lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 11 Dec 2018 11:16:20 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        Jens Axboe <axboe@...nel.dk>, linux-block@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>
Cc:     Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        bugzilla-daemon@...zilla.kernel.org,
        kasan-dev <kasan-dev@...glegroups.com>, jaguo2014@...look.com
Subject: Re: [Bug 201949] New: KASAN: use-after-free Read in __handle_mm_fault

On Tue, Dec 11, 2018 at 12:45 AM Andrew Morton
<akpm@...ux-foundation.org> wrote:
>
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).

Looking at the reproducer this looks like a bug in sg ioctl.
+block/scsi_ioctl.c maintainers

> On Mon, 10 Dec 2018 10:56:31 +0000 bugzilla-daemon@...zilla.kernel.org wrote:
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=201949
> >
> >             Bug ID: 201949
> >            Summary: KASAN: use-after-free Read in __handle_mm_fault
> >            Product: Memory Management
> >            Version: 2.5
> >     Kernel Version: 4.19-rc2,4.20-rc5,4.20-rc6
> >           Hardware: All
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: Other
> >           Assignee: akpm@...ux-foundation.org
> >           Reporter: jaguo2014@...look.com
> >         Regression: No
> >
> > Created attachment 279915
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=279915&action=edit
> > poc.c
> >
> > Syzkaller hit 'KASAN: use-after-free Read in __handle_mm_fault' bug.
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in handle_pte_fault mm/memory.c:3744 [inline]
> > BUG: KASAN: use-after-free in __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> > Read of size 8 at addr ffff888000048008 by task syz-executor666/2067
> >
> > CPU: 0 PID: 2067 Comm: syz-executor666 Not tainted 4.20.0-rc5+ #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x75/0xae lib/dump_stack.c:113
> >  print_address_description+0x65/0x270 mm/kasan/report.c:256
> >  kasan_report_error mm/kasan/report.c:354 [inline]
> >  kasan_report+0x25b/0x380 mm/kasan/report.c:412
> >  handle_pte_fault mm/memory.c:3744 [inline]
> >  __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> >  handle_mm_fault+0xfc/0x350 mm/memory.c:3926
> >  do_user_addr_fault arch/x86/mm/fault.c:1423 [inline]
> >  __do_page_fault+0x4f4/0xaa0 arch/x86/mm/fault.c:1489
> >  async_page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142
> > RIP: 0033:0x4014fd
> > Code: Bad RIP value.
> > RSP: 002b:00007ffdaac075f0 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: 00007ffdaac07790 RCX: 00007f6df4bee2f0
> > RDX: 0000000000000001 RSI: 00007f6df4bea270 RDI: 00007f6df4e08ae0
> > RBP: 0000000000000000 R08: 00007f6df4e08800 R09: 00007f6df4bea270
> > R10: 00007f6df4e08800 R11: 0000000000000202 R12: 0000000000000000
> > R13: 00007ffdaac07920 R14: 0000000000000000 R15: 0000000000000000
> >
> > The buggy address belongs to the page:
> > page:ffffea0000001200 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > flags: 0x0()
> > raw: 0000000000000000 ffffea0000001208 ffffea0000001208 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >  ffff888000047f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >  ffff888000047f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > >ffff888000048000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >                       ^
> >  ffff888000048080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >  ffff888000048100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > ==================================================================
> >
> >
> > Syzkaller reproducer:
> > # {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:8 Sandbox:
> > Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true
> > EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:true
> > Repro:false Trace:false}
> > r0 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0)
> > ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000080)={0x1, 0x0, 0x8, "ae"})
> >
> > --
> > You are receiving this mail because:
> > You are the assignee for the bug.
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@...glegroups.com.
> To post to this group, send email to kasan-dev@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20181210154550.03bf3fe93944a7c786ba924d%40linux-foundation.org.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ