| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Aug 2020 09:23:35 -0600
From: Jens Axboe <axboe@...nel.dk>
To: syzbot <syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com>,
io-uring@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk
Subject: Re: memory leak in io_submit_sqes
On 8/11/20 8:59 AM, Jens Axboe wrote:
> On 8/11/20 7:57 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13cb0762900000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=42163327839348a9
>> dashboard link: https://syzkaller.appspot.com/bug?extid=a730016dc0bdce4f6ff5
>> compiler: gcc (GCC) 10.1.0-syz 20200507
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16e877dc900000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1608291a900000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com
>>
>> executing program
>> executing program
>> executing program
>> executing program
>> executing program
>> BUG: memory leak
>> unreferenced object 0xffff888124949100 (size 256):
>> comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>> hex dump (first 32 bytes):
>> 00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00 .xt*............
>> 90 b0 51 81 ff ff ff ff 00 00 00 00 00 00 00 00 ..Q.............
>> backtrace:
>> [<0000000084e46f34>] io_alloc_req fs/io_uring.c:1503 [inline]
>> [<0000000084e46f34>] io_submit_sqes+0x5dc/0xc00 fs/io_uring.c:6306
>> [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>> [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>> [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> BUG: memory leak
>> unreferenced object 0xffff88811751d200 (size 96):
>> comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>> hex dump (first 32 bytes):
>> 00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00 .xt*............
>> 0e 01 00 00 00 00 75 22 00 00 00 00 00 0f 1f 04 ......u"........
>> backtrace:
>> [<00000000073ea2ba>] kmalloc include/linux/slab.h:555 [inline]
>> [<00000000073ea2ba>] io_arm_poll_handler fs/io_uring.c:4773 [inline]
>> [<00000000073ea2ba>] __io_queue_sqe+0x445/0x6b0 fs/io_uring.c:5988
>> [<000000001551bde0>] io_queue_sqe+0x309/0x550 fs/io_uring.c:6060
>> [<000000002dfb908f>] io_submit_sqe fs/io_uring.c:6130 [inline]
>> [<000000002dfb908f>] io_submit_sqes+0x8b8/0xc00 fs/io_uring.c:6327
>> [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>> [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>> [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> This one looks very odd, and I cannot reproduce it. The socket() calls
> reliably fails for me, and even if I hack it to use 0 for protocol instead
> of 2, I don't see anything interesting happening here. An IORING_OP_WRITEV
> is submitted on the socket, which just fails with ENOTCONN.
Dug a bit deeper and found the missing option, I can now reproduce this!
I'll take a look.
--
Jens Axboe
Powered by blists - more mailing lists