Date: Wed, 4 Jul 2018 18:34:52 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+b680e42077a0d7c9a0c4@...kaller.appspotmail.com>
Cc: LKML <linux-kernel@...r.kernel.org>, syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Thomas Gleixner <tglx@...utronix.de>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, netdev <netdev@...r.kernel.org>
Subject: Re: KASAN: stack-out-of-bounds Read in timerqueue_add

On Wed, Jul 4, 2018 at 6:29 PM, syzbot <syzbot+b680e42077a0d7c9a0c4@...kaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    fc36def997cf mm: teach dump_page() to correctly output poi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=167e3b92400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f62553dc846b0692
> dashboard link: https://syzkaller.appspot.com/bug?extid=b680e42077a0d7c9a0c4
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1030a858400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1167aaa4400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b680e42077a0d7c9a0c4@...kaller.appspotmail.com

+bpf maintainers since the repro seems to deal with bpf maps

We've got a splash of crashes today, all seem to suggest some kind of
stack corruption/overflow, see the last 6 bugs here:
https://syzkaller.appspot.com/

> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> IPVS: ftp: loaded support on port[0] = 21
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in timerqueue_add+0x249/0x2b0 lib/timerqueue.c:52
> Read of size 8 at addr ffff8801af537cf8 by task syz-executor591/7178
>
> CPU: 0 PID: 7178 Comm: syz-executor591 Not tainted 4.18.0-rc3+ #130
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
>  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>  timerqueue_add+0x249/0x2b0 lib/timerqueue.c:52
>  enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
>  __run_hrtimer kernel/time/hrtimer.c:1413 [inline]
>  __hrtimer_run_queues+0xc07/0x10c0 kernel/time/hrtimer.c:1460
>  hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
>  smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
>  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
>  </IRQ>
>
> The buggy address belongs to the page:
> page:ffffea0006bd4dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 0000000000000000 ffffffff06bd0101 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8801af537b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff8801af537c00: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2
> >ffff8801af537c80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
>                                                                 ^
>  ffff8801af537d00: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
>  ffff8801af537d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000b2989805702eedd3%40google.com.
> For more options, visit https://groups.google.com/d/optout.