lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <94eb2c05551289ffff0563224e41@google.com>
Date:   Fri, 19 Jan 2018 06:58:01 -0800
From:   syzbot <syzbot+e2d6cfb305e9f3911dea@...kaller.appspotmail.com>
To:     james.morse@....com, keescook@...omium.org,
        keun-o.park@...kmatter.ae, labbott@...hat.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org, mingo@...nel.org,
        syzkaller-bugs@...glegroups.com
Subject: WARNING in usercopy_warn

Hello,

syzbot hit the following crash on linux-next commit
b625c1ff82272e26c76570d3c7123419ec345b20

So far this crash happened 5 times on linux-next, mmots.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e2d6cfb305e9f3911dea@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

device syz0 entered promiscuous mode
------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory exposure attempt detected  
from SLAB object 'skbuff_head_cache' (offset 64, size 16)!
WARNING: CPU: 0 PID: 3663 at mm/usercopy.c:81 usercopy_warn+0xdb/0x100  
mm/usercopy.c:76
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3663 Comm: syzkaller694156 Not tainted  
4.15.0-rc7-next-20180115+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  panic+0x1e4/0x41c kernel/panic.c:183
  __warn+0x1dc/0x200 kernel/panic.c:547
  report_bug+0x211/0x2d0 lib/bug.c:184
  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
  fixup_bug arch/x86/kernel/traps.c:247 [inline]
  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1085
RIP: 0010:usercopy_warn+0xdb/0x100 mm/usercopy.c:76
RSP: 0018:ffff8801d99df548 EFLAGS: 00010282
RAX: dffffc0000000008 RBX: ffffffff865cf19f RCX: ffffffff815aba6e
RDX: 0000000000000000 RSI: 1ffff1003b33be2e RDI: 1ffff1003b33be64
RBP: ffff8801d99df5a0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000003e6 R11: 0000000000000000 R12: ffffffff86200d00
R13: ffffffff85d2cfc0 R14: 0000000000000040 R15: 0000000000000010
  __check_heap_object+0x89/0xc0 mm/slab.c:4426
  check_heap_object mm/usercopy.c:236 [inline]
  __check_object_size+0x272/0x530 mm/usercopy.c:259
  check_object_size include/linux/thread_info.h:112 [inline]
  check_copy_size include/linux/thread_info.h:143 [inline]
  copy_to_user include/linux/uaccess.h:154 [inline]
  put_cmsg+0x233/0x3f0 net/core/scm.c:242
  sock_recv_errqueue+0x200/0x3e0 net/core/sock.c:2913
  packet_recvmsg+0xb2e/0x17a0 net/packet/af_packet.c:3296
  sock_recvmsg_nosec net/socket.c:803 [inline]
  sock_recvmsg+0xc9/0x110 net/socket.c:810
  ___sys_recvmsg+0x2a4/0x640 net/socket.c:2179
  __sys_recvmmsg+0x2a9/0xaf0 net/socket.c:2287
  SYSC_recvmmsg net/socket.c:2368 [inline]
  SyS_recvmmsg+0xc4/0x160 net/socket.c:2352
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x444339
RSP: 002b:00007ffdb359d7d8 EFLAGS: 00000203 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444339
RDX: 0000000000000001 RSI: 0000000020ef7fc4 RDI: 0000000000000005
RBP: 00000000006ce018 R08: 0000000020000000 R09: 0000000000000001
R10: 0000000000002000 R11: 0000000000000203 R12: 0000000000402020
R13: 00000000004020b0 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (6239 bytes)

View attachment "repro.syz.txt" of type "text/plain" (1837 bytes)

View attachment "repro.c.txt" of type "text/plain" (6898 bytes)

View attachment "config.txt" of type "text/plain" (135039 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ