| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jun 2020 17:25:28 +0200
From: Paolo Bonzini <pbonzini@...hat.com>
To: syzbot <syzbot+e0240f9c36530bda7130@...kaller.appspotmail.com>,
bp@...en8.de, hpa@...or.com, jmattson@...gle.com, joro@...tes.org,
kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
mingo@...hat.com, sean.j.christopherson@...el.com,
syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
vkuznets@...hat.com, wanpengli@...cent.com, x86@...nel.org
Subject: Re: KASAN: out-of-bounds Read in kvm_arch_hardware_setup
The reproducer has nothing to do with KVM:
# https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
but the stack trace does. On the other hand, the address seems okay:
kvm_cpu_caps+0x24/0x50
and there are tons of other kvm_cpu_cap_get calls that aren't causing
KASAN to complain. The variable is initialized from
kvm_arch_hardware_setup
hardware_setup (in arch/x86/kvm/vmx/vmx.c)
vmx_set_cpu_caps
kvm_set_cpu_caps
with a simple memcpy that writes the entire array. Does anyone understand
what is going on here?
Paolo
On 27/06/20 22:01, syzbot wrote:
> BUG: KASAN: out-of-bounds in kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
> BUG: KASAN: out-of-bounds in kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
> BUG: KASAN: out-of-bounds in kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
> BUG: KASAN: out-of-bounds in kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
> Read of size 4 at addr ffffffff896c3134 by task syz-executor614/6786
>
> CPU: 1 PID: 6786 Comm: syz-executor614 Not tainted 5.7.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> print_address_description+0x66/0x5a0 mm/kasan/report.c:383
> __kasan_report mm/kasan/report.c:513 [inline]
> kasan_report+0x132/0x1d0 mm/kasan/report.c:530
> kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
> kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
> kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
> kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
> </IRQ>
>
> The buggy address belongs to the variable:
> kvm_cpu_caps+0x24/0x50
>
> Memory state around the buggy address:
> ffffffff896c3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff896c3080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffffffff896c3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ^
> ffffffff896c3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff896c3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
Powered by blists - more mailing lists