lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 26 May 2019 08:39:50 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+3d04999521633dceb439@...kaller.appspotmail.com>,
        bpf <bpf@...r.kernel.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in class_equal

On Sat, May 25, 2019 at 7:38 PM syzbot
<syzbot+3d04999521633dceb439@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    af5136f9 selftests/net: SO_TXTIME with ETF and FQ
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13164ee4a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fc045131472947d7
> dashboard link: https://syzkaller.appspot.com/bug?extid=3d04999521633dceb439
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1661b6e4a00000

Looking at the reproducer, it may be bpf-related. +bpf mailing list.


> Bisection is inconclusive: the first bad commit could be any of:
>
> 7c00e8ae Merge tag 'armsoc-soc' of
> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
> a2b7ab45 Merge tag 'linux-watchdog-4.18-rc1' of
> git://www.linux-watchdog.org/linux-watchdog
> 721afaa2 Merge tag 'armsoc-dt' of
> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1062daaaa00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3d04999521633dceb439@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in class_equal+0x40/0x50
> kernel/locking/lockdep.c:1527
> Read of size 8 at addr ffff8880813cdab0 by task syz-executor.0/9147
>
> CPU: 0 PID: 9147 Comm: syz-executor.0 Not tainted 5.2.0-rc1+ #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> Allocated by task 2266519551:
> ------------[ cut here ]------------
> kernel BUG at mm/slab.c:4178!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9147 Comm: syz-executor.0 Not tainted 5.2.0-rc1+ #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__check_heap_object+0xa5/0xb3 mm/slab.c:4178
> Code: 2b 48 c7 c7 4d fc 61 88 e8 28 ad 07 00 5d c3 41 8b 91 04 01 00 00 48
> 29 c7 48 39 d7 77 bd 48 01 d0 48 29 c8 4c 39 c0 72 b2 c3 <0f> 0b 48 c7 c7
> 4d fc 61 88 e8 3c b2 07 00 44 89 e1 48 c7 c7 08 fd
> RSP: 0018:ffff8880813cd370 EFLAGS: 00010046
> RAX: 0000000000000001 RBX: 0000000000000001 RCX: 000000000000000c
> RDX: ffff8880813cc340 RSI: 0000000000000000 RDI: ffff8880813cd468
> RBP: ffff8880813cd3c0 R08: 0000000000000001 R09: ffff8880aa594c40
> R10: 0000000000000f23 R11: 0000000000000000 R12: ffff8880813cd468
> R13: ffffea000204f300 R14: ffff8880813cd469 R15: 0000000000000001
> FS:  00005555564e1940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff8c046bd8 CR3: 000000009a952000 CR4: 00000000001406f0
> Call Trace:
> Modules linked in:
> ---[ end trace e78aeeb619bc791b ]---
> RIP: 0010:__check_heap_object+0xa5/0xb3 mm/slab.c:4178
> Code: 2b 48 c7 c7 4d fc 61 88 e8 28 ad 07 00 5d c3 41 8b 91 04 01 00 00 48
> 29 c7 48 39 d7 77 bd 48 01 d0 48 29 c8 4c 39 c0 72 b2 c3 <0f> 0b 48 c7 c7
> 4d fc 61 88 e8 3c b2 07 00 44 89 e1 48 c7 c7 08 fd
> RSP: 0018:ffff8880813cd370 EFLAGS: 00010046
> RAX: 0000000000000001 RBX: 0000000000000001 RCX: 000000000000000c
> RDX: ffff8880813cc340 RSI: 0000000000000000 RDI: ffff8880813cd468
> RBP: ffff8880813cd3c0 R08: 0000000000000001 R09: ffff8880aa594c40
> R10: 0000000000000f23 R11: 0000000000000000 R12: ffff8880813cd468
> R13: ffffea000204f300 R14: ffff8880813cd469 R15: 0000000000000001
> FS:  00005555564e1940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff8c046bd8 CR3: 000000009a952000 CR4: 00000000001406f0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/00000000000016cb560589b9c7c4%40google.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists