Message-ID: <CACT4Y+YneZGXv0V0qq_b6RsuBNEW0iXTxoFGVM6DCQ212tGNvQ@mail.gmail.com>
Date:   Sat, 12 Nov 2016 12:22:17 -0800
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Paolo Bonzini <pbonzini@...hat.com>, rkrcmar@...hat.com,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>, KVM list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Steve Rutherford <srutherford@...gle.com>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: kvm: out-of-bounds write in __rtc_irq_eoi_tracking_restore_one

Hello,

The following program triggers a slab-out-of-bounds write:
https://gist.githubusercontent.com/dvyukov/c4941c67e2eb5be314b902b17dc089df/raw/4f1844d19f6308135ca14c7f28e0898da1b363de/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

BUG: KASAN: slab-out-of-bounds in __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 at addr ffff88003bd82b7c
Write of size 1 by task syz-executor/5031
CPU: 3 PID: 5031 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006d0df6b8 ffffffff81c2e46b ffff88003e80cf40 ffff88003bd82568
 ffff88003bd82ea0 0000000000000001 ffff88006d0df6e0 ffffffff8165ab9c
 ffffed00077b056f ffffed00077b056f ffff88003e80cf40 ffff88006d0df760
Call Trace:
 [<ffffffff8165b257>] __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:331
 [<ffffffff8112aa3b>] __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 arch/x86/kvm/ioapic.c:128
 [<ffffffff8112be26>] kvm_rtc_eoi_tracking_restore_one+0x66/0x90 arch/x86/kvm/ioapic.c:142
 [<ffffffff81125325>] kvm_apic_set_state+0x9b5/0xde0 arch/x86/kvm/lapic.c:2091
 [<     inline     >] kvm_vcpu_ioctl_set_lapic arch/x86/kvm/x86.c:2834
 [<ffffffff810a8b1d>] kvm_arch_vcpu_ioctl+0x155d/0x3100 arch/x86/kvm/x86.c:3337
 [<ffffffff810608b2>] kvm_vcpu_ioctl+0x1e2/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2708
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003bd82568, in cache kmalloc-2048 size: 2048
Allocated:
PID = 5018
 [ 2761.628607] [<ffffffff811abb36>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 [ 2761.628607] [<ffffffff81659ee6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
 [ 2761.634614] [<     inline     >] set_track mm/kasan/kasan.c:507
 [ 2761.634614] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 [ 2761.639003] [<ffffffff816557f8>] kmem_cache_alloc_trace+0xf8/0x280 mm/slub.c:2735
 [ 2761.639003] [<     inline     >] kmalloc include/linux/slab.h:490
 [ 2761.639003] [<     inline     >] kzalloc include/linux/slab.h:636
 [ 2761.639003] [<ffffffff8112cbc1>] kvm_ioapic_init+0x51/0x5d0 arch/x86/kvm/ioapic.c:611
 [ 2761.639003] [<ffffffff810ab9e4>] kvm_arch_vm_ioctl+0xfb4/0x1c10 arch/x86/kvm/x86.c:3914
 [ 2761.639003] [<ffffffff81065e93>] kvm_vm_ioctl+0x193/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3097
 [ 2761.639003] [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [ 2761.639003] [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [ 2761.639003] [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [ 2761.639003] [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [ 2761.639003] [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff88003bd82a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003bd82a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88003bd82b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88003bd82b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003bd82c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
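Added triage helper, not part of the original report or of the kernel: it parses a KASAN report of the shape quoted above (trimmed and re-wrapped into a constructed sample) and pulls out the facts a triager wants first: access kind and size, the faulting function, the slab object and the offset into it, the shadow byte under the faulting address, the guest-reachable call path, and the allocation site that owns the object. Section names and regexes are this example's own assumptions about the 4.9-era report format.

```python
import re

# Constructed sample: the report quoted above, trimmed, with wrapped frames rejoined.
KASAN_REPORT = """\
BUG: KASAN: slab-out-of-bounds in __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 at addr ffff88003bd82b7c
Write of size 1 by task syz-executor/5031
Call Trace:
 [<ffffffff8112aa3b>] __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 arch/x86/kvm/ioapic.c:128
 [<ffffffff81125325>] kvm_apic_set_state+0x9b5/0xde0 arch/x86/kvm/lapic.c:2091
 [<     inline     >] kvm_vcpu_ioctl_set_lapic arch/x86/kvm/x86.c:2834
Object at ffff88003bd82568, in cache kmalloc-2048 size: 2048
Allocated:
 [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 [<ffffffff8112cbc1>] kvm_ioapic_init+0x51/0x5d0 arch/x86/kvm/ioapic.c:611
Memory state around the buggy address:
>ffff88003bd82b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\S* at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<csize>\d+)")
FRAME_RE = re.compile(r"\[<[^>]*>\]\s+(?P<func>\w+)\S*\s+(?P<loc>\S+:\d+)")

def parse_kasan(text):
    r, section = {"trace": [], "alloc": []}, None
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            r.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            r.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := OBJECT_RE.search(line):
            r.update(obj=int(m["obj"], 16), cache=m["cache"], cache_size=int(m["csize"]))
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif line.startswith("Allocated:"):
            section = "alloc"
        elif line.startswith(("Freed:", "Memory state")):
            section = None
        elif section and (m := FRAME_RE.search(line)):
            r[section].append((m["func"], m["loc"]))
        elif line.startswith(">"):
            # The '>' row is the shadow row covering the faulting address: one shadow
            # byte per 8 bytes of memory, so the byte index is (addr - row_base) // 8.
            base, shadow = line[1:].split(":")
            r["shadow"] = shadow.split()[(r["addr"] - int(base, 16)) // 8]
    r["offset"] = r["addr"] - r["obj"]                 # distance into the slab object
    r["in_slot"] = 0 <= r["offset"] < r["cache_size"]  # still inside the kmalloc slot?
    # First allocation frame outside allocator/KASAN internals (mm/) names the owner.
    r["alloc_site"] = next((f for f in r["alloc"] if not f[1].startswith("mm/")), None)
    return r
```

On this report the write lands 0x614 bytes into the kmalloc-2048 slot, yet the shadow byte there is fc (KASAN's kmalloc redzone), so the kvm_ioapic object is shorter than its slot and the "size: 2048" line reports the cache's slot size, not the object's length.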
