lists.openwall.net: Open Source and information security mailing list archives
 
Date:   Mon, 22 Jan 2018 12:06:58 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Doug Gilbert <dgilbert@...erlog.com>, jejb@...ux.vnet.ibm.com,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi <linux-scsi@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Ben Hutchings <ben.hutchings@...ethink.co.uk>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: scsi: sg: assorted memory corruptions

Hello,

The following program triggers assorted memory corruptions on 4.15-rc9:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

/* Same value as SG_NEXT_CMD_LEN in <scsi/sg.h>. */
#define SG_NEXT_CMD_LEN 0x2283

int main()
{
  int fd = open("/dev/sg0", O_RDWR);
  if (fd < 0)
    return 1;  /* no sg device: stop the "while ./a.out" loop */
  /* Tell the driver that the next write() carries a 9-byte CDB. */
  long len = 9;
  ioctl(fd, SG_NEXT_CMD_LEN, &len);
  /* Legacy sg interface write: 36-byte struct sg_header, then the 9-byte
   * CDB (opcode 0x08), then one data byte; 46 bytes in total. */
  const char* p = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x24\x00"
                  "\x00\x00\x00\x00\x00\x1c\xbb\xac\x14\x00\xaa\xe0\x00\x00\x01"
                  "\x00\x07\x07\x00\x00\x59\x08\x00\x00\x00\x80\xfe\x7f\x00\x00\x01";
  write(fd, p, 46);
  return 0;
}

Run it in a loop as "while ./a.out; do true; done".  Below are some
manifestations, but it really looks like it smashes the heap badly and
then manifests in a random way:


general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 2 PID: 11158 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #65
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:find_stack lib/stackdepot.c:173 [inline]
RIP: 0010:depot_save_stack+0x108/0x440 lib/stackdepot.c:225
RSP: 0018:ffff88007118ed68 EFLAGS: 00010002
RAX: 0000000033ae8ebb RBX: 00000000891e24d1 RCX: 0000000000000002
RDX: 0000000024208bf1 RSI: 0000000001000000 RDI: ffff88007118edc0
RBP: ffff88007118edb0 R08: 1ffff1000e231d77 R09: ffff88007118edd8
R10: 00000000e160d61a R11: 00000000f692b9a9 R12: 000000000000000d
R13: 0000000000000068 R14: 0001800800008008 R15: 00000000000e24d1
FS:  00000000023e4940(0000) GS:ffff88002db00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b9bc25000 CR3: 000000007d476000 CR4: 00000000000026e0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 save_stack+0xa3/0xd0 mm/kasan/kasan.c:453
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kfree+0xc5/0x160 mm/slab.c:3803
 __mmu_notifier_mm_destroy+0x116/0x1c0 mm/mmu_notifier.c:323
 mmu_notifier_mm_destroy include/linux/mmu_notifier.h:297 [inline]
 __mmdrop+0x104/0x3f0 kernel/fork.c:908
 mmdrop include/linux/sched/mm.h:43 [inline]
 finish_task_switch+0x44c/0x6f0 kernel/sched/core.c:2671
 context_switch kernel/sched/core.c:2802 [inline]
 __schedule+0x842/0x1e10 kernel/sched/core.c:3375
 schedule+0xe8/0x420 kernel/sched/core.c:3434
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x3af/0x770 kernel/futex.c:2548
 futex_wait+0x374/0x9e0 kernel/futex.c:2663
 do_futex+0xe20/0x2750 kernel/futex.c:3545
 SYSC_futex kernel/futex.c:3605 [inline]
 SyS_futex+0x368/0x485 kernel/futex.c:3573
 entry_SYSCALL_64_fastpath+0x24/0x8c
RIP: 0033:0x4482b9
RSP: 002b:0000000000a2f908 EFLAGS: 00000206 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 00000000004482b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071becc
RBP: 00000000000000bb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000a2f910 R11: 0000000000000206 R12: 00000000000003b7
R13: 0000000000000b5a R14: 00000000c59c644d R15: 0000000000000000
Code: 75 b8 48 89 7d c0 41 81 e7 ff ff 0f 00 4e 8b 34 fd 60 f9 ed 87
4d 85 f6 74 5e 4d 63 ec 49 c1 e5 03 eb 08 4d 8b 36 4d 85 f6 74 4d <41>
39 5e 08 75 f2 45 3b 66 0c 75 ec 49 8d 76 18 4c 89 cf 4c 89
RIP: find_stack lib/stackdepot.c:173 [inline] RSP: ffff88007118ed68
RIP: depot_save_stack+0x108/0x440 lib/stackdepot.c:225 RSP: ffff88007118ed68
---[ end trace a25d77609c7bff29 ]---


[   71.351814] general protection fault: 0000 [#1] SMP KASAN
[   71.352992] Modules linked in:
[   71.353611] CPU: 3 PID: 3724 Comm: bash Not tainted 4.15.0-rc9+ #65
[   71.354666] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[   71.356440] RIP: 0010:thread_group_cputime+0x4b8/0x1000
[   71.357354] RSP: 0018:ffff88005dbff658 EFLAGS: 00010206
[   71.358240] RAX: 0000000000000005 RBX: dffffc0000000000 RCX: 1ffff1000cf0b917
[   71.359403] RDX: ffff88005dbff838 RSI: 1ffff1000bb7ff06 RDI: 0000000000000028
[   71.360757] RBP: ffff88005dbff800 R08: ffff88005dbff840 R09: ffff88006454a280
[   71.362314] R10: ffff88006b06e1c0 R11: ffff88006785c1c0 R12: fffffffffffffa70
[   71.363800] R13: ffff88005dbff830 R14: ffffed000bb7fef3 R15: ffff88005dbff7d8
[   71.365291] FS:  00007fb375f95700(0000) GS:ffff88006cb80000(0000)
knlGS:0000000000000000
[   71.366990] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.368198] CR2: 00000000006edbd4 CR3: 00000000637fb002 CR4: 00000000001606e0
[   71.369710] Call Trace:
[   71.370259]  ? print_unlock_imbalance_bug+0x70/0x70
[   71.371297]  ? account_idle_time+0x1b0/0x1b0
[   71.372292]  ? lock_downgrade+0x8e0/0x8e0
[   71.373148]  ? lock_downgrade+0x8e0/0x8e0
[   71.374036]  thread_group_cputime_adjusted+0x6b/0xd0
[   71.375086]  ? task_cputime_adjusted+0x240/0x240
[   71.376067]  wait_consider_task+0x1a91/0x38b0
[   71.376987]  ? graph_lock+0x160/0x160
[   71.377780]  ? graph_lock+0x160/0x160
[   71.378568]  ? exit_notify+0xb60/0xb60
[   71.379381]  ? print_unlock_imbalance_bug+0x70/0x70
[   71.380420]  ? find_held_lock+0x35/0x1d0
[   71.381262]  ? lock_acquire+0x1f7/0x4f0
[   71.382151]  ? do_wait+0x3ba/0x9d0
[   71.382885]  ? lock_downgrade+0x8e0/0x8e0
[   71.383743]  ? lock_release+0xaf0/0xaf0
[   71.384566]  ? add_wait_queue+0x19e/0x230
[   71.385427]  ? __wake_up_locked_key_bookmark+0x20/0x20
[   71.386553]  ? task_active_pid_ns+0xd0/0xd0
[   71.387451]  do_wait+0x45b/0x9d0
[   71.388155]  ? wait_consider_task+0x38b0/0x38b0
[   71.389139]  ? tty_vhangup+0x30/0x30
[   71.389933]  ? find_held_lock+0x35/0x1d0
[   71.390777]  ? lock_downgrade+0x8e0/0x8e0
[   71.391634]  ? lock_release+0xaf0/0xaf0
[   71.392522]  ? do_raw_spin_unlock+0x1f0/0x2d0
[   71.393487]  kernel_wait4+0x234/0x3b0
[   71.394289]  ? SyS_waitid+0x50/0x50
[   71.395041]  ? task_stopped_code+0x190/0x190
[   71.395957]  ? sigprocmask+0xf4/0x2e0
[   71.396746]  SYSC_wait4+0x119/0x120
[   71.397516]  ? kernel_wait4+0x3b0/0x3b0
[   71.398353]  ? _copy_to_user+0x85/0xd0
[   71.399169]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   71.400318]  ? SyS_rt_sigprocmask+0x1ca/0x240
[   71.401251]  ? sigprocmask+0x2e0/0x2e0
[   71.402147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   71.403291]  ? security_file_ioctl+0x95/0xc0
[   71.404210]  SyS_wait4+0x2c/0x40
[   71.404913]  entry_SYSCALL_64_fastpath+0x24/0x8c
[   71.405928] RIP: 0033:0x7fb375671a3e
[   71.406699] RSP: 002b:00007ffc523ec340 EFLAGS: 00000246 ORIG_RAX:
000000000000003d
[   71.408297] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fb375671a3e
[   71.409817] RDX: 000000000000000a RSI: 00007ffc523ec398 RDI: ffffffffffffffff
[   71.411317] RBP: 0000000000000000 R08: 00000000011c1a48 R09: 0000000000000000
[   71.412867] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   71.414388] R13: 00000000011abb88 R14: 0000000000000000 R15: 00000000011abd08
[   71.415888] Code: c0 10 49 39 c6 0f 84 09 01 00 00 48 c1 ef 03 4c
89 ee 49 89 fe 48 c1 ee 03 49 01 de 49 8d bc 24 b8 05 00 00 48 89 f8
48 c1 e8 03 <80> 3c 18 00 0f 85 c7 05 00 00 49 8d bc 24 c0 05 00 00 49
8b 84
[   71.419966] RIP: thread_group_cputime+0x4b8/0x1000 RSP: ffff88005dbff658
[   71.421464] ---[ end trace 982cd2844bb6092a ]---



[  493.794289] BUG: unable to handle kernel paging request at fffff1e03c000220
[  493.795959] IP: qlist_free_all+0xe4/0x110
[  493.796893] PGD 0 P4D 0
[  493.797450] Oops: 0000 [#1] SMP KASAN
[  493.798274] Modules linked in:
[  493.798953] CPU: 1 PID: 4273 Comm: a.out Not tainted 4.15.0-rc9+ #65
[  493.800321] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[  493.802005] RIP: 0010:qlist_free_all+0xe4/0x110
[  493.802960] RSP: 0018:ffff88006ae17cb8 EFLAGS: 00010286
[  493.804073] RAX: 0001800f0000800f RBX: 0000000000000282 RCX: ffffea0000000000
[  493.805540] RDX: fffff1e03c000200 RSI: 000077ff80000000 RDI: 0000000000000000
[  493.807061] RBP: ffff88006ae17ce0 R08: 1ffff1000d5c2f68 R09: ffff880063e60040
[  493.808562] R10: 1ffff1000c7cc115 R11: 0000000000000001 R12: ffff88006ae17cf0
[  493.810080] R13: 0001800f0000800f R14: ffffffff86acaf20 R15: 0000000000000000
[  493.812477] FS:  00000000007e9880(0000) GS:ffff88006ca80000(0000)
knlGS:0000000000000000
[  493.813762] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  493.814678] CR2: fffff1e03c000220 CR3: 000000006b812003 CR4: 00000000001606e0
[  493.815830] Call Trace:
[  493.816280]  quarantine_reduce+0x141/0x170
[  493.817011]  kasan_kmalloc+0x99/0xe0
[  493.817607]  kasan_slab_alloc+0x12/0x20
[  493.818254]  kmem_cache_alloc+0x10c/0x620
[  493.818899]  ? map_id_range_down+0x1e6/0x400
[  493.819585]  getname_flags+0xd0/0x5a0
[  493.820184]  user_path_at_empty+0x2d/0x50
[  493.820819]  SyS_access+0x254/0x7b0
[  493.821399]  ? SyS_faccessat+0x7c0/0x7c0
[  493.822061]  ? lockdep_sys_exit_thunk+0x16/0x29
[  493.822814]  ? async_page_fault+0x36/0x60
[  493.823481]  entry_SYSCALL_64_fastpath+0x24/0x8c
[  493.824251] RIP: 0033:0x463327
[  493.824748] RSP: 002b:00007ffe8b588888 EFLAGS: 00000246 ORIG_RAX:
0000000000000015
[  493.825938] RAX: ffffffffffffffda RBX: 00000000007ea1f0 RCX: 0000000000463327
[  493.827132] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 00000000004af1a1
[  493.828214] RBP: 00007ffe8b588ae8 R08: 00007ffe8b5c1040 R09: 0000000000000000
[  493.829226] R10: 00000000006c3f20 R11: 0000000000000246 R12: 00007ffe8b588af8
[  493.830308] R13: 0000000000401d20 R14: 0000000000401db0 R15: 0000000000000000
[  493.831386] Code: 00 00 00 80 48 01 c2 72 42 48 be 00 00 00 80 ff
77 00 00 48 01 f2 48 b9 00 00 00 00 00 ea ff ff 48 c1 ea 0c 48 c1 e2
06 48 01 ca <48> 8b 72 20 48 8d 7e ff 83 e6 01 48 0f 45 d7 48 8b 7a 30
e9 36
[  493.834255] RIP: qlist_free_all+0xe4/0x110 RSP: ffff88006ae17cb8
[  493.835157] CR2: fffff1e03c000220
[  493.835733] ---[ end trace 1fbd2672ad8e619c ]---
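The reproducer's 46-byte write() argument is hard to read as a string literal. The decoder below is an added example, not part of the original report: it splits the buffer the way the legacy (version 2) sg interface does, a 36-byte struct sg_header as laid out in <scsi/sg.h>, then the CDB whose length the reproducer set to 9 with SG_NEXT_CMD_LEN, then any remaining bytes as data for the device. The byte string is a constructed copy of the reproducer's buffer and the function name is mine; nothing here touches /dev/sg0.

```python
import struct

# struct sg_header from <scsi/sg.h>: pack_len, reply_len, pack_id, result,
# one 32-bit word of bitfields (twelve_byte is bit 0), sense_buffer[16].
SG_HEADER_FMT = "<iiiiI16s"
SZ_SG_HEADER = struct.calcsize(SG_HEADER_FMT)  # 36 bytes

# Constructed copy of the bytes the reproducer passes to write(), grouped
# as header ints / sense buffer / CDB / trailing data for readability.
REPRO_BUF = bytes.fromhex(
    "00000000" "00000000" "00004700" "00240000" "00000000"
    "1cbbac1400aae0000001000707000059"
    "0800000080fe7f0000"
    "01"
)
REPRO_CMD_LEN = 9  # the value the reproducer sets via SG_NEXT_CMD_LEN


def decode_sg_v2_write(buf: bytes, cmd_len: int) -> dict:
    """Split a legacy (v2 interface) sg write buffer into its parts.

    Layout: struct sg_header, then cmd_len bytes of CDB, then whatever is
    left is data for the device. A buffer too short to hold the header
    and the CDB is rejected, as sg_write() itself does with -EIO.
    """
    if len(buf) < SZ_SG_HEADER + cmd_len:
        raise ValueError("buffer shorter than sg_header + cmd_len")
    pack_len, reply_len, pack_id, result, bits, sense = struct.unpack_from(
        SG_HEADER_FMT, buf)
    cdb = buf[SZ_SG_HEADER:SZ_SG_HEADER + cmd_len]
    return {
        "pack_len": pack_len,
        "reply_len": reply_len,      # max reply size incl. header (0 here)
        "pack_id": pack_id,
        "result": result,
        "twelve_byte": bits & 1,
        "sense_buffer": sense,
        "cdb": cdb,
        "opcode": cdb[0],            # 0x08 is READ(6)
        "data": buf[SZ_SG_HEADER + cmd_len:],
    }


if __name__ == "__main__":
    for name, value in decode_sg_v2_write(REPRO_BUF, REPRO_CMD_LEN).items():
        shown = value.hex() if isinstance(value, bytes) else hex(value)
        print(f"{name:>12}: {shown}")
```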
