lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 2 Dec 2019 07:40:31 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+5320383e16029ba057ff@...kaller.appspotmail.com>,
        Jens Axboe <axboe@...nel.dk>,
        Al Viro <viro@...iv.linux.org.uk>, io-uring@...r.kernel.org,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>
Cc:     Anna.Schumaker@...app.com,
        Casey Schaufler <casey@...aufler-ca.com>,
        David Howells <dhowells@...hat.com>,
        Jann Horn <jannh@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>, NeilBrown <neilb@...e.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: general protection fault in override_creds

On Mon, Dec 2, 2019 at 7:35 AM syzbot
<syzbot+5320383e16029ba057ff@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10f9ffcee00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> dashboard link: https://syzkaller.appspot.com/bug?extid=5320383e16029ba057ff
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12dd682ae00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16290abce00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5320383e16029ba057ff@...kaller.appspotmail.com

I think this relates to fs/io_uring.c rather than kernel/cred.c.
+io_uring maintainers

> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
> RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
> RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
> Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
> 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
> RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
> RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
> RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
> R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
> R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274
>   kthread+0x361/0x430 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> Modules linked in:
> ---[ end trace f2e1a4307fbe2245 ]---
> RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
> RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
> RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
> Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
> 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
> RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
> RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
> RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
> R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
> R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000da160a0598b2c704%40google.com.

Powered by blists - more mailing lists