3a0 drivers/usb/gadget/configfs.c:413

stack backtrace:
CPU: 2 PID: 722 Comm: c1_fuzz Not tainted 5.8.13 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa7/0xea lib/dump_stack.c:118
 print_circular_bug.cold.46+0x15a/0x169 kernel/locking/lockdep.c:1703
 check_noncircular+0x327/0x3e0 kernel/locking/lockdep.c:1827
 check_prev_add kernel/locking/lockdep.c:2496 [inline]
 check_prevs_add kernel/locking/lockdep.c:2601 [inline]
 validate_chain kernel/locking/lockdep.c:3218 [inline]
 __lock_acquire+0x2fe7/0x5120 kernel/locking/lockdep.c:4395
 lock_acquire+0x18d/0xb00 kernel/locking/lockdep.c:4982
 __mutex_lock_common kernel/locking/mutex.c:956 [inline]
 __mutex_lock+0x14f/0x1380 kernel/locking/mutex.c:1103
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
 tcm_alloc+0x1f/0x2b0 drivers/usb/gadget/function/f_tcm.c:2300
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3a0 drivers/usb/gadget/configfs.c:435
 configfs_symlink+0x4f5/0xf10 fs/configfs/symlink.c:202
 vfs_symlink fs/namei.c:3953 [inline]
 vfs_symlink+0x304/0x540 fs/namei.c:3939
 do_symlinkat+0x104/0x1a0 fs/namei.c:3980
 __do_sys_symlinkat fs/namei.c:3994 [inline]
 __se_sys_symlinkat fs/namei.c:3991 [inline]
 __x64_sys_symlinkat+0x6e/0xb0 fs/namei.c:3991
 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
======

Regards,
Kyungtae Kim


Re: KASAN: use-after-free Read in do_set_interface

2020-10-31 Thread Kyungtae Kim
It is not reproducible, unfortunately.

Thanks,
Kyungtae Kim

On Sat, Oct 31, 2020 at 9:40 PM Alan Stern  wrote:
>
> On Wed, Oct 28, 2020 at 04:51:09PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> > of syzkaller).
> >
> > The bug happened when accessing a freed instance of struct fsg_dev
> > (i.e., fsg->bulk_in) in do_set_interface() (line 2245).
> >
>
> Is this reproducible?  Can you test patches?
>
> Alan Stern


Re: [PATCH] USB: gadget: hidg: fix use-after-free in f_hidg

2020-10-31 Thread Kyungtae Kim
On Wed, Oct 28, 2020 at 4:13 PM Kyungtae Kim  wrote:
>
> FuzzUSB (a variant of syzkaller) found the bug
> when accessing a freed instance of struct f_hidg.
>
> Reference: https://www.spinics.net/lists/linux-usb/msg195103.html
>
> The fix uses reference count to ensure the right access to instance of f_hidg.
>
>
> BUG: KASAN: use-after-free in f_hidg_poll+0x190/0x1e0 
> drivers/usb/gadget/function/f_hid.c:424
> Read of size 1 at addr 8880579260e8 by task syz-executor.5/2849
>
> CPU: 3 PID: 2849 Comm: syz-executor.5 Not tainted 5.6.11 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xce/0x128 lib/dump_stack.c:118
>  print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
>  __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
>  kasan_report+0x12/0x20 mm/kasan/common.c:641
>  __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
>  f_hidg_poll+0x190/0x1e0 drivers/usb/gadget/function/f_hid.c:424
>  vfs_poll include/linux/poll.h:90 [inline]
>  do_pollfd fs/select.c:859 [inline]
>  do_poll fs/select.c:907 [inline]
>  do_sys_poll+0x548/0xe20 fs/select.c:1001
>  __do_sys_poll fs/select.c:1059 [inline]
>  __se_sys_poll fs/select.c:1047 [inline]
>  __x64_sys_poll+0x171/0x420 fs/select.c:1047
>  do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Allocated by task 2418:
>  save_stack+0x21/0x90 mm/kasan/common.c:72
>  set_track mm/kasan/common.c:80 [inline]
>  __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
>  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
>  kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
>  kzalloc include/linux/slab.h:555 [inline]
>  hidg_alloc+0x56/0x5e0 drivers/usb/gadget/function/f_hid.c:1091
>  usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
>  config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
>  configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
>  vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
>  do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
>  __do_sys_symlinkat fs/namei.c:4242 [inline]
>  __se_sys_symlinkat fs/namei.c:4239 [inline]
>  __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
>  do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 2868:
>  save_stack+0x21/0x90 mm/kasan/common.c:72
>  set_track mm/kasan/common.c:80 [inline]
>  kasan_set_free_info mm/kasan/common.c:337 [inline]
>  __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
>  kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
>  slab_free_hook mm/slub.c:1444 [inline]
>  slab_free_freelist_hook mm/slub.c:1477 [inline]
>  slab_free mm/slub.c:3034 [inline]
>  kfree+0xf7/0x410 mm/slub.c:3995
>  hidg_free+0x7f/0x110 drivers/usb/gadget/function/f_hid.c:1069
>  usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
>  config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
>  configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
>  vfs_unlink+0x287/0x570 fs/namei.c:4073
>  do_unlinkat+0x4f9/0x620 fs/namei.c:4137
>  __do_sys_unlink fs/namei.c:4184 [inline]
>  __se_sys_unlink fs/namei.c:4182 [inline]
>  __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
>  do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>
> Signed-off-by: Kyungtae Kim 
> Reported-and-tested-by: Kyungtae Kim 
>
> ---
>  drivers/usb/gadget/function/f_hid.c | 21 -
>  1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/f_hid.c 
> b/drivers/usb/gadget/function/f_hid.c
> index 1125f4715830..e900b51c075a 100644
> --- a/drivers/usb/gadget/function/f_hid.c
> +++ b/drivers/usb/gadget/function/f_hid.c
> @@ -16,6 +16,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>
>  #include "u_f.h"
>  #include "u_hid.h"
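Review bot: the commit message only says the fix "uses reference count" and the added #include has lost its header name in this archive copy; name the primitive the include supplies (kref or refcount_t are the usual choices) and describe the two racing paths the traces above show, hidg_free() reached from config_usb_cfg_unlink() freeing struct f_hidg while f_hidg_poll() still dereferences it, so a reviewer can check that the count is held across the poll path.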
> @@ -44,6 +45,7 @@ struct f_hidg {
> unsigned short  report_desc_length;
>
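Review bot: this hunk is cut off after report_desc_length, so the new struct f_hidg member is not visible here; the patch should show the member together with where it is initialized in hidg_alloc() and where the last reference is dropped, so that hidg_free() cannot run while f_hidg_poll() still holds a pointer to the instance.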

KASAN: use-after-free Read in do_set_interface

2020-10-28 Thread Kyungtae Kim
We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
of syzkaller).

The bug happened when accessing a freed instance of struct fsg_dev
(i.e., fsg->bulk_in) in do_set_interface() (line 2245).

==
BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90
drivers/usb/gadget/function/f_mass_storage.c:2245
Read of size 8 at addr 88806bc940f8 by task file-storage/2063

CPU: 3 PID: 2063 Comm: file-storage Not tainted 5.8.13 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa7/0xea lib/dump_stack.c:118
 print_address_description.constprop.8+0x3f/0x60 mm/kasan/report.c:383
 kasan_report.cold.11+0x20/0x37 mm/kasan/report.c:513
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:146
 do_set_interface.part.7+0xa6b/0xd90
drivers/usb/gadget/function/f_mass_storage.c:2245
 do_set_interface drivers/usb/gadget/function/f_mass_storage.c:2202 [inline]
 handle_exception drivers/usb/gadget/function/f_mass_storage.c:2426 [inline]
 fsg_main_thread+0x12c7/0x59f1 drivers/usb/gadget/function/f_mass_storage.c:2466
 kthread+0x374/0x480 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 1910:
 save_stack+0x21/0x50 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.6+0xc7/0xd0 mm/kasan/common.c:467
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508
 kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851
 kzalloc ./include/linux/slab.h:555 [inline]
 fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3a0 drivers/usb/gadget/configfs.c:435
 configfs_symlink+0x4f5/0xf10 fs/configfs/symlink.c:202
 vfs_symlink fs/namei.c:3953 [inline]
 vfs_symlink+0x304/0x540 fs/namei.c:3939
 do_symlinkat+0x104/0x1a0 fs/namei.c:3980
 __do_sys_symlinkat fs/namei.c:3994 [inline]
 __se_sys_symlinkat fs/namei.c:3991 [inline]
 __x64_sys_symlinkat+0x6e/0xb0 fs/namei.c:3991
 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 2072:
 save_stack+0x21/0x50 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x139/0x190 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:464
 slab_free_hook mm/slub.c:1474 [inline]
 slab_free_freelist_hook mm/slub.c:1507 [inline]
 slab_free mm/slub.c:3072 [inline]
 kfree+0xef/0x3d0 mm/slub.c:4052
 fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408
 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
 config_usb_cfg_unlink+0x2e9/0x3a0 drivers/usb/gadget/configfs.c:476
 configfs_unlink+0x379/0x77e fs/configfs/symlink.c:250
 vfs_unlink+0x241/0x550 fs/namei.c:3825
 do_unlinkat+0x3e7/0x610 fs/namei.c:3889
 __do_sys_unlink fs/namei.c:3936 [inline]
 __se_sys_unlink fs/namei.c:3934 [inline]
 __x64_sys_unlink+0x3d/0x50 fs/namei.c:3934
 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at 88806bc94000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 248 bytes inside of
 512-byte region [88806bc94000, 88806bc94200)
==

Regards,
Kyungtae Kim


Re: memory leak in u_audio_start_playback

2020-10-27 Thread Kyungtae Kim
On Sun, Oct 25, 2020 at 3:32 PM Kyungtae Kim  wrote:
>
> We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> of syzkaller).
>
> An instance of struct usb_request allocated in f_audio_set_alt() leaked.
>
> ==
> BUG: memory leak
> unreferenced object 0x888053df0e00 (size 128):
>   comm "softirq", pid 0, jiffies 4294940573 (age 17.540s)
>   hex dump (first 32 bytes):
> 00 0e df 53 80 88 ff ff 00 0e df 53 80 88 ff ff  ...S...S
> 00 82 df 53 80 88 ff ff c0 00 00 00 00 00 00 00  ...S
>   backtrace:
> [<0694647e>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 
> [inline]
> [<0694647e>] slab_post_alloc_hook mm/slab.h:588 [inline]
> [<0694647e>] slab_alloc_node mm/slub.c:2824 [inline]
> [<0694647e>] slab_alloc mm/slub.c:2832 [inline]
> [<0694647e>] kmem_cache_alloc_trace+0x15c/0x310 mm/slub.c:2849
> [<d7d91433>] kmalloc include/linux/slab.h:555 [inline]
> [<d7d91433>] kzalloc include/linux/slab.h:669 [inline]
> [<d7d91433>] dummy_alloc_request+0x83/0x120 
> drivers/usb/gadget/udc/dummy_hcd.c:663
> [<6e043557>] usb_ep_alloc_request+0x23/0x170 
> drivers/usb/gadget/udc/core.c:178
> [<fb13871b>] u_audio_start_playback+0x224/0x3c0 
> drivers/usb/gadget/function/u_audio.c:449
> [<17cb1f54>] f_audio_set_alt+0x8e/0x170 
> drivers/usb/gadget/function/f_uac1.c:463
> [<63ba610c>] composite_setup+0x62e/0x2690 
> drivers/usb/gadget/composite.c:1793
> [<e86333ed>] configfs_composite_setup+0xa5/0xd0 
> drivers/usb/gadget/configfs.c:1457
> [<f9a524ea>] dummy_timer+0x5a7/0x1460 
> drivers/usb/gadget/udc/dummy_hcd.c:1899
> [<182f2904>] call_timer_fn+0xdd/0x3a0 kernel/time/timer.c:1416
> [<0d926b91>] expire_timers kernel/time/timer.c:1461 [inline]
> [<0d926b91>] __run_timers kernel/time/timer.c:1792 [inline]
> [<0d926b91>] run_timer_softirq+0x286/0x670 
> kernel/time/timer.c:1805
> [<8902fa26>] __do_softirq+0xfa/0x684 kernel/softirq.c:292
> [<3597f960>] asm_call_on_stack+0xf/0x20 
> arch/x86/entry/entry_64.S:711
> [<5c5a9a83>] __run_on_irqstack 
> arch/x86/include/asm/irq_stack.h:22 [inline]
> [<5c5a9a83>] run_on_irqstack_cond 
> arch/x86/include/asm/irq_stack.h:48 [inline]
> [<5c5a9a83>] do_softirq_own_stack+0x8b/0xb0 
> arch/x86/kernel/irq_64.c:77
> [<590d59e5>] invoke_softirq kernel/softirq.c:387 [inline]
> [<590d59e5>] __irq_exit_rcu kernel/softirq.c:417 [inline]
> [<590d59e5>] irq_exit_rcu+0xb5/0xf0 kernel/softirq.c:429
> [<689d4053>] sysvec_apic_timer_interrupt+0x83/0xf0 
> arch/x86/kernel/apic/apic.c:1091
> [<f2e90960>] asm_sysvec_apic_timer_interrupt+0x12/0x20 
> arch/x86/include/asm/idtentry.h:585
> ==
>
> Regards,
> Kyungtae Kim


KASAN: use-after-free Write in tty_init_dev

2020-10-25 Thread Kyungtae Kim
o the object at 888039317000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 296 bytes inside of
 2048-byte region [888039317000, 888039317800)
==

Regards,
Kyungtae Kim


WARNING in usb_ep_queue

2020-06-21 Thread Kyungtae Kim
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller).

==
WARNING: CPU: 0 PID: 4452 at drivers/usb/gadget/udc/core.c:276
usb_ep_queue+0x157/0x3a0 drivers/usb/gadget/udc/core.c:276
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4452 Comm: syz-executor.0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 panic+0x2de/0x6fa kernel/panic.c:221
 __warn+0x1e1/0x1f6 kernel/panic.c:582
 report_bug+0x208/0x320 lib/bug.c:195
 fixup_bug.part.6+0x37/0x80 arch/x86/kernel/traps.c:174
 fixup_bug arch/x86/kernel/traps.c:261 [inline]
 do_error_trap+0x131/0x170 arch/x86/kernel/traps.c:267
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_ep_queue+0x157/0x3a0 drivers/usb/gadget/udc/core.c:276
 f_hidg_write+0x6a9/0x9e0 drivers/usb/gadget/function/f_hid.c:396
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
==

Thanks,
Kyungtae Kim


KASAN: use-after-free Read in gs_flush_chars

2020-06-21 Thread Kyungtae Kim
We report a bug (in linux-5.7) found by FuzzUSB (a modified version
of syzkaller).

The bug happened when accessing a deallocated instance of gs_port.
While spinning a lock in gs_flush_chars(),
port is allowed to be freed in gser_free_inst().
This ends up triggering a memory error.

To fix this, it needs to check if port is still in use, in particular,
lock spinning, when deallocating it.

==
BUG: KASAN: use-after-free in __lock_acquire+0x44f1/0x4aa0
kernel/locking/lockdep.c:4225
Read of size 8 at addr 88803bf5d398 by task syz-executor.7/3903

CPU: 3 PID: 3903 Comm: syz-executor.7 Not tainted 5.7.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.6+0x1f/0x410 mm/kasan/report.c:382
 __kasan_report+0x106/0x140 mm/kasan/report.c:511
 kasan_report+0x38/0x50 mm/kasan/common.c:625
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:146
 __lock_acquire+0x44f1/0x4aa0 kernel/locking/lockdep.c:4225
 lock_acquire+0x18d/0xbe0 kernel/locking/lockdep.c:4934
 __raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
 gs_flush_chars+0x45/0xb0 drivers/usb/gadget/function/u_serial.c:764
 n_tty_write+0x685/0xe70 drivers/tty/n_tty.c:2350
 do_tty_write drivers/tty/tty_io.c:962 [inline]
 tty_write+0x462/0x970 drivers/tty/tty_io.c:1046
 __vfs_write+0x85/0x110 fs/read_write.c:495
 vfs_write+0x1d3/0x520 fs/read_write.c:559
 ksys_write+0x190/0x220 fs/read_write.c:612
 __do_sys_write fs/read_write.c:624 [inline]
 __se_sys_write fs/read_write.c:621 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:621
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Allocated by task 2445:
 save_stack+0x21/0x50 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:495
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2824
 kmalloc ./include/linux/slab.h:555 [inline]
 kzalloc ./include/linux/slab.h:669 [inline]
 gs_port_alloc drivers/usb/gadget/function/u_serial.c:1142 [inline]
 gserial_alloc_line_no_console+0xdc/0x920
drivers/usb/gadget/function/u_serial.c:1222
 gserial_alloc_line+0x17/0x70 drivers/usb/gadget/function/u_serial.c:1256
 gser_alloc_inst+0x8d/0xf0 drivers/usb/gadget/function/f_serial.c:327
 try_get_usb_function_instance+0xf8/0x1c0 drivers/usb/gadget/functions.c:28
 usb_get_function_instance+0x17/0x80 drivers/usb/gadget/functions.c:44
 function_make+0xfa/0x3c0 drivers/usb/gadget/configfs.c:600
 configfs_mkdir+0x458/0xaf0 fs/configfs/dir.c:1344
 vfs_mkdir+0x3aa/0x670 fs/namei.c:3625
 do_mkdirat+0x12b/0x220 fs/namei.c:3648
 __do_sys_mkdir fs/namei.c:3664 [inline]
 __se_sys_mkdir fs/namei.c:3662 [inline]
 __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3662
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 3905:
 save_stack+0x21/0x50 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0x135/0x190 mm/kasan/common.c:456
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1488 [inline]
 slab_free mm/slub.c:3045 [inline]
 kfree+0xf7/0x410 mm/slub.c:4026
 gserial_free_port+0x124/0x250 drivers/usb/gadget/function/u_serial.c:1186
 gserial_free_line+0x12b/0x270 drivers/usb/gadget/function/u_serial.c:1203
 gser_free_inst+0x3d/0x50 drivers/usb/gadget/function/f_serial.c:313
 usb_put_function_instance+0x86/0xb0 drivers/usb/gadget/functions.c:77
 serial_attr_release+0x15/0x20 drivers/usb/gadget/function/f_serial.c:262
 config_item_cleanup fs/configfs/item.c:130 [inline]
 config_item_release fs/configfs/item.c:139 [inline]
 kref_put ./include/linux/kref.h:65 [inline]
 config_item_put.part.0+0x191/0x250 fs/configfs/item.c:151
 config_item_put+0x1f/0x30 fs/configfs/item.c:150
 configfs_rmdir+0x58e/0x870 fs/configfs/dir.c:1555
 vfs_rmdir+0x168/0x490 fs/namei.c:3688
 do_rmdir+0x2f2/0x3a0 fs/namei.c:3750
 __do_sys_rmdir fs/namei.c:3768 [inline]
 __se_sys_rmdir fs/namei.c:3766 

KASAN: null-ptr-deref Read in tty_wakeup

2020-06-06 Thread Kyungtae Kim
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller).

This bug happened during enumeration (i.e., set_config) for an acm gadget.

Although tty (instance of tty_struct) held by port->port in
gs_start_io() is null,
this tries to access its field (tty->flags) in tty_wakeup(), thereby
triggering this error.

kernel config: https://kt0755.github.io/etc/config_v5.6.11

==
BUG: KASAN: null-ptr-deref in test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
BUG: KASAN: null-ptr-deref in tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532
Read of size 8 at addr 0460 by task systemd-udevd/2719

CPU: 2 PID: 2719 Comm: systemd-udevd Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 __kasan_report+0x161/0x1b0 mm/kasan/report.c:510
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:95
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
 tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532
 gs_start_io+0x1b7/0x2a0 drivers/usb/gadget/function/u_serial.c:568
 gserial_connect+0x41c/0x590 drivers/usb/gadget/function/u_serial.c:1333
 acm_set_alt+0x251/0x5c0 drivers/usb/gadget/function/f_acm.c:456
 set_config drivers/usb/gadget/composite.c:838 [inline]
 composite_setup+0x4231/0x6f10 drivers/usb/gadget/composite.c:1717
 configfs_composite_setup+0x11a/0x170 drivers/usb/gadget/configfs.c:1466
 dummy_timer+0xda5/0x33f0 drivers/usb/gadget/udc/dummy_hcd.c:1898
 call_timer_fn+0x20e/0x770 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 run_timer_softirq+0x63f/0x13c0 kernel/time/timer.c:1786
 __do_softirq+0x262/0xb46 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x161/0x1b0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x137/0x500 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 
RIP: 0010:create_object+0x74c/0xba0 mm/kmemleak.c:607
 kmemleak_alloc+0x21/0x30 mm/kmemleak.c:893
 kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc_node mm/slub.c:2786 [inline]
 slab_alloc mm/slub.c:2794 [inline]
 kmem_cache_alloc+0x157/0x2d0 mm/slub.c:2799
 __d_alloc+0x2e/0x8b0 fs/dcache.c:1690
 d_alloc+0x4d/0x250 fs/dcache.c:1769
 d_alloc_parallel+0xfe/0x1910 fs/dcache.c:2521
 __lookup_slow+0x195/0x440 fs/namei.c:1742
 lookup_slow fs/namei.c:1774 [inline]
 walk_component+0x779/0xe30 fs/namei.c:1915
 lookup_last fs/namei.c:2391 [inline]
 path_lookupat+0x151/0x3e0 fs/namei.c:2436
 filename_lookup+0x191/0x3a0 fs/namei.c:2466
 user_path_at_empty+0x40/0x50 fs/namei.c:2746
 user_path_at include/linux/namei.h:58 [inline]
 vfs_statx+0xe9/0x190 fs/stat.c:197
 vfs_lstat include/linux/fs.h:3277 [inline]
 __do_sys_newlstat+0x87/0xf0 fs/stat.c:364
 __se_sys_newlstat fs/stat.c:358 [inline]
 __x64_sys_newlstat+0x54/0x80 fs/stat.c:358
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
==


KASAN: use-after-free Read in printer_ioctl

2020-06-03 Thread Kyungtae Kim
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)

This bug happened when accessing a deallocated instance in printer_ioctl().

This seems to be in line with the following bug.

https://groups.google.com/forum/#!topic/syzkaller/U2SJOYi-S08

==
BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180
kernel/locking/lockdep.c:3831
Read of size 8 at addr 8880683b0018 by task syz-executor.0/3377

CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831
 lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
 printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xfb/0x130 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4531a9
Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fd14ad72c78 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0073bfa8 RCX: 004531a9
RDX: fff9 RSI: 009e RDI: 0003
RBP: 0003 R08:  R09: 
R10:  R11: 0246 R12: 004bbd61
R13: 004d0a98 R14: 7fd14ad736d4 R15: 

Allocated by task 2393:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
 configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
 vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
 do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
 __do_sys_symlinkat fs/namei.c:4242 [inline]
 __se_sys_symlinkat fs/namei.c:4239 [inline]
 __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3368:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3034 [inline]
 kfree+0xf7/0x410 mm/slub.c:3995
 gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353
 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
 config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
 configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
 vfs_unlink+0x287/0x570 fs/namei.c:4073
 do_unlinkat+0x4f9/0x620 fs/namei.c:4137
 __do_sys_unlink fs/namei.c:4184 [inline]
 __se_sys_unlink fs/namei.c:4182 [inline]
 __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8880683b
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [8880683b, 8880683b0400)
The buggy address belongs to the page:
page:ea0001a0ec00 refcount:1 mapcount:0 mapping:88806c00e300
index:0x8880683b1800 compound_mapcount: 0
flags: 0x1010200(slab|head)
raw: 01010200  00060001 88806c00e300
raw: 8880683b1800 801a 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8880683aff00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
 8880683aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8880683b: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
 8880683b0080: 

memory leak in usbtest_probe

2020-06-02 Thread Kyungtae Kim
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)

The buf of a usbtest_dev instance (dev->buf) allocated in
usbtest_probe() leaked.

The usbtest_dev instance holding the buf is attached to a
corresponding device instance
through usb_set_intfdata().
But later, the usbtest_dev instance seems to be freed without
deallocating its buf field first.

kernel config: https://kt0755.github.io/etc/config_v5.6.11

==
BUG: memory leak
unreferenced object 0x888055046e00 (size 256):
  comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
  hex dump (first 32 bytes):
00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U..Z.
f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.7...
  backtrace:
[] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[] slab_post_alloc_hook mm/slab.h:586 [inline]
[] slab_alloc_node mm/slub.c:2786 [inline]
[] slab_alloc mm/slub.c:2794 [inline]
[] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
[<5c3c3381>] kmalloc include/linux/slab.h:555 [inline]
[<5c3c3381>] usbtest_probe+0x286/0x19d0
drivers/usb/misc/usbtest.c:2790
[<1cec6910>] usb_probe_interface+0x2bd/0x870
drivers/usb/core/driver.c:361
[<7806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
[] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
[<3ef66004>] __device_attach_driver+0x1b6/0x240
drivers/base/dd.c:831
[] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
[] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
[<838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
[<30d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
[<5bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
[] usb_set_configuration+0xe84/0x1ab0
drivers/usb/core/message.c:2030
[] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
[<98ade0f1>] usb_probe_device+0x90/0xd0
drivers/usb/core/driver.c:266
[<7806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
[] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
==


KASAN: use-after-free Read in printer_read

2020-06-02 Thread Kyungtae Kim
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)

This bug happened when accessing a deallocated instance in printer_read().

printer_read() tries to access lock_printer_io of the printer_dev instance
(f_printer.c:430). However, UAF arises because it had been freed
by gprinter_free().

To fix, we can check if an instance of printer_dev is still in use
before deallocating it.

kernel config: https://kt0755.github.io/etc/config_v5.6.11

==
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:938 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x13a7/0x14d0
kernel/locking/mutex.c:1103
Read of size 8 at addr 8880540c3890 by task syz-executor.0/6819

CPU: 1 PID: 6819 Comm: syz-executor.0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __mutex_lock_common kernel/locking/mutex.c:938 [inline]
 __mutex_lock+0x13a7/0x14d0 kernel/locking/mutex.c:1103
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
 printer_read+0xbc/0xd60 drivers/usb/gadget/function/f_printer.c:430
 __vfs_read+0x85/0x110 fs/read_write.c:425
 vfs_read+0x161/0x380 fs/read_write.c:461
 ksys_read+0x18a/0x220 fs/read_write.c:587
 __do_sys_read fs/read_write.c:597 [inline]
 __se_sys_read fs/read_write.c:595 [inline]
 __x64_sys_read+0x73/0xb0 fs/read_write.c:595
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4531a9
Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f0024694c78 EFLAGS: 0246 ORIG_RAX: 
RAX: ffda RBX: 0073bfa8 RCX: 004531a9
RDX: 006b RSI: 2100 RDI: 0003
RBP: 0003 R08:  R09: 
R10:  R11: 0246 R12: 004bd843
R13: 004d3468 R14: 7f00246956d4 R15: 

Allocated by task 2420:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
 configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
 vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
 do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
 __do_sys_symlinkat fs/namei.c:4242 [inline]
 __se_sys_symlinkat fs/namei.c:4239 [inline]
 __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6798:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3034 [inline]
 kfree+0xf7/0x410 mm/slub.c:3995
 gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353
 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
 config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
 configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
 vfs_unlink+0x287/0x570 fs/namei.c:4073
 do_unlinkat+0x4f9/0x620 fs/namei.c:4137
 __do_sys_unlink fs/namei.c:4184 [inline]
 __se_sys_unlink fs/namei.c:4182 [inline]
 __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8880540c3800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 144 bytes inside of
 1024-byte region [8880540c3800, 8880540c3c00)
The buggy address belongs to the page:
page:ea0001503000 refcount:1 mapcount:0 mapping:88806c00e300
index:0x8880540c4800 compound_mapcount: 0
flags: 0x1010200(slab|head)
raw: 01010200 ea0001ae3808 ea0001ac6c08 88806c00e300
raw: 8880540c4800 0017 0001 
page dumped because: kasan: bad access detected

Memory state around 
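Both printer reports above (printer_ioctl and printer_read) describe the same lifetime problem: gprinter_free() releases the printer_dev while a file descriptor opened on it is still in use, and the suggested fix is to check whether the instance is still in use before deallocating it. The following is an added userspace model of that fix, not the kernel's f_printer.c code. It uses a kref-style reference count: the binding holds one reference, each open descriptor holds another, and the object is released only when the last reference is dropped. The struct, the function names (printer_alloc, printer_open, printer_unbind, ...), the plain non-atomic counter and the single-threaded scenario are all assumptions made for the example; the kernel would use struct kref with atomic operations.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code: a reference-counted device object in the
 * style of struct kref. The object is freed only when the last holder lets
 * go, so an unlink racing with an open file descriptor cannot leave the
 * file operations (read/ioctl) pointing at freed memory. The counter is a
 * plain integer because the scenario below is single-threaded. */
struct printer_dev {
    unsigned int refcount;   /* holders: the binding plus each open fd */
    bool bound;              /* false once the function has been unlinked */
    char name[32];
};

static unsigned long frees;  /* counts real releases, for verification */

static void printer_dev_release(struct printer_dev *dev)
{
    frees++;
    memset(dev, 0xfb, sizeof(*dev));  /* poison as KASAN marks freed slabs */
    free(dev);
}

/* Take a reference; the caller must already hold one (kref_get semantics). */
static void printer_dev_get(struct printer_dev *dev)
{
    dev->refcount++;
}

/* Drop a reference and release on the last one (kref_put semantics). */
static bool printer_dev_put(struct printer_dev *dev)
{
    if (--dev->refcount == 0) {
        printer_dev_release(dev);
        return true;
    }
    return false;
}

/* gprinter_alloc analogue: the binding owns the initial reference. */
struct printer_dev *printer_alloc(const char *name)
{
    struct printer_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;
    dev->refcount = 1;
    dev->bound = true;
    strncpy(dev->name, name, sizeof(dev->name) - 1);
    return dev;
}

/* printer_open analogue: every open descriptor pins the object. */
int printer_open(struct printer_dev *dev)
{
    if (!dev->bound)
        return -ENODEV;
    printer_dev_get(dev);
    return 0;
}

/* printer_read/printer_ioctl analogue: the fd's reference keeps dev valid,
 * so touching its fields here is safe even after an unbind. */
int printer_read(struct printer_dev *dev)
{
    return dev->bound ? 0 : -ENODEV;
}

/* printer_close analogue: drops the descriptor's reference. */
void printer_close(struct printer_dev *dev)
{
    printer_dev_put(dev);
}

/* gprinter_free analogue: the unlink drops only the binding's reference. */
void printer_unbind(struct printer_dev *dev)
{
    dev->bound = false;
    printer_dev_put(dev);
}

unsigned long printer_frees(void)
{
    return frees;
}

/* The interleaving from the reports: open, unlink the function, then use
 * the fd. Returns 0 when the object survives the unbind, the read reports
 * -ENODEV instead of touching freed memory, and exactly one release
 * happens at close. */
int scenario_unbind_while_open(void)
{
    unsigned long before = frees;
    struct printer_dev *dev = printer_alloc("g_printer0");
    int rc;

    if (!dev || printer_open(dev) != 0)
        return -1;
    printer_unbind(dev);            /* task A: config_usb_cfg_unlink path */
    if (frees != before)
        return -2;                  /* freed under an open fd: the UAF */
    rc = printer_read(dev);         /* task B: read on the still-open fd */
    if (rc != -ENODEV)
        return -3;
    printer_close(dev);             /* last reference: released now */
    if (frees != before + 1)
        return -4;
    return 0;
}
```

The point of the model is where the release happens: not in the unlink path, but wherever the last reference is dropped, which may be a close() that arrives long after the configfs symlink is gone.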

Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store

2020-05-05 Thread Kyungtae Kim
On Fri, May 01, 2020 at 09:05:38AM +0200, Greg KH wrote:
> On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> > of syzkaller).
> >
> > This happened when the size of "name" buffer is smaller than that of
> > "page" buffer
> > (after function kstrdup executed at line 263).
> > I guess it comes from the "page" buffer containing 0 value in the middle.
> > So accessing the "name" buffer with "len" variable, which is used to
> > indicate the size of "page" buffer,
> > triggered memory access violation.
> > To fix, it may need to check the size of name buffer, and try to use
> > right index variable.
>
> Can you submit a patch for this as you have a reproducer to test the
> issue?
>
> thanks,
>
> greg k-h

I just submitted a patch after testing with the repro.

Regards,
Kyungtae


[PATCH] USB: gadget: fix illegal array access in binding with UDC

2020-05-05 Thread Kyungtae Kim
FuzzUSB (a variant of syzkaller) found an illegal array access
using an incorrect index while binding a gadget with UDC.

Reference: https://www.spinics.net/lists/linux-usb/msg194331.html

This bug occurs when a size variable used for a buffer
is misused to access its strcpy-ed buffer.
Given a buffer along with its size variable (taken from user input),
a new buffer is created from it using kstrdup().
Due to the original buffer containing 0 value in the middle,
the size of the kstrdup-ed buffer becomes smaller than that of the original.
So accessing the kstrdup-ed buffer with the same size variable
triggers memory access violation.

The fix makes sure there is no zero value in the buffer
by comparing the strlen() of the original buffer with the size variable,
so that the access to the kstrdup-ed buffer is safe.


BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/gadget/configfs.c:266
Read of size 1 at addr 88806a55dd7e by task syz-executor.0/17208

CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
 flush_write_buffer fs/configfs/file.c:251 [inline]
 configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe


Signed-off-by: Kyungtae Kim 
Reported-and-tested-by: Kyungtae Kim 

---
 drivers/usb/gadget/configfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 32b637e3e1fa..6a9aa4413d64 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store(struct
config_item *item,
char *name;
int ret;

+   if (strlen(page) < len)
+   return -EOVERFLOW;
+
name = kstrdup(page, GFP_KERNEL);
if (!name)
return -ENOMEM;
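Review bot: the condition `if (strlen(page) < len)` only works as an embedded-NUL detector because configfs terminates the write buffer at page[len], which makes strlen(page) <= len always hold; read on its own in gadget_dev_desc_UDC_store() it looks like a generic length test, so a one-line comment above it stating that invariant (and that a shorter strlen means a 0 byte inside the user data) would help the next reader. The return value is also worth a second look: -EOVERFLOW is unusual for rejected input, and -EINVAL is the conventional errno for a write whose contents are malformed.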
--
2.17.1


KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store

2020-04-30 Thread Kyungtae Kim
_execute_power_methods+0xda/0x1b1 drivers/acpi/acpica/uteval.c:288
 acpi_get_object_info+0x487/0x994 drivers/acpi/acpica/nsxfname.c:366
 acpi_set_pnp_ids drivers/acpi/scan.c:1245 [inline]
 acpi_init_device_object+0xbfd/0x17a0 drivers/acpi/scan.c:1585
 acpi_add_single_object+0x121/0x1710 drivers/acpi/scan.c:1620
 acpi_bus_check_add+0x1c9/0x4f0 drivers/acpi/scan.c:1873
 acpi_ns_walk_namespace+0x1d3/0x320 drivers/acpi/acpica/nswalk.c:236
 acpi_walk_namespace+0xb5/0xef drivers/acpi/acpica/nsxfeval.c:606
 acpi_bus_scan+0xdf/0xf0 drivers/acpi/scan.c:2054
 acpi_scan_init+0x264/0x5e4 drivers/acpi/scan.c:2218
 acpi_init+0x592/0x612 drivers/acpi/bus.c:1249
 do_one_initcall+0xe0/0x650 init/main.c:1152
 do_initcall_level init/main.c:1225 [inline]
 do_initcalls init/main.c:1241 [inline]
 do_basic_setup init/main.c:1261 [inline]
 kernel_init_freeable+0x5e8/0x67c init/main.c:1445
 kernel_init+0x13/0x1b0 init/main.c:1352
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at 88806a55dd68
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 14 bytes to the right of
 8-byte region [88806a55dd68, 88806a55dd70)
The buggy address belongs to the page:
page:ea0001a95740 refcount:1 mapcount:0 mapping:88806c00f980
index:0x88806a55dfd8
flags: 0x1000200(slab)
raw: 01000200 ea0001a95600 00050005 88806c00f980
raw: 88806a55dfd8 80aa0005 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88806a55dc00: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 88806a55dc80: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>88806a55dd00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
^
 88806a55dd80: fb fc fc fb fc fc 00 fc fc 00 fc fc fb fc fc fb
 88806a55de00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
======

Regards,
Kyungtae Kim


INFO: task hung in reiserfs_sync_fs

2019-02-11 Thread Kyungtae Kim
I'm reporting a bug in linux-4.19.19: "INFO: task hung in reiserfs_sync_fs"
(no reproducer)

=
INFO: task kworker/0:1:13513 blocked for more than 120 seconds.
  Not tainted 4.19.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/0:1 D27376 13513  2 0x8000
Workqueue: events_long flush_old_commits
Call Trace:
 context_switch kernel/sched/core.c:2824 [inline]
 __schedule+0x809/0x2160 kernel/sched/core.c:3472
 schedule+0x88/0x1c0 kernel/sched/core.c:3516
 schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:3574
 __mutex_lock_common kernel/locking/mutex.c:1002 [inline]
 __mutex_lock+0x50c/0x1330 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:1087
 reiserfs_write_lock+0x87/0x140 fs/reiserfs/lock.c:27
 reiserfs_sync_fs+0x77/0xf0 fs/reiserfs/super.c:76
 flush_old_commits+0x16d/0x210 fs/reiserfs/super.c:111
 process_one_work+0x9f7/0x1800 kernel/workqueue.c:2153
 worker_thread+0x8f/0xd20 kernel/workqueue.c:2296
 kthread+0x3a3/0x470 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
INFO: task syz-executor1:2786 blocked for more than 120 seconds.
  Not tainted 4.19.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor1   D27200  2786   6598 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2824 [inline]
 __schedule+0x809/0x2160 kernel/sched/core.c:3472
 schedule+0x88/0x1c0 kernel/sched/core.c:3516
 schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:3574
 __mutex_lock_common kernel/locking/mutex.c:1002 [inline]
 __mutex_lock+0x50c/0x1330 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:1087
 reiserfs_write_lock+0x87/0x140 fs/reiserfs/lock.c:27
 reiserfs_get_block+0x22c/0x45d0 fs/reiserfs/inode.c:688
 do_mpage_readpage+0x586/0x23b0 fs/mpage.c:231
 mpage_readpages+0x412/0x5a0 fs/mpage.c:404
 reiserfs_readpages+0x31/0x40 fs/reiserfs/inode.c:1167
 read_pages+0x117/0x5a0 mm/readahead.c:123
 __do_page_cache_readahead+0x503/0x660 mm/readahead.c:211
 ra_submit mm/internal.h:66 [inline]
 ondemand_readahead+0x465/0xd90 mm/readahead.c:493
 page_cache_sync_readahead+0xcd/0x120 mm/readahead.c:528
 generic_file_buffered_read mm/filemap.c:2092 [inline]
 generic_file_read_iter+0x162b/0x2520 mm/filemap.c:2362
 call_read_iter include/linux/fs.h:1805 [inline]
 new_sync_read fs/read_write.c:406 [inline]
 __vfs_read+0x535/0x6d0 fs/read_write.c:418
 vfs_read+0x139/0x370 fs/read_write.c:452
 ksys_read+0xde/0x1c0 fs/read_write.c:578
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x7e/0xc0 fs/read_write.c:586
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: 72 20 6c 69 6e 65 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 70
72 6f 63 65 73 73 65 64 0a 00 50 72 6f 63 65 73 73 69 6e 67 20 <6e> 65
78 74 20 61 63 74 69 6f 6e 0a 00 54 52 55 45 00 46 41 4c 53
RSP: 002b:7f632463ac68 EFLAGS: 0246 ORIG_RAX: 
RAX: ffda RBX: 7f632463b6cc RCX: 004497b9
RDX: 008c RSI: 2100 RDI: 0014
RBP: 0071bf58 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 8298 R14: 006f1338 R15: 7f632463b700
INFO: task syz-executor4:2784 blocked for more than 120 seconds.
  Not tainted 4.19.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4   D27712  2784   6606 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2824 [inline]
 __schedule+0x809/0x2160 kernel/sched/core.c:3472
 schedule+0x88/0x1c0 kernel/sched/core.c:3516
 io_schedule+0x21/0x80 kernel/sched/core.c:5139
 wait_on_page_bit_common mm/filemap.c:1100 [inline]
 __lock_page+0x2d2/0x3b0 mm/filemap.c:1273
 lock_page include/linux/pagemap.h:483 [inline]
 pagecache_get_page+0x4b3/0x870 mm/filemap.c:1554
 find_or_create_page include/linux/pagemap.h:322 [inline]
 grab_cache_page include/linux/pagemap.h:388 [inline]
 grab_tail_page fs/reiserfs/inode.c:2206 [inline]
 reiserfs_truncate_file+0x3fa/0xe60 fs/reiserfs/inode.c:2274
 reiserfs_vfs_truncate_file+0x37/0x50 fs/reiserfs/file.c:139
 reiserfs_direct_IO+0x205/0x270 fs/reiserfs/inode.c:3275
 generic_file_direct_write+0x20d/0x4a0 mm/filemap.c:3042
 __generic_file_write_iter+0x244/0x6c0 mm/filemap.c:3221
 generic_file_write_iter+0x31e/0x6e0 mm/filemap.c:3292
 call_write_iter include/linux/fs.h:1811 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x538/0x6e0 fs/read_write.c:487
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 

UBSAN: Undefined behaviour in fs/jfs/jfs_dmap.c

2019-02-11 Thread Kyungtae Kim
I'm reporting a bug in linux-4.19.19: "UBSAN: Undefined behaviour in
fs/jfs/jfs_dmap.c"
(don't have repro)

A memory access violation (invalid array index) arose in dmtree
function dbAdjTree().
For now, however, it's hard to say for sure whether this was caused by user-supplied input.

=
UBSAN: Undefined behaviour in fs/jfs/jfs_dmap.c:2915:15
index 342 is out of range for type 's8 [341]'
CPU: 0 PID: 3703 Comm: syz-executor6 Not tainted 4.19.19 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_out_of_bounds+0x174/0x1b8 lib/ubsan.c:386
 dbAdjTree+0x5e5/0x6b0 fs/jfs/jfs_dmap.c:2915
 dbSplit+0x170/0x230 fs/jfs/jfs_dmap.c:2694
 dbAdjCtl+0x357/0x9c0 fs/jfs/jfs_dmap.c:2569
 dbAllocDmap+0xd0/0x120 fs/jfs/jfs_dmap.c:2082
 dbAllocDmapLev+0x154/0x370 fs/jfs/jfs_dmap.c:2026
 dbAllocCtl+0x12b/0x7b0 fs/jfs/jfs_dmap.c:1866
 dbAllocAG+0x99e/0x1180 fs/jfs/jfs_dmap.c:1407
 dbAlloc+0x47c/0xb00 fs/jfs/jfs_dmap.c:863
 extBalloc fs/jfs/jfs_extent.c:531 [inline]
 extAlloc+0x4b4/0x1000 fs/jfs/jfs_extent.c:138
 jfs_get_block+0x5d0/0xbf0 fs/jfs/inode.c:257
 nobh_write_begin+0x35b/0xc90 fs/buffer.c:2607
 jfs_write_begin+0x42/0x100 fs/jfs/inode.c:322
 generic_perform_write+0x224/0x4f0 mm/filemap.c:3139
 __generic_file_write_iter+0x395/0x6c0 mm/filemap.c:3264
 generic_file_write_iter+0x31e/0x6e0 mm/filemap.c:3292
 call_write_iter include/linux/fs.h:1811 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x538/0x6e0 fs/read_write.c:487
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fde5da97c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7fde5da986cc RCX: 004497b9
RDX: 009e RSI: 2100 RDI: 0016
RBP: 0071bf58 R08:  R09: 
R10:  R11: 0246 R12: 
R13: bd90 R14: 006f4e30 R15: 7fde5da98700
=

Thanks,
Kyungtae


UBSAN: Undefined behaviour in fs/xfs/xfs_ioctl.c

2019-02-08 Thread Kyungtae Kim
I'm reporting a bug in linux-4.19.19: "UBSAN: Undefined behaviour in
fs/xfs/xfs_ioctl.c"

kernel config: https://kt0755.github.io/etc/config_4.19.19
repro: https://kt0755.github.io/etc/repro.8d35e.c (xfs is mounted on
/mnt/xfs/)

Integer overflow arose in xfs_ioc_space() when bf->l_start + bf->l_len
(at line 676) is larger than the boundary of its storage (i.e., long long int).
A sanity check right before it would help.

=
UBSAN: Undefined behaviour in fs/xfs/xfs_ioctl.c:676:18
signed integer overflow:
2378465760851919362 + 8382694012240466910 cannot be represented in
type 'long long int'
CPU: 0 PID: 8220 Comm: syz-executor2 Not tainted 4.19.19 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 xfs_ioc_space+0xb97/0xc70 fs/xfs/xfs_ioctl.c:676
 xfs_file_ioctl+0x101e/0x1690 fs/xfs/xfs_ioctl.c:1926
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1aa/0x1160 fs/ioctl.c:690
 ksys_ioctl+0x9e/0xb0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:710
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f7df3931c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f7df39326cc RCX: 004497b9
RDX: 2000 RSI: 020040305829 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5f70 R14: 006ef010 R15: 7f7df3932700
=

Thanks,
Kyungtae


UBSAN: Undefined behaviour in drivers/scsi/sr_ioctl.c

2019-01-24 Thread Kyungtae Kim
I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
drivers/scsi/sr_ioctl.c"

kernel config: https://kt0755.github.io/etc/config-5.0-rc2
repro: https://kt0755.github.io/etc/repro.01311.c (need to provide cdrom image)

Integer overflow arose in sr_select_speed() when "speed *= 177"
is larger than the size of the type "int".
A sanity check right before it would help.

=
UBSAN: Undefined behaviour in drivers/scsi/sr_ioctl.c:424:9
signed integer overflow:
-2147483648 * 177 cannot be represented in type 'int'
CPU: 0 PID: 22452 Comm: syz-executor4 Not tainted 5.0.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 sr_select_speed+0x179/0x1a0 drivers/scsi/sr_ioctl.c:424
 cdrom_ioctl_select_speed drivers/cdrom/cdrom.c:2435 [inline]
 cdrom_ioctl+0x850/0x2ffa drivers/cdrom/cdrom.c:3347
 sr_block_ioctl+0x129/0x180 drivers/scsi/sr.c:587
 __blkdev_driver_ioctl block/ioctl.c:303 [inline]
 blkdev_ioctl+0x1378/0x1b50 block/ioctl.c:605
 block_ioctl+0x105/0x150 fs/block_dev.c:1906
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1aa/0x1160 fs/ioctl.c:698
 ksys_ioctl+0x9e/0xb0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:718
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f4a70139c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f4a7013a6cc RCX: 004497b9
RDX: 8000 RSI: 5322 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 2dd8 R14: 006ebe78 R15: 7f4a7013a700
=========

Thanks,
Kyungtae Kim


Re: UBSAN: Undefined behaviour in net/ipv4/ip_output.c

2019-01-24 Thread Kyungtae Kim
That's my bad. Thank you for your comment and effort.

Regards,
Kyungtae Kim


On Wed, Jan 23, 2019 at 4:34 PM Willem de Bruijn
 wrote:
>
> On Mon, Jan 21, 2019 at 2:25 PM Kyungtae Kim  wrote:
> >
> > I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
> > net/ipv4/ip_output.c"
> >
> > kernel config: https://kt0755.github.io/etc/config-5.0-rc2
> > repro: https://kt0755.github.io/etc/repro.b6a11.c
>
> Thanks for the report.
>
> That reproducer does not seem to exercise system call sendmsg. Did you
> mean to share another? Perhaps one that users SO_SNDBUFFORCE or
> sysctl_wmem_max.
>
> When constructing a reproducer, I did easily trigger an UBSAN warning
> when setting SO_SNDBUFFORCE to INT_MAX - 1, so I can imagine that this
> one can trigger, as well. As long as sk_sndbuf can be set to any
> integer value, we'll have to be careful with any such multiplication.
>
> > Integer overflow happened in __ip_append_data() when 2 * sk->sk_sndbuf
> > (at line 1004)
> > is larger than the boundary of the destination (i.e., int).
> > Some sanity check code right before it would help.
> >
> > =
> > UBSAN: Undefined behaviour in net/ipv4/ip_output.c:1004:11
> > signed integer overflow:
> > 1282607372 * 2 cannot be represented in type 'int'
> > CPU: 0 PID: 8465 Comm: syz-executor4 Not tainted 5.0.0-rc2 #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0xb1/0x118 lib/dump_stack.c:113
> >  ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
> >  handle_overflow+0x1cf/0x21a lib/ubsan.c:190
> >  __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
> >  __ip_append_data+0x30ed/0x3350 net/ipv4/ip_output.c:1004
> >  ip_append_data.part.18+0xf3/0x170 net/ipv4/ip_output.c:1220
> >  ip_append_data+0x63/0x80 net/ipv4/ip_output.c:1209
> >  raw_sendmsg+0xd99/0x2b60 net/ipv4/raw.c:670
> >  inet_sendmsg+0xfc/0x620 net/ipv4/af_inet.c:798
> >  sock_sendmsg_nosec net/socket.c:621 [inline]
> >  sock_sendmsg+0xdd/0x130 net/socket.c:631
> >  ___sys_sendmsg+0x7b3/0x950 net/socket.c:2116
> >  __sys_sendmsg+0xfc/0x1d0 net/socket.c:2154
> >  __do_sys_sendmsg net/socket.c:2163 [inline]
> >  __se_sys_sendmsg net/socket.c:2161 [inline]
> >  __x64_sys_sendmsg+0x83/0xc0 net/socket.c:2161
> >  do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4497b9
> > Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
> > 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> > 01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:7f0d0100bc68 EFLAGS: 0246 ORIG_RAX: 002e
> > RAX: ffda RBX: 7f0d0100c6cc RCX: 004497b9
> > RDX:  RSI: 2500 RDI: 0013
> > RBP: 0071bea0 R08:  R09: 
> > R10:  R11: 0246 R12: 
> > R13: 89a0 R14: 006f1a40 R15: 7f0d0100c700
> > =
> >
> > Thanks,
> > Kyungtae


UBSAN: Undefined behaviour in net/ipv4/ip_output.c

2019-01-21 Thread Kyungtae Kim
I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
net/ipv4/ip_output.c"

kernel config: https://kt0755.github.io/etc/config-5.0-rc2
repro: https://kt0755.github.io/etc/repro.b6a11.c

Integer overflow happened in __ip_append_data() when 2 * sk->sk_sndbuf
(at line 1004)
is larger than the boundary of the destination (i.e., int).
Some sanity check code right before it would help.

=
UBSAN: Undefined behaviour in net/ipv4/ip_output.c:1004:11
signed integer overflow:
1282607372 * 2 cannot be represented in type 'int'
CPU: 0 PID: 8465 Comm: syz-executor4 Not tainted 5.0.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 __ip_append_data+0x30ed/0x3350 net/ipv4/ip_output.c:1004
 ip_append_data.part.18+0xf3/0x170 net/ipv4/ip_output.c:1220
 ip_append_data+0x63/0x80 net/ipv4/ip_output.c:1209
 raw_sendmsg+0xd99/0x2b60 net/ipv4/raw.c:670
 inet_sendmsg+0xfc/0x620 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x7b3/0x950 net/socket.c:2116
 __sys_sendmsg+0xfc/0x1d0 net/socket.c:2154
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg net/socket.c:2161 [inline]
 __x64_sys_sendmsg+0x83/0xc0 net/socket.c:2161
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f0d0100bc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f0d0100c6cc RCX: 004497b9
RDX:  RSI: 2500 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 89a0 R14: 006f1a40 R15: 7f0d0100c700
=

Thanks,
Kyungtae


INFO: task hung in drop_inmem_page

2019-01-18 Thread Kyungtae Kim
6d5 (sb_writers#8){.+.+}, at: sb_start_write
include/linux/fs.h:1550 [inline]
 #0: 6dfdd6d5 (sb_writers#8){.+.+}, at:
mnt_want_write_file+0x12a/0x340 fs/namespace.c:497
 #1: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
inode_lock include/linux/fs.h:713 [inline]
 #1: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
f2fs_ioc_start_atomic_write fs/f2fs/file.c:1671 [inline]
 #1: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
f2fs_ioctl+0x101b/0x6c50 fs/f2fs/file.c:2853
3 locks held by syz-executor5/10897:
 #0: b6b59b71 (&f->f_pos_lock){+.+.}, at:
__fdget_pos+0xd6/0x100 fs/file.c:766
 #1: 6dfdd6d5 (sb_writers#8){.+.+}, at: file_start_write
include/linux/fs.h:2719 [inline]
 #1: 6dfdd6d5 (sb_writers#8){.+.+}, at: vfs_write+0x469/0x570
fs/read_write.c:548
 #2: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
inode_lock include/linux/fs.h:713 [inline]
 #2: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
f2fs_file_write_iter+0x27a/0xcd0 fs/f2fs/file.c:2917
1 lock held by syz-executor5/10898:
 #0: b6b59b71 (&f->f_pos_lock){+.+.}, at:
__fdget_pos+0xd6/0x100 fs/file.c:766

=

Thanks,
Kyungtae Kim


KASAN: use-after-free Read in ata_scsi_mode_select_xlat

2019-01-17 Thread Kyungtae Kim
o the page:
page:ea00045c5c80 count:1 mapcount:0 mapping:
index:0x0 compound_mapcount: 0
flags: 0x2008100(slab|head)
raw: 02008100   0001800c000c
raw: ea00043e7100 00050005 88011a003080 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880117171f00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 880117171f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>880117172000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
   ^
 880117172080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880117172100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
=====

Thanks,
Kyungtae Kim


UBSAN: Undefined behaviour in fs/f2fs/extent_cache.c

2019-01-15 Thread Kyungtae Kim
We report a bug in linux-4.20.2: "UBSAN: Undefined behaviour in
fs/f2fs/extent_cache.c"

kernel config: https://kt0755.github.io/etc/config_v4.20_stable
repro: https://kt0755.github.io/etc/repro.4a3e7.c (f2fs is mounted on
/mnt/f2fs/)

This arose in f2fs_update_extent_tree_range (fs/f2fs/extent_cache.c:605).
It seems that, for some reason, its last argument became "24"
although it was supposed to be of bool type.

=
UBSAN: Undefined behaviour in fs/f2fs/extent_cache.c:605:4
load of value 24 is not a valid value for type '_Bool'
CPU: 0 PID: 6774 Comm: syz-executor5 Not tainted 4.20.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_load_invalid_value+0x17a/0x1be lib/ubsan.c:457
 f2fs_update_extent_tree_range+0x1d4a/0x1d50 fs/f2fs/extent_cache.c:605
 f2fs_update_extent_cache+0x2b6/0x350 fs/f2fs/extent_cache.c:804
 f2fs_update_data_blkaddr+0x61/0x70 fs/f2fs/data.c:656
 f2fs_outplace_write_data+0x1d6/0x4b0 fs/f2fs/segment.c:3140
 f2fs_convert_inline_page+0x86d/0x2060 fs/f2fs/inline.c:163
 f2fs_convert_inline_inode+0x6b5/0xad0 fs/f2fs/inline.c:208
 f2fs_preallocate_blocks+0x78b/0xb00 fs/f2fs/data.c:982
 f2fs_file_write_iter+0x31b/0xf40 fs/f2fs/file.c:3062
 call_write_iter include/linux/fs.h:1857 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x538/0x6e0 fs/read_write.c:487
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f1ea15edc68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f1ea15ee6cc RCX: 004497b9
RDX: 1000 RSI: 2140 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: bb50 R14: 006f4bf0 R15: 7f1ea15ee700
=====

Thanks,
Kyungtae Kim


UBSAN: Undefined behaviour in drivers/input/misc/uinput.c

2019-01-14 Thread Kyungtae Kim
We report a bug in linux-4.19.13: "UBSAN: Undefined behaviour in
drivers/input/misc/uinput.c"

kernel config: https://kt0755.github.io/etc/config_4.19.13
repro: https://kt0755.github.io/etc/repro.c4925.c

An integer overflow arose in uinput_validate_absinfo
(drivers/input/misc/uinput.c:420).
To be specific, "if (abs->flat > max - min)" cannot be represented in
type 'int'.
Thing is, in this case, abs->flat, max and min come from user supplied input.
To fix, an appropriate sanity check of that calculation should be
placed right before the usage.

=
UBSAN: Undefined behaviour in drivers/input/misc/uinput.c:420:22
signed integer overflow:
841280591 - -1832774988 cannot be represented in type 'int'
CPU: 0 PID: 7372 Comm: syz-executor3 Not tainted 4.19.13 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_sub_overflow+0x2a/0x31 lib/ubsan.c:206
 uinput_validate_absinfo.isra.2+0x194/0x1a0 drivers/input/misc/uinput.c:420
 uinput_abs_setup drivers/input/misc/uinput.c:503 [inline]
 uinput_ioctl_handler+0xa57/0x1bf0 drivers/input/misc/uinput.c:1036
 uinput_ioctl+0x2d/0x40 drivers/input/misc/uinput.c:1048
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1aa/0x1160 fs/ioctl.c:690
 ksys_ioctl+0x9e/0xb0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:710
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f7b273c3c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f7b273c46cc RCX: 004497b9
RDX: 2000 RSI: 004040105504 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5ca0 R14: 006eed40 R15: 7f7b273c4700
=====

Thanks,
Kyungtae Kim


Re: UBSAN: Undefined behaviour in net/can/bcm.c

2019-01-12 Thread Kyungtae Kim
On Sat, Jan 12, 2019 at 3:02 PM Oliver Hartkopp  wrote:
>
> So there could potentially be some other users of timeval_to_ktime()
> that might have the same issue.
>

The following would be the one related.

=
UBSAN: Undefined behaviour in ./include/linux/ktime.h:42:14
signed integer overflow:
-3428892174463270912 * 10 cannot be represented in type 'long int'
CPU: 0 PID: 7024 Comm: syz-executor6 Not tainted 4.19.13 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 bcm_timeval_to_ktime include/linux/ktime.h:42 [inline]
 bcm_rx_setup net/can/bcm.c:1189 [inline]
 bcm_sendmsg+0x35ea/0x3fd0 net/can/bcm.c:1355
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 sock_write_iter+0x24b/0x3d0 net/socket.c:900
 call_write_iter include/linux/fs.h:1811 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x538/0x6e0 fs/read_write.c:487
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f6045f43c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f6045f446cc RCX: 004497b9
RDX: 0048 RSI: 20c0 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: ba60 R14: 006f4b00 R15: 7f6045f44700
=

Thanks,
Kyungtae Kim


UBSAN: Undefined behaviour in net/can/bcm.c

2019-01-12 Thread Kyungtae Kim
We report a bug in linux-4.19.13: "UBSAN: Undefined behaviour in net/can/bcm.c"

kernel config: https://kt0755.github.io/etc/config_4.19.13
repro: https://kt0755.github.io/etc/repro.296b5.c

An integer overflow arose in bcm_timeval_to_ktime() when
tv.tv_usec * NSEC_PER_USEC is larger than the boundary of the
destination (i.e., long).
To fix, an appropriate boundary check should be placed right before the usage.

=
UBSAN: Undefined behaviour in net/can/bcm.c:140:41
signed integer overflow:
60870466536963773 * 1000 cannot be represented in type 'long int'
CPU: 0 PID: 7063 Comm: syz-executor3 Not tainted 4.19.13 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 bcm_timeval_to_ktime net/can/bcm.c:140 [inline]
 bcm_rx_setup net/can/bcm.c:1190 [inline]
 bcm_sendmsg+0x3807/0x3fd0 net/can/bcm.c:1355
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 sock_write_iter+0x24b/0x3d0 net/socket.c:900
 call_write_iter include/linux/fs.h:1811 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x538/0x6e0 fs/read_write.c:487
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fc2e6feac68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7fc2e6feb6cc RCX: 004497b9
RDX: 0048 RSI: 20c0 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: ba60 R14: 006f4b00 R15: 7fc2e6feb700
=====

Thanks,
Kyungtae Kim


Re: UBSAN: Undefined behaviour in drivers/pps/pps.c

2019-01-10 Thread Kyungtae Kim
It seems that timeout.nsec doesn't need to be patched.
But before going further, I'm just curious: why are such timeout variables
in the kernel
defined as signed types in the first place?

Thanks,
Kyungtae Kim

On Wed, Jan 9, 2019 at 4:20 AM Rodolfo Giometti  wrote:
>
> On 08/01/2019 21:24, Kyungtae Kim wrote:
> > We report a bug in linux-4.20: "UBSAN: Undefined behaviour in 
> > drivers/pps/pps.c"
> >
> > kernel config: https://kt0755.github.io/etc/config_v4.20_stable
> > repro: https://kt0755.github.io/etc/repro.a6372.c
> >
> > pps_cdev_pps_fetch() lacks bounds checking when computing
> > fdata->timeout.sec * HZ, which causes an integer overflow when the result
> > is larger than the boundary.
> > The patch below checks for the possibility of overflow right before the
> > multiplication.
> >
> > =
> > UBSAN: Undefined behaviour in drivers/pps/pps.c:82:30
> > signed integer overflow:
> > -7557201428062104791 * 100 cannot be represented in type 'long long int'
> > CPU: 0 PID: 10159 Comm: syz-executor6 Not tainted 4.20.0 #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xb1/0x118 lib/dump_stack.c:113
> >   ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
> >   handle_overflow+0x1cf/0x21a lib/ubsan.c:190
> >   __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
> >   pps_cdev_pps_fetch+0x575/0x5b0 drivers/pps/pps.c:82
> >   pps_cdev_ioctl+0x567/0x910 drivers/pps/pps.c:191
> >   vfs_ioctl fs/ioctl.c:46 [inline]
> >   do_vfs_ioctl+0x1aa/0x1160 fs/ioctl.c:698
> >   ksys_ioctl+0x9e/0xb0 fs/ioctl.c:713
> >   __do_sys_ioctl fs/ioctl.c:720 [inline]
> >   __se_sys_ioctl fs/ioctl.c:718 [inline]
> >   __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:718
> >   do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4497b9
> > Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
> > 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> > 01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:7f8cf875bc68 EFLAGS: 0246 ORIG_RAX: 0010
> > RAX: ffda RBX: 7f8cf875c6cc RCX: 004497b9
> > RDX: 2240 RSI: c00870a4 RDI: 0014
> > RBP: 0071bea0 R08:  R09: 
> > R10:  R11: 0246 R12: 
> > R13: 5c10 R14: 006eecb0 R15: 7f8cf875c700
> > =
> >
> > ---
> >   drivers/pps/pps.c | 2 ++
> >   1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
> > index 8febacb..66002e1 100644
> > --- a/drivers/pps/pps.c
> > +++ b/drivers/pps/pps.c
> > @@ -79,6 +79,8 @@ static int pps_cdev_pps_fetch(struct pps_device
> > *pps, struct pps_fdata *fdata)
> >  dev_dbg(pps->dev, "timeout %lld.%09d\n",
> >  (long long) fdata->timeout.sec,
> >  fdata->timeout.nsec);
> > +   if (fdata->timeout.sec > S64_MAX / HZ)
> > +   return -EINVAL;
> >  ticks = fdata->timeout.sec * HZ;
> >  ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);
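Review bot: the new check `if (fdata->timeout.sec > S64_MAX / HZ)` only bounds the positive side, yet the UBSAN line quoted in this same mail shows the overflowing operand is negative (-7557201428062104791 * 100), so that reproducer passes the check and `ticks = fdata->timeout.sec * HZ;` still overflows; add the lower bound (`fdata->timeout.sec < S64_MIN / HZ`) or reject negative timeouts outright. The following `ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);` also consumes `timeout.nsec` unchecked, so a range check (0 <= nsec < NSEC_PER_SEC) next to the new one would close the remaining user-controlled path.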
>
> It looks good to me. Do you think is better adding a check for timeout.nsec 
> also?
>
> Now you have to produce a patch according to
> linux/Documentation/process/submitting-patches.rst and then submitting it! :-)
>
> Ciao,
>
> Rodolfo
>
> --
> GNU/Linux Solutions  e-mail: giome...@enneenne.com
> Linux Device Driver  giome...@linux.it
> Embedded Systems phone:  +39 349 2432127
> UNIX programming skype:  rodolfo.giometti


UBSAN: Undefined behaviour in drivers/pps/pps.c

2019-01-08 Thread Kyungtae Kim
We report a bug in linux-4.20: "UBSAN: Undefined behaviour in drivers/pps/pps.c"

kernel config: https://kt0755.github.io/etc/config_v4.20_stable
repro: https://kt0755.github.io/etc/repro.a6372.c

pps_cdev_pps_fetch() lacks bounds checking when computing
fdata->timeout.sec * HZ, which causes an integer overflow when the result
is larger than the boundary.
The patch below checks for the possibility of overflow right before the
multiplication.

=
UBSAN: Undefined behaviour in drivers/pps/pps.c:82:30
signed integer overflow:
-7557201428062104791 * 100 cannot be represented in type 'long long int'
CPU: 0 PID: 10159 Comm: syz-executor6 Not tainted 4.20.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 pps_cdev_pps_fetch+0x575/0x5b0 drivers/pps/pps.c:82
 pps_cdev_ioctl+0x567/0x910 drivers/pps/pps.c:191
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1aa/0x1160 fs/ioctl.c:698
 ksys_ioctl+0x9e/0xb0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:718
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f8cf875bc68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f8cf875c6cc RCX: 004497b9
RDX: 2240 RSI: c00870a4 RDI: 0014
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5c10 R14: 006eecb0 R15: 7f8cf875c700
=

---
 drivers/pps/pps.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
index 8febacb..66002e1 100644
--- a/drivers/pps/pps.c
+++ b/drivers/pps/pps.c
@@ -79,6 +79,8 @@ static int pps_cdev_pps_fetch(struct pps_device
*pps, struct pps_fdata *fdata)
dev_dbg(pps->dev, "timeout %lld.%09d\n",
(long long) fdata->timeout.sec,
fdata->timeout.nsec);
+   if (fdata->timeout.sec > S64_MAX / HZ)
+   return -EINVAL;
ticks = fdata->timeout.sec * HZ;
ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);
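Review bot: the new check `if (fdata->timeout.sec > S64_MAX / HZ)` only bounds the positive side, yet the UBSAN line in this report shows the overflowing operand is negative (-7557201428062104791 * 100), so that reproducer passes the check and `ticks = fdata->timeout.sec * HZ;` still overflows; add the lower bound (`fdata->timeout.sec < S64_MIN / HZ`) or reject negative timeouts outright. The following `ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);` also consumes `timeout.nsec` unchecked, so a range check (0 <= nsec < NSEC_PER_SEC) next to the new one would close the remaining user-controlled path.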

Thanks,
Kyungtae Kim


Re: general protection fault in spk_ttyio_ldisc_close

2019-01-08 Thread Kyungtae Kim
On Tue, Jan 8, 2019 at 8:50 AM Greg KH  wrote:
>
> On Tue, Jan 08, 2019 at 08:37:37AM -0500, Kyungtae Kim wrote:
> > We report a bug in linux-4.20: "general protection fault in
> > spk_ttyio_ldisc_close"
> >
> > kernel config: https://kt0755.github.io/etc/config_v4.20_stable
> > repro: https://kt0755.github.io/etc/repro.a670e.c
> >
> > This occurs when the function kfree is about to execute
> > (drivers/staging/speakup/spk_ttyio.c:68).
> > In particular, kfree takes an argument like speakup_tty->disc_data.
> > But speakup_tty is invalid, so the pointer dereference causes a GPF.
> > At a glance, it seems that speakup_tty was deallocated somewhere ahead of
> > kfree.
>
> How did you trigger this?  Did you shut down and close the device
> already somehow?  Do you have a real tty device that is driven by the
> device?
>
> thanks,
>
> greg k-h

For this crash, we did it without a real speakup tty device.
I'm currently trying to figure out how this actually happens.

Thanks,
Kyungtae Kim


general protection fault in spk_ttyio_ldisc_close

2019-01-08 Thread Kyungtae Kim
We report a bug in linux-4.20: "general protection fault in
spk_ttyio_ldisc_close"

kernel config: https://kt0755.github.io/etc/config_v4.20_stable
repro: https://kt0755.github.io/etc/repro.a670e.c

This occurs when the function kfree is about to execute
(drivers/staging/speakup/spk_ttyio.c:68).
In particular, kfree takes an argument like speakup_tty->disc_data.
But speakup_tty is invalid, so the pointer dereference causes a GPF.
At a glance, it seems that speakup_tty was deallocated somewhere ahead of kfree.

=
general protection fault:  [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 13246 Comm: syz-executor7 Not tainted 4.20.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:spk_ttyio_ldisc_close+0x3f/0x80 drivers/staging/speakup/spk_ttyio.c:68
Code: 35 95 8c e8 43 03 60 01 48 8b 1d dc 2e 3f 07 48 ba 00 00 00 00
00 fc ff df 48 8d bb 70 05 00 00 48 89 f8 48 c1 e8 03 48 01 d0 <80> 38
00 75 26 48 8b bb 70 05 00 00 e8 a0 68 4f fa 48 c7 c7 c0 35
RSP: 0018:88810e6f7960 EFLAGS: 00010282
RAX: dcae RBX:  RCX: 111021cdef00
RDX: dc00 RSI: 0008 RDI: 0570
RBP: 88810e6f7968 R08: fbfff192a6b9 R09: fbfff192a6b9
R10: 88810e6f7950 R11: fbfff192a6b8 R12: 8881063ee6b0
R13: 87471020 R14: 8881063eeea8 R15: 888116ec7b80
FS:  7f607f746700() GS:88811a00() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 006fb2e0 CR3: 00010f186000 CR4: 06f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 tty_ldisc_close drivers/tty/tty_ldisc.c:477 [inline]
 tty_ldisc_kill+0xef/0x1a0 drivers/tty/tty_ldisc.c:623
 tty_ldisc_release+0x111/0x230 drivers/tty/tty_ldisc.c:790
 tty_release_struct+0x1f/0x60 drivers/tty/tty_io.c:1595
 tty_release+0xb80/0x11c0 drivers/tty/tty_io.c:1768
 __fput+0x2b8/0x7a0 fs/file_table.c:278
 fput+0x1a/0x20 fs/file_table.c:309
 task_work_run+0x15b/0x1e0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x8d6/0x30d0 kernel/exit.c:867
 do_group_exit+0x13d/0x370 kernel/exit.c:970
 get_signal+0x6bb/0x1890 kernel/signal.c:2517
 do_signal+0x8c/0x1a10 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x186/0x1d0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x445/0x4f0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f607f745ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0071bf80 RCX: 004497b9
RDX:  RSI:  RDI: 0071bf80
RBP: 0071bf80 R08:  R09: 0071bf58
R10:  R11: 0246 R12: 
R13:  R14: 7f607f7469c0 R15: 7f607f746700
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
=========

Thanks,
Kyungtae Kim


Fwd: UBSAN: Undefined behaviour in drivers/input/mousedev.c

2018-11-25 Thread Kyungtae Kim
-- Forwarded message -
From: Kyungtae Kim
Date: Mon, Nov 26, 2018 at 12:26 AM
Subject: UBSAN: Undefined behaviour in drivers/input/mousedev.c
Cc: Byoungyoung Lee, DaeRyong Jeong


We report a crash found in v4.20-rc2:

kernel config: https://kt0755.github.io/etc/config_v4.20
repro: https://kt0755.github.io/etc/repro.5266f.c

In mousedev_rel_event(), "mousedev->packet.dx += value"
(drivers/input/mousedev.c:212) causes an integer overflow
when the result of the calculation is larger than the size of dx.
This can arise because "value" originates from user input
(via evdev_write), and there is no sanity check along the path.

It's not certain that this crash would be tolerable despite its occurrence.
But one way to stop it is to use a bounds check before using the value.


Crash log:
===
UBSAN: Undefined behaviour in drivers/input/mousedev.c:212:23
signed integer overflow:
1240408832 + 1240408832 cannot be represented in type 'int'
CPU: 0 PID: 10708 Comm: syz-executor3 Not tainted 4.20.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x2dc/0x327 lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 mousedev_rel_event drivers/input/mousedev.c:212 [inline]
 mousedev_event+0x14ad/0x1830 drivers/input/mousedev.c:370
 input_to_handler+0x414/0x510 drivers/input/input.c:121
 input_pass_values.part.10+0x4ed/0x6c0 drivers/input/input.c:148
 input_pass_values drivers/input/input.c:401 [inline]
 input_handle_event+0x3f0/0x1200 drivers/input/input.c:401
 input_inject_event+0x22f/0x31e drivers/input/input.c:466
 evdev_write+0x483/0x7a0 drivers/input/evdev.c:565
 __vfs_write+0x109/0x6e0 fs/read_write.c:485
 vfs_write+0x1b3/0x520 fs/read_write.c:549
 ksys_write+0xde/0x1c0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x7e/0xc0 fs/read_write.c:607
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f4148cd3c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f4148cd46cc RCX: 004497b9
RDX: 02a6 RSI: 2080 RDI: 0014
RBP: 0071c010 R08:  R09: 
R10:  R11: 0246 R12: 
R13: b820 R14: 006f48c0 R15: 7f4148cd4700
==========

Thanks,
Kyungtae Kim
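
Checked versions of the user-controlled computations flagged in the pps, uinput, net/can/bcm and mousedev reports above, as an added example that is neither kernel code nor any patch from these threads. It assumes HZ=100 and the usual time-unit constants, models the kernel's check_*_overflow() helpers with the same compiler builtins, and also shows that the one-sided check in the posted pps patch lets the logged negative timeout through.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel constants assumed for this example: HZ=100 (the "* 100" in the
 * pps log) and the standard time-unit ratios (the "* 1000" in the bcm log). */
#define HZ            100
#define NSEC_PER_SEC  1000000000L
#define USEC_PER_SEC  1000000L
#define NSEC_PER_USEC 1000L

/* The posted pps patch only tests sec > S64_MAX / HZ.  Returns true when
 * that check would reject the value. */
bool pps_patch_check_rejects(int64_t sec)
{
    return sec > INT64_MAX / HZ;
}

/* pps: user timeout -> jiffies with every step checked.  Returns the tick
 * count, or -errno.  Negative timeouts are rejected (assumption of this
 * example: they carry no meaning for a wait), which also covers the
 * negative value in the log. */
int64_t pps_timeout_to_ticks(int64_t sec, int32_t nsec)
{
    int64_t t;

    if (sec < 0 || nsec < 0 || nsec >= NSEC_PER_SEC)
        return -EINVAL;
    if (__builtin_mul_overflow(sec, (int64_t)HZ, &t) ||
        __builtin_add_overflow(t, (int64_t)(nsec / (NSEC_PER_SEC / HZ)), &t))
        return -ERANGE;
    return t;
}

/* uinput: "abs->flat > max - min" where min, max and flat all come from the
 * ioctl payload.  The ordering rule on min/max is an assumption of this
 * example; the checked subtraction is the point. */
int uinput_absinfo_check(int32_t min, int32_t max, int32_t flat)
{
    int32_t range;

    if ((min != 0 || max != 0) && max <= min)
        return -EINVAL;
    if (__builtin_sub_overflow(max, min, &range))
        return -ERANGE;              /* max - min does not fit in int */
    if (flat < 0 || flat > range)
        return -EINVAL;
    return 0;
}

/* can/bcm: timeval -> nanoseconds.  Range-checking tv_usec first makes the
 * multiplication safe; the logged tv_usec is far above USEC_PER_SEC.
 * Returns nanoseconds or -errno. */
int64_t bcm_timeval_to_ns(int64_t tv_sec, int64_t tv_usec)
{
    int64_t s, u, ns;

    if (tv_sec < 0 || tv_usec < 0 || tv_usec >= USEC_PER_SEC)
        return -EINVAL;
    if (__builtin_mul_overflow(tv_sec, NSEC_PER_SEC, &s) ||
        __builtin_mul_overflow(tv_usec, NSEC_PER_USEC, &u) ||
        __builtin_add_overflow(s, u, &ns))
        return -ERANGE;
    return ns;
}

/* mousedev: "packet.dx += value" accumulates motion injected through
 * evdev_write.  Saturate instead of wrapping so an injected stream cannot
 * flip the sign of the accumulated delta. */
int32_t mousedev_accumulate(int32_t dx, int32_t value)
{
    int32_t sum;

    if (__builtin_add_overflow(dx, value, &sum))
        return value > 0 ? INT32_MAX : INT32_MIN;
    return sum;
}

int main(void)
{
    /* Operands copied from the UBSAN lines of the reports above. */
    printf("pps patch rejects logged sec: %d\n",
           pps_patch_check_rejects(-7557201428062104791LL));
    printf("pps checked: %lld\n",
           (long long)pps_timeout_to_ticks(-7557201428062104791LL, 0));
    printf("uinput: %d\n", uinput_absinfo_check(-1832774988, 841280591, 0));
    printf("bcm: %lld\n", (long long)bcm_timeval_to_ns(0, 60870466536963773LL));
    printf("mousedev: %d\n", mousedev_accumulate(1240408832, 1240408832));
    return 0;
}
```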


Re: BUG: unable to handle kernel NULL pointer dereference in write_port

2018-11-21 Thread Kyungtae Kim
Ah, I got that. Thanks.

Kyungtae


Re: BUG: unable to handle kernel NULL pointer dereference in write_port

2018-11-21 Thread Kyungtae Kim
Thank you for your reply.
But I think this kind of crash can occur on a real PC as well, and I'm
just thinking of some way to stop it in the first place (if possible),
because malicious users could use this to make the whole system
(kernel) work incorrectly.

Thanks,
Kyungtae


Re: KMSAN: uninit-value in rcu_accelerate_cbs / KMSAN: uninit-value in rcu_process_callbacks

2018-11-14 Thread Kyungtae Kim
Thank you for all your comments.

Thanks,
Kyungtae Kim
On Wed, Nov 14, 2018 at 11:05 AM Paul E. McKenney  wrote:
>
> On Wed, Nov 14, 2018 at 04:31:11PM +0100, Alexander Potapenko wrote:
> > On Wed, Nov 14, 2018 at 4:09 PM Paul E. McKenney  
> > wrote:
> > >
> > > On Wed, Nov 14, 2018 at 04:03:33AM -0500, Kyungtae Kim wrote:
> > > > We report two crashes in v4.19-rc8 (4.20-rc1 as well, I guess):
> > > > (Unfortunately, there is no repro for those.)
> > > >
> > > > The two crashes seem to share the same issue.
> > > > In both cases, (uninitialized) memory access violation occurs
> > > > when "rdp->cblist" is about to be accessed 
> > > > (kernel/rcu/tree.c:2838,1728).
> > > > I guess those are freed before the use, but I still haven't figured
> > > > out the reason why.
> > > > I'm looking forward to some help.
> >
> > First of all, I'd avoid reporting KMSAN bugs without clear reproducers.
> > The tool is still in beta and may still give false positives due to
> > either missed initialization or rare memory corruptions.
>
> OK, I will set this aside, then, thank you!
>
> Thanx, Paul
>
> > > You lost me on this one.  In both cases, rdp references a per-CPU
> > > variable that is implicitly initialized to all zeroes, due to being
> > > (sort of) a C-language global.
> > >
> > > If a callback is queued early, then the following lines in __call_rcu()
> > > will make an honest list of that field because of the :
> > >
> > > if (rcu_segcblist_empty(&rdp->cblist))
> > > rcu_segcblist_init(&rdp->cblist);
> > >
> > > Otherwise, when rcu_init() is invoked during early boot, we have this
> > > in rcu_init_percpu_data(), which is called from rcutree_prepare_cpu()
> > > which is called from rcu_init(), which is called from start_kernel():
> > >
> > > if (rcu_segcblist_empty(&rdp->cblist) && /* No early-boot CBs? */
> > > !init_nocb_callback_list(rdp))
> > > rcu_segcblist_init(&rdp->cblist);  /* Re-enable
> > > callbacks. */
> > >
> > > So either init_nocb_callback_list() initializes the alternative callback
> > > lists for a no-CBs CPU or rcu_segcblist_init() again makes an honest
> > > list of that field.
> > >
> > > My guess is that your tool is missing the
> > >
> > > rdp = this_cpu_ptr(rsp->rda);
> > >
> > > in the __call_rcu() case, and also missing the
> > >
> > > struct rcu_data *rdp = per_cpu_ptr(rsp->rda, cpu);
> > >
> > > Note that the ->rda field is explicitly compile-time initialized to
> > > the base address of the per-CPU variable, which is rcu_preempt_data,
> > > rcu_bh_data, or rcu_sched_data, depending on which RCU flavor is at hand.
> > > (In v4.20-rc1, these are all merged into a single flavor to rule them 
> > > all.)
> > >
> > > Alternatively, your tool might be missing the implicit initialization
> > > of per-CPU variables.
> > This used to be fine, but after rebasing to v4.20-rc2 I also started
> > seeing strange reports on per-CPU variables. Taking a look.
> > > Or maybe I am missing something.  If so, please let me know what it is.
> > >
> > > Thanx, Paul
> > >
> > > > Crash log 1
> > > > =
> > > > BUG: KMSAN: uninit-value in __rcu_process_callbacks
> > > > kernel/rcu/tree.c:2838 [inline]
> > > > BUG: KMSAN: uninit-value in rcu_process_callbacks+0x5ac/0x1cb0
> > > > kernel/rcu/tree.c:2864
> > > > CPU: 0 PID: 20 Comm: kauditd Not tainted 4.19.0-rc8+ #18
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
> > > > 01/01/2011
> > > > Call Trace:
> > > >  
> > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > >  dump_stack+0x305/0x460 lib/dump_stack.c:113
> > > >  kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
> > > >  __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
> > > >  __rcu_process_callbacks kernel/rcu/tree.c:2838 [inline]
> > > >  rcu_process_callbacks+0x5ac/0x1cb0 kernel/rcu/tree.c:2864
> > > >  __do_softirq+0x5ff/0xa55 kernel/softirq.c:292
> > > >  invoke_softirq kernel/softirq.c:373 [inline]
&

Re: KMSAN: uninit-value in rcu_accelerate_cbs / KMSAN: uninit-value in rcu_process_callbacks

2018-11-14 Thread Kyungtae Kim
Thank you for all your comments.

Thanks,
Kyungtae Kim
On Wed, Nov 14, 2018 at 11:05 AM Paul E. McKenney  wrote:
>
> On Wed, Nov 14, 2018 at 04:31:11PM +0100, Alexander Potapenko wrote:
> > On Wed, Nov 14, 2018 at 4:09 PM Paul E. McKenney  
> > wrote:
> > >
> > > On Wed, Nov 14, 2018 at 04:03:33AM -0500, Kyungtae Kim wrote:
> > > > We report two crashes in v4.19-rc8 (4.20-rc1 as well, I guess):
> > > > (Unfortunately, there is no repro for those.)
> > > >
> > > > The two crashes seem to share the same issue.
> > > > In both cases, (uninitialized) memory access violation occurs
> > > > when "rdp->cblist" is about to be accessed 
> > > > (kernel/rcu/tree.c:2838,1728).
> > > > I guess those are freed before the use, but I still haven't figured
> > > > out the reason why.
> > > > I'm looking forward to some help.
> >
> > First of all, I'd avoid reporting KMSAN bugs without clear reproducers.
> > The tool is still in beta and may still give false positives due to
> > either missed initialization or rare memory corruptions.
>
> OK, I will set this aside, then, thank you!
>
> Thanx, Paul
>
> > > You lost me on this one.  In both cases, rdp references a per-CPU
> > > variable that is implicitly initialized to all zeroes, due to being
> > > (sort of) a C-language global.
> > >
> > > If a callback is queued early, then the following lines in __call_rcu()
> > > will make an honest list of that field because of the:
> > >
> > > if (rcu_segcblist_empty(&rdp->cblist))
> > > rcu_segcblist_init(&rdp->cblist);
> > >
> > > Otherwise, when rcu_init() is invoked during early boot, we have this
> > > in rcu_init_percpu_data(), which is called from rcutree_prepare_cpu()
> > > which is called from rcu_init(), which is called from start_kernel():
> > >
> > > if (rcu_segcblist_empty(&rdp->cblist) && /* No early-boot CBs? */
> > > !init_nocb_callback_list(rdp))
> > > rcu_segcblist_init(&rdp->cblist);  /* Re-enable callbacks. */
> > >
> > > So either init_nocb_callback_list() initializes the alternative callback
> > > lists for a no-CBs CPU or rcu_segcblist_init() again makes an honest
> > > list of that field.
> > >
> > > My guess is that your tool is missing the
> > >
> > > rdp = this_cpu_ptr(rsp->rda);
> > >
> > > in the __call_rcu() case, and also missing the
> > >
> > > struct rcu_data *rdp = per_cpu_ptr(rsp->rda, cpu);
> > >
> > > Note that the ->rda field is explicitly compile-time initialized to
> > > the base address of the per-CPU variable, which is rcu_preempt_data,
> > > rcu_bh_data, or rcu_sched_data, depending on which RCU flavor is at hand.
> > > (In v4.20-rc1, these are all merged into a single flavor to rule them 
> > > all.)
> > >
> > > Alternatively, your tool might be missing the implicit initialization
> > > of per-CPU variables.
> > This used to be fine, but after rebasing to v4.20-rc2 I also started
> > seeing strange reports on per-CPU variables. Taking a look.
> > > Or maybe I am missing something.  If so, please let me know what it is.
> > >
> > > Thanx, Paul
> > >
> > > > Crash log 1
> > > > =
> > > > BUG: KMSAN: uninit-value in __rcu_process_callbacks
> > > > kernel/rcu/tree.c:2838 [inline]
> > > > BUG: KMSAN: uninit-value in rcu_process_callbacks+0x5ac/0x1cb0
> > > > kernel/rcu/tree.c:2864
> > > > CPU: 0 PID: 20 Comm: kauditd Not tainted 4.19.0-rc8+ #18
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
> > > > 01/01/2011
> > > > Call Trace:
> > > >  
> > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > >  dump_stack+0x305/0x460 lib/dump_stack.c:113
> > > >  kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
> > > >  __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
> > > >  __rcu_process_callbacks kernel/rcu/tree.c:2838 [inline]
> > > >  rcu_process_callbacks+0x5ac/0x1cb0 kernel/rcu/tree.c:2864
> > > >  __do_softirq+0x5ff/0xa55 kernel/softirq.c:292
> > > >  invoke_softirq kernel/softirq.c:373 [inline]

KMSAN: uninit-value in rcu_accelerate_cbs / KMSAN: uninit-value in rcu_process_callbacks

2018-11-14 Thread Kyungtae Kim
kmsan.c:255 [inline]
 kmsan_internal_alloc_meta_for_pages+0x157/0x730 mm/kmsan/kmsan.c:693
 kmsan_alloc_page+0x80/0xe0 mm/kmsan/kmsan_hooks.c:320
 __alloc_pages_nodemask+0x128c/0x69b0 mm/page_alloc.c:4416
 alloc_pages_current+0x51f/0x760 mm/mempolicy.c:2093
 alloc_pages include/linux/gfp.h:511 [inline]
 alloc_slab_page mm/slub.c:1459 [inline]
 allocate_slab mm/slub.c:1604 [inline]
 new_slab+0x552/0x1f30 mm/slub.c:1675
 new_slab_objects mm/slub.c:2438 [inline]
 ___slab_alloc+0x1414/0x1dd0 mm/slub.c:2590
 __slab_alloc mm/slub.c:2630 [inline]
 slab_alloc_node mm/slub.c:2693 [inline]
 slab_alloc mm/slub.c:2735 [inline]
 kmem_cache_alloc+0xc9b/0xda0 mm/slub.c:2740
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 avc_alloc_node+0x109/0xb90 security/selinux/avc.c:572
 avc_insert security/selinux/avc.c:696 [inline]
 avc_compute_av+0x31e/0x1050 security/selinux/avc.c:1008
 avc_has_perm_noaudit+0x516/0x770 security/selinux/avc.c:1149
 avc_has_perm+0x172/0x480 security/selinux/avc.c:1184
 selinux_socket_create+0x248/0x3c0 security/selinux/hooks.c:4560
 security_socket_create+0x146/0x210 security/security.c:1372
 __sock_create+0x26b/0xf30 net/socket.c:1232
 sock_create net/socket.c:1317 [inline]
 __sys_socket+0x180/0x670 net/socket.c:1347
 __do_sys_socket net/socket.c:1356 [inline]
 __se_sys_socket+0x8d/0xb0 net/socket.c:1354
 __x64_sys_socket+0x4a/0x70 net/socket.c:1354
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
=

Thanks,
Kyungtae Kim


BUG: unable to handle kernel NULL pointer dereference in write_port

2018-11-13 Thread Kyungtae Kim
200015c0 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 9ee8 R14: 006f0f88 R15: 7f40dbe46700
Code: 49 81 fc ff ff 00 00 4c 8d 6b ff 0f 87 af 00 00 00 48 85 db 0f
84 a6 00 00 00 48 8b 5d d0 45 31 f6 eb 2c e8 59 00 b1 fe 44 89 f8 <44>
89 66 90 49 83 c4 01 48 83 c3 01 4d 85 ed 0f 95 c2 49 81 fc
RIP: outb arch/x86/include/asm/io.h:333 [inline] RSP: 88011095fc40
RIP: write_port+0xda/0x190 drivers/char/mem.c:640 RSP: 88011095fc40
CR2: c90001eb5f90
---[ end trace 6917feb3b143574b ]---
=

Thanks,
Kyungtae Kim


UBSAN: Undefined behaviour in mm/page_alloc.c

2018-11-08 Thread Kyungtae Kim
We report a bug in v4.19-rc2 (4.20-rc1 as well, I guess):

kernel config: https://kt0755.github.io/etc/config_v2-4.19
repro: https://kt0755.github.io/etc/repro.c4074.c

In the middle of a page request, this arose because the order was too large
to handle (mm/page_alloc.c:3119). It actually comes from the fact that the
order is controllable by user input via raw_cmd_ioctl without a sanity check,
thereby causing a memory problem. To stop it, we can use something like
MAX_ORDER for a bounds check before using it.

=
UBSAN: Undefined behaviour in mm/page_alloc.c:3117:19
shift exponent 51 is too large for 32-bit type 'int'
CPU: 0 PID: 6520 Comm: syz-executor1 Not tainted 4.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xd2/0x148 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 __ubsan_handle_shift_out_of_bounds+0x2b6/0x30b lib/ubsan.c:425
 __zone_watermark_ok+0x2c7/0x400 mm/page_alloc.c:3117
 zone_watermark_fast mm/page_alloc.c:3216 [inline]
 get_page_from_freelist+0xc49/0x44c0 mm/page_alloc.c:3300
 __alloc_pages_nodemask+0x21e/0x640 mm/page_alloc.c:4370
 alloc_pages_current+0xcc/0x210 mm/mempolicy.c:2093
 alloc_pages include/linux/gfp.h:509 [inline]
 __get_free_pages+0x12/0x60 mm/page_alloc.c:4414
 dma_mem_alloc+0x36/0x50 arch/x86/include/asm/floppy.h:156
 raw_cmd_copyin drivers/block/floppy.c:3159 [inline]
 raw_cmd_ioctl drivers/block/floppy.c:3206 [inline]
 fd_locked_ioctl+0xa00/0x2c10 drivers/block/floppy.c:3544
 fd_ioctl+0x40/0x60 drivers/block/floppy.c:3571
 __blkdev_driver_ioctl block/ioctl.c:303 [inline]
 blkdev_ioctl+0xb3c/0x1a30 block/ioctl.c:601
 block_ioctl+0x105/0x150 fs/block_dev.c:1883
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1c0/0x1150 fs/ioctl.c:687
 ksys_ioctl+0x9e/0xb0 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:707
 do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fb5ef0e2c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7fb5ef0e36cc RCX: 004497b9
RDX: 2040 RSI: 0258 RDI: 0014
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5490 R14: 006ed530 R15: 7fb5ef0e3700
=


Thanks,
Kyungtae Kim
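An added example, written for this archive page and not taken from the report or from the kernel tree, that walks through the report's reasoning: a user-supplied length becomes a page-allocation order, the unchecked order reaches a shift on a 32-bit `int` (the "shift exponent 51 is too large" that UBSAN flagged in __zone_watermark_ok), and a bounds check against MAX_ORDER, as the report suggests, rejects the request before any shift runs. `PAGE_SHIFT` and `MAX_ORDER` are assumed x86 default values, and `order_for_len`, `shift_would_be_undefined`, `pages_for_order_checked` and `validate_dma_len` are this example's own names, not kernel functions.

```c
/*
 * Added example, not from the report or the kernel tree. Models how a
 * user-controlled length becomes a page-allocation order and why an
 * unchecked order is dangerous: the allocator's watermark check shifts a
 * 32-bit int by that order, so an order of 51 (the exponent in the UBSAN
 * report) is undefined behaviour. A MAX_ORDER bounds check before the
 * shift, as the report suggests, turns that into a clean -EINVAL.
 *
 * PAGE_SHIFT and MAX_ORDER are assumed values (x86 defaults); the helper
 * names are this example's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define MAX_ORDER  11  /* orders 0..10 are allocatable; assumed default */

/* Smallest order whose page count covers len bytes (like get_order()).
 * Computed without overflow so that any 64-bit length can be inspected. */
static unsigned int order_for_len(uint64_t len)
{
    uint64_t pages = (len >> PAGE_SHIFT) + ((len & (PAGE_SIZE - 1)) ? 1 : 0);
    unsigned int order = 0;

    if (pages <= 1)
        return 0;
    /* pages <= 2^52 here, so the 64-bit shift below never overflows. */
    while (((uint64_t)1 << order) < pages)
        order++;
    return order;
}

/* True when `1 << order` on a 32-bit int would be undefined behaviour,
 * which is exactly what UBSAN reported for order 51. */
static int shift_would_be_undefined(unsigned int order)
{
    return order >= 31; /* 1 << 31 overflows int; >= 32 exceeds its width */
}

/* The bounds check the report asks for: reject the order before it can
 * reach any shift. Returns the page count, or -EINVAL. */
static long pages_for_order_checked(unsigned int order)
{
    if (order >= MAX_ORDER)
        return -EINVAL;
    return 1L << order; /* order < MAX_ORDER (11), so this is well defined */
}

/* What a raw_cmd_copyin-style path could do with a user-supplied DMA
 * length before asking the page allocator for it. Returns 0 or -EINVAL. */
static int validate_dma_len(uint64_t len)
{
    long pages = pages_for_order_checked(order_for_len(len));

    return pages < 0 ? (int)pages : 0;
}

int main(void)
{
    /* Constructed inputs: a sane 64 KiB request and a 2^63-byte one. */
    uint64_t sane = 64 * 1024, huge = (uint64_t)1 << 63;

    printf("len=%llu order=%u undefined_shift=%d result=%d\n",
           (unsigned long long)sane, order_for_len(sane),
           shift_would_be_undefined(order_for_len(sane)),
           validate_dma_len(sane));
    printf("len=%llu order=%u undefined_shift=%d result=%d\n",
           (unsigned long long)huge, order_for_len(huge),
           shift_would_be_undefined(order_for_len(huge)),
           validate_dma_len(huge));
    return 0;
}
```

The check belongs where the length is copied in from user space, before the allocation call, which in the trace above is the raw_cmd_copyin → dma_mem_alloc → __get_free_pages path; a request whose order already fails the MAX_ORDER check can never succeed, so refusing it early loses nothing and keeps the allocator's internal arithmetic in range.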


Re: KASAN: use-after-free Read in vgacon_invert_region

2018-05-23 Thread Kyungtae Kim
(We analyzed the crash and added the result below.)

We report the crash:
"KASAN: use-after-free Read in vgacon_invert_region"

This crash was found in v4.17-rc3. Specifically, a memory access (read
operation) is invalid, and it is detected by KASAN.

Analysis:
The function "vt_do_resize" basically allows for resizing the screen
buffer (i.e., vc_data) beyond memory address 0x10
(i.e., 0x8810 in this case).
We think, however, that a certain memory area starting from 0x10 is protected,
so subsequent memory access beyond this address (by
"vgacon_invert_region") causes a memory access violation.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-ba6c1.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:
==
BUG: KASAN: use-after-free in vgacon_invert_region+0xf9/0x100
drivers/video/console/vgacon.c:663
Read of size 2 at addr 8810 by task syz-executor3/525

CPU: 0 PID: 525 Comm: syz-executor3 Not tainted 4.17.0-rc3 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x78/0x290 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x234/0x350 mm/kasan/report.c:412
 __asan_report_load2_noabort+0x19/0x20 mm/kasan/report.c:431
 vgacon_invert_region+0xf9/0x100 drivers/video/console/vgacon.c:663
 invert_screen+0x197/0x630 drivers/tty/vt/vt.c:461
 highlight drivers/tty/vt/selection.c:51 [inline]
 set_selection+0x6b7/0xf60 drivers/tty/vt/selection.c:276
 tioclinux+0x126/0x410 drivers/tty/vt/vt.c:2691
 vt_ioctl+0x1036/0x2580 drivers/tty/vt/vt_ioctl.c:362
 tty_ioctl+0x288/0x14c0 drivers/tty/tty_io.c:2646
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x191/0xfe0 fs/ioctl.c:686
 ksys_ioctl+0x99/0xb0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x78/0xb0 fs/ioctl.c:706
 do_syscall_64+0xb0/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f720c4bec68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f720c4bf6cc RCX: 004497b9
RDX: 2040 RSI: 0002541c RDI: 0013
RBP: 0071bf58 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5aa8 R14: 006ecb48 R15: 7f720c4bf700

The buggy address belongs to the page:
page:ea004000 count:0 mapcount:-127 mapping: index:0x0
flags: 0x0()
raw:    ff80
raw: 88013fff9300 88013fff9300 0008 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 880fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8810: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ^
 88100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
======


Thanks,
Kyungtae Kim

On Thu, May 17, 2018 at 2:04 PM, Kyungtae Kim <kt0...@gmail.com> wrote:
> We report the crash:
> "KASAN: use-after-free Read in vgacon_invert_region"
>
> This crash was found in v4.17-rc3. Specifically, memory access (read
> operation) is invalid, and it is detected by KASAN.
>
> C repro code:
>  https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-ba6c1.c
> kernel config:
>  https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3
>
> Crash log:
> ==
> BUG: KASAN: use-after-free in vgacon_invert_region+0xf9/0x100
> drivers/video/console/vgacon.c:663
> Read of size 2 at addr 8810 by task syz-executor3/525
>
> CPU: 0 PID: 525 Comm: syz-executor3 Not tainted 4.17.0-rc3 #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xc7/0x138 lib/dump_stack.c:113
>  print_address_description+0x78/0x290 mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report+0x234/0x350 mm/kasan/report.c:412
>  __asan_report_load2_noabort+0x19/0x20 mm/kasan/report.c:431
>  vgacon_invert_region+0xf9/0x100 drivers/video/console/vgacon.c:663
>  invert_screen+0x197/0x630 drivers/tty/vt/vt.c:461
>  highlight drivers/tty/vt/selection.c:51 [inline]
>  set_selection+0x6b7/0xf60 drivers/tty/vt/selection.c:276
>  tioclinux+0x

KASAN: use-after-free Read in vgacon_invert_region

2018-05-17 Thread Kyungtae Kim
We report the crash:
"KASAN: use-after-free Read in vgacon_invert_region"

This crash was found in v4.17-rc3. Specifically, memory access (read
operation) is invalid, and it is detected by KASAN.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-ba6c1.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:
==
BUG: KASAN: use-after-free in vgacon_invert_region+0xf9/0x100
drivers/video/console/vgacon.c:663
Read of size 2 at addr 8810 by task syz-executor3/525

CPU: 0 PID: 525 Comm: syz-executor3 Not tainted 4.17.0-rc3 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x78/0x290 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x234/0x350 mm/kasan/report.c:412
 __asan_report_load2_noabort+0x19/0x20 mm/kasan/report.c:431
 vgacon_invert_region+0xf9/0x100 drivers/video/console/vgacon.c:663
 invert_screen+0x197/0x630 drivers/tty/vt/vt.c:461
 highlight drivers/tty/vt/selection.c:51 [inline]
 set_selection+0x6b7/0xf60 drivers/tty/vt/selection.c:276
 tioclinux+0x126/0x410 drivers/tty/vt/vt.c:2691
 vt_ioctl+0x1036/0x2580 drivers/tty/vt/vt_ioctl.c:362
 tty_ioctl+0x288/0x14c0 drivers/tty/tty_io.c:2646
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x191/0xfe0 fs/ioctl.c:686
 ksys_ioctl+0x99/0xb0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x78/0xb0 fs/ioctl.c:706
 do_syscall_64+0xb0/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f720c4bec68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f720c4bf6cc RCX: 004497b9
RDX: 2040 RSI: 0002541c RDI: 0013
RBP: 0071bf58 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 5aa8 R14: 006ecb48 R15: 7f720c4bf700

The buggy address belongs to the page:
page:ea004000 count:0 mapcount:-127 mapping: index:0x0
flags: 0x0()
raw:    ff80
raw: 88013fff9300 88013fff9300 0008 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 880fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8810: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ^
 88100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==


Thanks,
Kyungtae Kim


KASAN: use-after-free Write in do_con_write

2018-05-17 Thread Kyungtae Kim
We report the crash:
"KASAN: use-after-free Write in do_con_write"

This crash was found in v4.17-rc3. Specifically, memory access (write
operation) is invalid, and it is detected by KASAN.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-c4a1f8.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:

==
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70
drivers/tty/vt/vt.c:2397
Write of size 2 at addr 88139042 by task getty/2803

CPU: 0 PID: 2803 Comm: getty Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 n_tty_write+0x763/0xea0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:958 [inline]
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffa6267ac00
RSP: 002b:7ffee1ff7538 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 00607340 RCX: 7ffa6267ac00
RDX: 0002 RSI: 004059fb RDI: 0001
RBP: 0002 R08: 000a R09: 7ffa62944670
R10: 7ffee1ff7620 R11: 0246 R12: 7ffee1ff8090
R13: 7ffa62d65690 R14: 004059fb R15: 

The buggy address belongs to the page:
page:ea004e40 count:0 mapcount:0 mapping: index:0x0
flags: 0x0()
raw:    
raw: ea004e60 ea004e60  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88138f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88138f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>88139000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ^
 88139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88139100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
======

Thanks,
Kyungtae Kim


Fwd: KASAN: use-after-free Write in do_con_write

2018-05-12 Thread Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim <kt0...@gmail.com>
Date: Sat, May 12, 2018 at 9:47 AM
Subject: KASAN: use-after-free Write in do_con_write
To: gre...@linuxfoundation.org, jsl...@suse.com, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee <lifeasag...@gmail.com>, DaeRyong Jeong
<threeear...@gmail.com>


We report the crash:
"KASAN: use-after-free Write in do_con_write"

This crash was found in v4.17-rc3. Specifically, memory access (write
operation) is invalid, and it is detected by KASAN.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-c4a1f8.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:

==
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70
drivers/tty/vt/vt.c:2397
Write of size 2 at addr 88139042 by task getty/2803

CPU: 0 PID: 2803 Comm: getty Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 n_tty_write+0x763/0xea0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:958 [inline]
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffa6267ac00
RSP: 002b:7ffee1ff7538 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 00607340 RCX: 7ffa6267ac00
RDX: 0002 RSI: 004059fb RDI: 0001
RBP: 0002 R08: 000a R09: 7ffa62944670
R10: 7ffee1ff7620 R11: 0246 R12: 7ffee1ff8090
R13: 7ffa62d65690 R14: 004059fb R15: 

The buggy address belongs to the page:
page:ea004e40 count:0 mapcount:0 mapping: index:0x0
flags: 0x0()
raw:    
raw: ea004e60 ea004e60  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88138f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88138f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>88139000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ^
 88139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88139100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
======

Thanks,
Kyungtae Kim


Fwd: KASAN: use-after-free Write in vgacon_scroll

2018-05-12 Thread Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim <kt0...@gmail.com>
Date: Sat, May 12, 2018 at 9:44 AM
Subject: KASAN: use-after-free Write in vgacon_scroll
To: b.zolnier...@samsung.com, dri-de...@lists.freedesktop.org,
linux-fb...@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee <lifeasag...@gmail.com>, DaeRyong Jeong
<threeear...@gmail.com>


We report the crash:
"KASAN: use-after-free Write in vgacon_scroll"

This crash was found in v4.17-rc3. Specifically, memory access (write
operation) is invalid, and it is detected by KASAN.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-bd11a.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:
==
BUG: KASAN: use-after-free in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: use-after-free in scr_memcpyw include/linux/vt_buffer.h:49 [inline]
BUG: KASAN: use-after-free in vgacon_scrollback_update
drivers/video/console/vgacon.c:249 [inline]
BUG: KASAN: use-after-free in vgacon_scroll+0x684/0x890
drivers/video/console/vgacon.c:1374
Write of size 3758 at addr 88011a8bf98e by task syz-executor1/3226

CPU: 0 PID: 3226 Comm: syz-executor1 Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13b/0x1a0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:345 [inline]
 scr_memcpyw include/linux/vt_buffer.h:49 [inline]
 vgacon_scrollback_update drivers/video/console/vgacon.c:249 [inline]
 vgacon_scroll+0x684/0x890 drivers/video/console/vgacon.c:1374
 con_scroll+0x2cc/0x330 drivers/tty/vt/vt.c:329
 lf+0x247/0x290 drivers/tty/vt/vt.c:1122
 do_con_trol+0x14f/0x5310 drivers/tty/vt/vt.c:1785
 do_con_write.part.20+0x597/0x1b70 drivers/tty/vt/vt.c:2433
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 n_tty_write+0x763/0xea0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:958 [inline]
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
 redirected_tty_write+0xaf/0xc0 drivers/tty/tty_io.c:1063
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7fc0af9acc68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7fc0af9ad6cc RCX: 004497b9
RDX: 1000 RSI: 2080 RDI: 0013
RBP: 0071bf58 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 9ee8 R14: 006f0f88 R15: 7fc0af9ad700

The buggy address belongs to the page:
page:ea00046a2c00 count:1 mapcount:0 mapping:
index:0x0 compound_mapcount: 0
flags: 0x2008000(head)
raw: 02008000   0001
raw: dead0100 dead0200  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88011a8bff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 88011a8bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>88011a8c: fb fb fb fc fc fb fb fb fc fc 00 00 00 fc fc fc
   ^
 88011a8c0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88011a8c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
======

Thanks,
Kyungtae Kim
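
The "Memory state around the buggy address" block in the vgacon_scroll report above can be decoded mechanically. What follows is an added example, not part of this thread and not the kernel's own code: it parses the shadow rows, walks the reported access the way KASAN's find_first_bad_addr() does, and names the bug type from the shadow value, with the byte meanings taken from mm/kasan/kasan.h and mm/kasan/report.c in v4.17. The sample dump is reconstructed from the report above with full 64-bit addresses, since the archive rendering dropped the leading ffff and zero runs; that reconstruction is an assumption.

```python
import re

# Special shadow values from mm/kasan/kasan.h (v4.17). 0x00 means the whole
# 8-byte granule is accessible, 0x01..0x07 that only the first n bytes are.
SHADOW_VALUES = {
    0xFF: ("use-after-free", "KASAN_FREE_PAGE: page was freed"),
    0xFB: ("use-after-free", "KASAN_KMALLOC_FREE: slab object was freed"),
    0xFE: ("out-of-bounds", "KASAN_PAGE_REDZONE: kmalloc_large redzone"),
    0xFC: ("out-of-bounds", "KASAN_KMALLOC_REDZONE: redzone inside slab object"),
    0xFA: ("out-of-bounds", "KASAN_GLOBAL_REDZONE: global variable redzone"),
    0xF1: ("stack-out-of-bounds", "KASAN_STACK_LEFT"),
    0xF2: ("stack-out-of-bounds", "KASAN_STACK_MID"),
    0xF3: ("stack-out-of-bounds", "KASAN_STACK_RIGHT"),
    0xF4: ("stack-out-of-bounds", "KASAN_STACK_PARTIAL"),
    0xF8: ("use-after-scope", "KASAN_USE_AFTER_SCOPE"),
}
GRANULE = 8                # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE   # one printed row = 16 shadow bytes = 128 bytes

# " ffff88011a8bff00: 00 00 ..." or the caret row ">ffff88011a8c0000: fb fb ..."
ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$", re.I)


def parse_shadow_rows(dump):
    """Return {row base address: [16 shadow bytes]} from a 'Memory state' block."""
    rows = {}
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_of(rows, addr):
    """Shadow byte for addr. Granules outside the printed window count as
    accessible (0): KASAN centres the window on the first poisoned granule,
    so every earlier granule of the access passed the check."""
    row = rows.get(addr & ~(ROW_BYTES - 1))
    return 0 if row is None else row[(addr % ROW_BYTES) // GRANULE]


def classify(shadow):
    """Bug type as mm/kasan/report.c get_shadow_bug_type() derives it."""
    if shadow < GRANULE:
        return "out-of-bounds", "partial granule: only first %d bytes valid" % shadow
    return SHADOW_VALUES.get(shadow, ("unknown-crash", "unrecognised shadow value"))


def decode_access(dump, addr, size):
    """Step through the access one granule at a time, as find_first_bad_addr()
    does, until a non-zero shadow byte is hit. Returns None if every byte was
    accessible, else a dict describing where and why the access went bad."""
    rows = parse_shadow_rows(dump)
    probe = addr
    while probe < addr + size and shadow_of(rows, probe) == 0:
        probe += GRANULE
    if probe >= addr + size:
        return None
    shadow = shadow_of(rows, probe)
    base = probe & ~(GRANULE - 1)
    # exact first poisoned byte: whole granule, or the tail of a partial granule
    first_bad = max(addr, base + shadow if shadow < GRANULE else base)
    bug, meaning = classify(shadow)
    return {"first_bad_addr": first_bad, "shadow": shadow, "bug_type": bug,
            "meaning": meaning, "bytes_before_fault": first_bad - addr,
            "bytes_past_fault": addr + size - first_bad}


# Constructed from the vgacon_scroll report above, addresses written out in
# full (assumed: the archive rendering dropped the leading ffff and zero runs).
VGACON_DUMP = """\
 ffff88011a8bff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88011a8bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88011a8c0000: fb fb fb fc fc fb fb fb fc fc 00 00 00 fc fc fc
                   ^
 ffff88011a8c0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88011a8c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
VGACON_ADDR, VGACON_SIZE = 0xffff88011a8bf98e, 3758  # "Write of size 3758 at addr ..."

if __name__ == "__main__":
    print(decode_access(VGACON_DUMP, VGACON_ADDR, VGACON_SIZE))
```

On the vgacon_scroll numbers this reports that the 3758-byte scr_memcpyw landed 1650 bytes in still-live memory before spilling the remaining 2108 bytes into a freed slab object (shadow 0xfb), which is why the first two rows of the window are clean.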


Fwd: BUG: unable to handle kernel paging request in write_port

2018-05-12 Thread Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim <kt0...@gmail.com>
Date: Sat, May 12, 2018 at 9:40 AM
Subject: BUG: unable to handle kernel paging request in write_port
To: Arnd Bergmann <a...@arndb.de>, gre...@linuxfoundation.org,
linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee <lifeasag...@gmail.com>, DaeRyong Jeong
<threeear...@gmail.com>


We report the crash:
"BUG: unable to handle kernel paging request in write_port"

This crash was found in v4.17-rc3.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-0cc6c.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:

BUG: unable to handle kernel paging request at c90001eb5f90
PGD 1150c2067 P4D 1150c2067 PUD 1150c3067 PMD 10cd1e067 PTE 0
Oops: 0002 [#1] SMP KASAN PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 2925 Comm: syz-executor7 Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:outb arch/x86/include/asm/io.h:333 [inline]
RIP: 0010:write_port+0xda/0x190 drivers/char/mem.c:640
RSP: 0018:88011095fc40 EFLAGS: 00010286
RAX: 1095feaf RBX: 2000163f RCX: 8286ca77
RDX: 0001 RSI: c90001eb6000 RDI: 880114403f58
RBP: 88011095fc78 R08: a9c6c9a0 R09: 
R10: 880115622813 R11: ed0022ac4503 R12: 007f
R13: 000c R14:  R15: 88011095feaf
FS:  7f40dbe46700() GS:88011560() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: c90001eb5f90 CR3: 0001117ca000 CR4: 06f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f40dbe45c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f40dbe466cc RCX: 004497b9
RDX: 008c RSI: 200015c0 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 9ee8 R14: 006f0f88 R15: 7f40dbe46700
Code: 49 81 fc ff ff 00 00 4c 8d 6b ff 0f 87 af 00 00 00 48 85 db 0f
84 a6 00 00 00 48 8b 5d d0 45 31 f6 eb 2c e8 59 00 b1 fe 44 89 f8 <44>
89 66 90 49 83 c4 01 48 83 c3 01 4d 85 ed 0f 95 c2 49 81 fc
RIP: outb arch/x86/include/asm/io.h:333 [inline] RSP: 88011095fc40
RIP: write_port+0xda/0x190 drivers/char/mem.c:640 RSP: 88011095fc40
CR2: c90001eb5f90
---[ end trace 6917feb3b143574b ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: 0x2740 from 0x8100 (relocation range:
0xffff8000-0xbfff)

Thanks,
Kyungtae Kim


Fwd: KASAN: use-after-free Write in write_mem

2018-05-11 Thread Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim <kt0...@gmail.com>
Date: Fri, May 11, 2018 at 11:38 AM
Subject: KASAN: use-after-free Write in write_mem
To: a...@arndb.de, gre...@linuxfoundation.org, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee <lifeasag...@gmail.com>, DaeLyong Jeong
<threeear...@gmail.com>


We report the crash:
"KASAN: use-after-free Write in write_mem"

This crash was found in v4.17-rc3. Specifically, memory access (write
operation) is invalid, and it is detected by KASAN.

C repro code:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-3c6e1.c
kernel config:
 https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:

Write of size 4096 at addr 8801 by task syz-executor1/3358

CPU: 0 PID: 3358 Comm: syz-executor1 Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13b/0x1a0 mm/kasan/kasan.c:267
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
 _copy_from_user+0xb7/0x100 lib/usercopy.c:12
 copy_from_user include/linux/uaccess.h:147 [inline]
 write_mem+0x8f/0x190 drivers/char/mem.c:240
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f6f7f254c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f6f7f2556cc RCX: 004497b9
RDX: ffad RSI: 2000 RDI: 0013
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 9ee8 R14: 006f0f88 R15: 7f6f7f255700

The buggy address belongs to the page:
page:ea000400 count:0 mapcount:-127 mapping: index:0x0
flags: 0x0()
raw:    ff80
raw: 88013fff91e0 ea002020 0004 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8800ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8800ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8801: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ^
 88010080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 88010100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
========

Thanks,
Kyungtae Kim

