| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Oct 2019 20:47:12 -0600
From: Jens Axboe <axboe@...nel.dk>
To: syzbot <syzbot+d958a65633ea70280b23@...kaller.appspotmail.com>,
dvyukov@...gle.com, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk
Subject: Re: KASAN: null-ptr-deref Write in io_wq_cancel_all
On 10/26/19 8:36 PM, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: 139c2d13 Add linux-next specific files for 20191025
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=12888a00e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
> dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160573c0e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d958a65633ea70280b23@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: null-ptr-deref in set_bit
> include/asm-generic/bitops-instrumented.h:28 [inline]
> BUG: KASAN: null-ptr-deref in io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574
> Write of size 8 at addr 0000000000000004 by task syz-executor.2/9365
>
> CPU: 1 PID: 9365 Comm: syz-executor.2 Not tainted 5.4.0-rc4-next-20191025 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> __kasan_report.cold+0x5/0x41 mm/kasan/report.c:510
> kasan_report+0x12/0x20 mm/kasan/common.c:634
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
> __kasan_check_write+0x14/0x20 mm/kasan/common.c:98
> set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
> io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574
> io_ring_ctx_wait_and_kill+0x1e2/0x710 fs/io_uring.c:3679
> io_uring_release+0x42/0x50 fs/io_uring.c:3691
> __fput+0x2ff/0x890 fs/file_table.c:280
> ____fput+0x16/0x20 fs/file_table.c:313
> task_work_run+0x145/0x1c0 kernel/task_work.c:113
> exit_task_work include/linux/task_work.h:22 [inline]
> do_exit+0x904/0x2e60 kernel/exit.c:817
> do_group_exit+0x135/0x360 kernel/exit.c:921
> get_signal+0x47c/0x24f0 kernel/signal.c:2734
> do_signal+0x87/0x1700 arch/x86/kernel/signal.c:815
> exit_to_usermode_loop+0x286/0x380 arch/x86/entry/common.c:159
> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
> syscall_return_slowpath+0x47a/0x530 arch/x86/entry/common.c:274
> ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:344
> RIP: 0033:0x45c909
> Code: ff 48 85 f6 0f 84 d7 8c fb ff 48 83 ee 10 48 89 4e 08 48 89 3e 48 89
> d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 0f 8c
> ae 8c fb ff 74 01 c3 31 ed 48 f7 c7 00 00 01 00 75
> RSP: 002b:00007fe3de137db0 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
> RAX: 0000000000000000 RBX: 00007fe3de138700 RCX: 000000000045c909
> RDX: 00007fe3de1389d0 RSI: 00007fe3de137db0 RDI: 00000000003d0f00
> RBP: 00007ffff688f6a0 R08: 00007fe3de138700 R09: 00007fe3de138700
> R10: 00007fe3de1389d0 R11: 0000000000000202 R12: 0000000000000000
> R13: 00007ffff688f53f R14: 00007fe3de1389c0 R15: 000000000075bfd4
> ==================================================================
This one should be fixed in the current tree, and the version posted
yesterday. I don't know if linux-next has been updated since. I'll
check the reproducer and verify when I get the chance.
--
Jens Axboe
Powered by blists - more mailing lists