[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1547153074.6911.8.camel@lca.pw>
Date: Thu, 10 Jan 2019 15:44:34 -0500
From: Qian Cai <cai@....pw>
To: James Bottomley <jejb@...ux.ibm.com>, Esme <esploit@...tonmail.ch>,
"dgilbert@...erlog.com" <dgilbert@...erlog.com>,
"martin.petersen@...cle.com" <martin.petersen@...cle.com>,
"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
linux-mm@...ck.org
Subject: Re: PROBLEM: syzkaller found / pool corruption-overwrite / page in
user-area or NULL
On Thu, 2019-01-10 at 11:58 -0800, James Bottomley wrote:
> On Thu, 2019-01-10 at 19:12 +0000, Esme wrote:
> > Sorry for the resend some mail servers rejected the mime type.
> >
> > Hi, I've been getting more into Kernel stuff lately and forged ahead
> > with some syzkaller bug finding. I played with reducing it further
> > as you can see from the attached c code but am moving on and hope to
> > get better about this process moving forward as I'm still building
> > out my test systems/debugging tools.
> >
> > Attached is the report and C repro that still triggers on a fresh git
> > pull as of a few minutes ago, if you need anything else please let me
> > know.
> > Esme
> >
> > Linux syzkaller 5.0.0-rc1+ #5 SMP Tue Jan 8 20:39:33 EST 2019 x86_64
> > GNU/Linux
>
> I'm not sure I'm reading this right, but it seems that a simple
> allocation inside block/scsi_ioctl.h
>
> buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);
>
> (where bytes is < 4k) caused a slub padding check failure on free.
> From the internal details, the freeing entity seems to be KASAN as part
> of its quarantine reduction (albeit triggered by this kzalloc). I'm
> not remotely familiar with what KASAN is doing, but it seems the memory
> corruption problem is somewhere within the KASAN tracking?
>
> I added linux-mm in case they can confirm this diagnosis or give me a
> pointer to what might be wrong in scsi.
>
Well, need your .config and /proc/cmdline then.
Powered by blists - more mailing lists