lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+aRxn2Wgr7OuZRMb-PbvpJqbeLVUAkygUd_2y6+4u_5Jg@mail.gmail.com>
Date:   Thu, 25 Jul 2019 11:51:36 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Marcel Holtmann <marcel@...tmann.org>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        syzbot <syzbot+0abbda0523882250a97a@...kaller.appspotmail.com>
Subject: Re: KASAN: use-after-free Read in h5_rx_3wire_hdr

On Thu, Jul 25, 2019 at 11:44 AM Marcel Holtmann <marcel@...tmann.org> wrote:
>
> Hi Dmitry,
>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit:    6d21a41b Add linux-next specific files for 20190718
> >> git tree:       linux-next
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1377958fa00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=3430a151e1452331
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=0abbda0523882250a97a
> >> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=113e2bb7a00000
> >
> > +drivers/bluetooth/hci_h5.c maintainers
> >
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+0abbda0523882250a97a@...kaller.appspotmail.com
> >>
> >> ==================================================================
> >> BUG: KASAN: use-after-free in h5_rx_3wire_hdr+0x35d/0x3c0
> >> /drivers/bluetooth/hci_h5.c:438
> >> Read of size 1 at addr ffff8880a161d1c8 by task syz-executor.4/12040
> >>
> >> CPU: 1 PID: 12040 Comm: syz-executor.4 Not tainted 5.2.0-next-20190718 #41
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >> Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack /lib/dump_stack.c:77 [inline]
> >>  dump_stack+0x172/0x1f0 /lib/dump_stack.c:113
> >>  print_address_description.cold+0xd4/0x306 /mm/kasan/report.c:351
> >>  __kasan_report.cold+0x1b/0x36 /mm/kasan/report.c:482
> >>  kasan_report+0x12/0x17 /mm/kasan/common.c:612
> >>  __asan_report_load1_noabort+0x14/0x20 /mm/kasan/generic_report.c:129
> >>  h5_rx_3wire_hdr+0x35d/0x3c0 /drivers/bluetooth/hci_h5.c:438
> >>  h5_recv+0x32f/0x500 /drivers/bluetooth/hci_h5.c:563
> >>  hci_uart_tty_receive+0x279/0x790 /drivers/bluetooth/hci_ldisc.c:600
> >>  tiocsti /drivers/tty/tty_io.c:2197 [inline]
> >>  tty_ioctl+0x949/0x14f0 /drivers/tty/tty_io.c:2573
> >>  vfs_ioctl /fs/ioctl.c:46 [inline]
> >>  file_ioctl /fs/ioctl.c:509 [inline]
> >>  do_vfs_ioctl+0xdb6/0x13e0 /fs/ioctl.c:696
> >>  ksys_ioctl+0xab/0xd0 /fs/ioctl.c:713
> >>  __do_sys_ioctl /fs/ioctl.c:720 [inline]
> >>  __se_sys_ioctl /fs/ioctl.c:718 [inline]
> >>  __x64_sys_ioctl+0x73/0xb0 /fs/ioctl.c:718
> >>  do_syscall_64+0xfd/0x6a0 /arch/x86/entry/common.c:296
> >>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> RIP: 0033:0x459819
> >> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> >> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> >> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> >> RSP: 002b:00007f7a3b459c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> >> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
> >> RDX: 0000000020000080 RSI: 0000000000005412 RDI: 0000000000000003
> >> RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a3b45a6d4
> >> R13: 00000000004c408a R14: 00000000004d7ff0 R15: 00000000ffffffff
>
> Is this happening on specific hardware?

> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ