| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Nov 2019 22:06:45 +1100
From: Duncan Roe <duncan_roe@...usnet.com.au>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: cmetcalf@...hip.com, coreteam@...filter.org, davem@...emloft.net,
dvyukov@...gle.com, gang.chen.5i5j@...il.com, kaber@...sh.net,
kadlec@...ckhole.kfki.hu, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, pablo@...filter.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in blkdev_get
On Sun, Nov 24, 2019 at 07:30:35PM +0000, Al Viro wrote:
> On Sun, Nov 24, 2019 at 11:07:00AM -0800, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit 77ef8f5177599efd0cedeb52c1950c1bd73fa5e3
> > Author: Chris Metcalf <cmetcalf@...hip.com>
> > Date: Mon Jan 25 20:05:34 2016 +0000
> >
> > tile kgdb: fix bug in copy to gdb regs, and optimize memset
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1131bc0ee00000
> > start commit: f5b7769e Revert "debugfs: inode: debugfs_create_dir uses m..
> > git tree: upstream
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=1331bc0ee00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1531bc0ee00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=709f8187af941e84
> > dashboard link: https://syzkaller.appspot.com/bug?extid=eaeb616d85c9a0afec7d
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177f898f800000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147eb85f800000
> >
> > Reported-by: syzbot+eaeb616d85c9a0afec7d@...kaller.appspotmail.com
> > Fixes: 77ef8f517759 ("tile kgdb: fix bug in copy to gdb regs, and optimize
> > memset")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> Seriously? How can the commit in question (limited to arch/tile/kernel/kgdb.c)
> possibly affect a bug that manages to produce a crash report with
> RSP: 0018:ffffffff82e03eb8 EFLAGS: 00000282
> RAX: 0000000000000000 RBX: ffffffff82e00000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81088779
> RBP: ffffffff82e03eb8 R08: 0000000000000000 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff82e00000
> FS: 0000000000000000(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c420447ff8 CR3: 0000000213184000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> in it? Unless something very odd has happened to tile, this crash has
> been observed on 64bit x86; the names of registers alone are enough
> to be certain of that.
>
> And the binaries produced by an x86 build should not be affected by any
> changes in arch/tile; not unless something is very wrong with the build
> system. It's not even that this commit has fixed an earlier bug that
> used to mask the one manifested here - it really should have had zero
> impact on x86 builds, period.
>
> So I'm sorry, but I'm calling bullshit. Something's quite wrong with
> the bot - either its build system or the bisection process.
The acid test would be: does reverting that commit make the problem go away?
See, for example, https://bugzilla.kernel.org/show_bug.cgi?id=203935
Cheers ... Duncan.
Powered by blists - more mailing lists