lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <00000000000025e4720568861faf@google.com>
Date:   Wed, 28 Mar 2018 22:09:01 -0700
From:   syzbot <syzbot+6800425d54ed3ed8135d@...kaller.appspotmail.com>
To:     dasaratharaman.chandramouli@...el.com, dledford@...hat.com,
        don.hiatt@...el.com, dvyukov@...gle.com, ira.weiny@...el.com,
        jgg@...pe.ca, leonro@...lanox.com, linux-kernel@...r.kernel.org,
        linux-rdma@...r.kernel.org, parav@...lanox.com, roland@...nel.org,
        sean.hefty@...el.com, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk
Subject: Re: kernel BUG at lib/string.c:LINE! (3)

syzbot has found reproducer for the following crash on upstream commit
a2601d78b77aacc5dd790f488188f9556f4a9eb2 (Wed Mar 28 23:54:03 2018 +0000)
Merge tag 'powerpc-4.16-6' of  
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=6800425d54ed3ed8135d

So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4970341969428480
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5526256363765760
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5692795733934080
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-8440362230543204781
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6800425d54ed3ed8135d@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

detected buffer overflow in memcpy
------------[ cut here ]------------
kernel BUG at lib/string.c:1052!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4420 Comm: syzkaller185831 Not tainted 4.16.0-rc7+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:ffff8801b02bf940 EFLAGS: 00010282
RAX: 0000000000000022 RBX: 1ffff10036057f2d RCX: 0000000000000000
RDX: 0000000000000022 RSI: 1ffff10036057edd RDI: ffffed0036057f1c
RBP: ffff8801b02bf940 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801b02bf9e8
R13: ffff8801b02bf988 R14: ffff8801b02bfaa8 R15: 000000000000fa00
FS:  00000000019ff880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 00000001b0f1b005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  memcpy include/linux/string.h:344 [inline]
  ucma_join_ip_multicast+0x37a/0x3c0 drivers/infiniband/core/ucma.c:1434
  ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1649
  __vfs_write+0xef/0x970 fs/read_write.c:480
  vfs_write+0x189/0x510 fs/read_write.c:544
  SYSC_write fs/read_write.c:589 [inline]
  SyS_write+0xef/0x220 fs/read_write.c:581
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd29
RSP: 002b:00007ffed3ea1058 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd29
RDX: 0000000000000118 RSI: 0000000020000f80 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401650
R13: 00000000004016e0 R14: 0000000000000000 R15: 0000000000000000
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 a7 3f fb eb  
de 55 48 89 fe 48 c7 c7 c0 43 44 87 48 89 e5 e8 d5 05 f1 fa <0f> 0b 90 90  
90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801b02bf940
---[ end trace 71f07011b6e6886b ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ