Message-ID: <20200911215903.GA16973@lca.pw>
Date: Fri, 11 Sep 2020 17:59:04 -0400
From: Qian Cai <cai@....pw>
To: viro@...iv.linux.org.uk
Cc: torvalds@...ux-foundation.org, vgoyal@...hat.com,
miklos@...redi.hu, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: slab-out-of-bounds in iov_iter_revert()
Super easy to reproduce on today's mainline by just fuzzing for a few minutes
on virtiofs (if it ever matters). Any thoughts?
[ 511.089112] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0xd8/0x3c0
iov_iter_revert at lib/iov_iter.c:1135
(inlined by) iov_iter_revert at lib/iov_iter.c:1080
[ 511.092650] Read of size 8 at addr ffff88869e11dff8 by task trinity-c1/11868
[ 511.096178]
[ 511.096897] CPU: 20 PID: 11868 Comm: trinity-c1 Not tainted 5.9.0-rc4+ #1
[ 511.100257] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014
[ 511.103999] Call Trace:
[ 511.105002] dump_stack+0x7c/0xb0
[ 511.106329] ? iov_iter_revert+0xd8/0x3c0
[ 511.107915] print_address_description.constprop.7+0x1e/0x230
[ 511.110193] ? kmsg_dump_rewind_nolock+0x59/0x59
[ 511.112038] ? _raw_write_lock_irqsave+0xe0/0xe0
[ 511.113890] ? iov_iter_revert+0xd8/0x3c0
[ 511.115469] ? iov_iter_revert+0xd8/0x3c0
[ 511.117082] kasan_report.cold.9+0x37/0x86
[ 511.118711] ? do_readv+0x20/0x1b0
[ 511.120078] ? iov_iter_revert+0xd8/0x3c0
[ 511.122614] iov_iter_revert+0xd8/0x3c0
[ 511.124673] generic_file_read_iter+0x139/0x220
[ 511.127386] fuse_file_read_iter+0x239/0x270 [fuse]
[ 511.130229] ? fuse_direct_IO+0x600/0x600 [fuse]
[ 511.133491] ? rwsem_optimistic_spin+0x3d0/0x3d0
[ 511.137177] ? wake_up_q+0x92/0xd0
[ 511.139702] ? kasan_unpoison_shadow+0x30/0x40
[ 511.142518] do_iter_readv_writev+0x307/0x350
[ 511.144850] ? no_seek_end_llseek_size+0x20/0x20
[ 511.147155] do_iter_read+0x13f/0x2e0
[ 511.148696] vfs_readv+0xcc/0x130
[ 511.150118] ? compat_rw_copy_check_uvector+0x1e0/0x1e0
[ 511.152300] ? enqueue_hrtimer+0x60/0x100
[ 511.154043] ? hrtimer_start_range_ns+0x32f/0x4c0
[ 511.157561] ? hrtimer_run_softirq+0x100/0x100
[ 511.161514] ? _raw_spin_lock_irq+0x7b/0xd0
[ 511.164570] ? _raw_write_unlock_irqrestore+0x20/0x20
[ 511.167568] ? hrtimer_active+0x71/0xa0
[ 511.169331] ? mutex_lock+0x8e/0xe0
[ 511.171694] ? __mutex_lock_slowpath+0x10/0x10
[ 511.174580] ? perf_call_bpf_enter.isra.21+0x110/0x110
[ 511.177926] ? __fget_light+0xa3/0x100
[ 511.179916] do_readv+0xc1/0x1b0
[ 511.181331] ? vfs_readv+0x130/0x130
[ 511.182867] ? ktime_get_coarse_real_ts64+0x4a/0x70
[ 511.185455] do_syscall_64+0x33/0x40
[ 511.188008] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 511.191314] RIP: 0033:0x7f11e9b4578d
[ 511.193639] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08
[ 511.202148] RSP: 002b:00007fff9b5eec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
[ 511.205620] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007f11e9b4578d
[ 511.210533] RDX: 0000000000000091 RSI: 0000000002c49450 RDI: 00000000000000e1
[ 511.214992] RBP: 0000000000000013 R08: 000000008d8d8d8d R09: 00000000000002d2
[ 511.218631] R10: 00000020845754a0 R11: 0000000000000246 R12: 0000000000000002
[ 511.221595] R13: 00007f11ea227058 R14: 00007f11ea2356c0 R15: 00007f11ea227000
[ 511.225949]
[ 511.227008] Allocated by task 11748:
[ 511.229204] kasan_save_stack+0x19/0x40
[ 511.231404] __kasan_kmalloc.constprop.8+0xc1/0xd0
[ 511.234647] perf_event_mmap+0x28f/0x5f0
[ 511.237170] mmap_region+0x1cc/0xa50
[ 511.239192] do_mmap+0x3e5/0x6a0
[ 511.241337] vm_mmap_pgoff+0x15f/0x1b0
[ 511.243586] ksys_mmap_pgoff+0x2d3/0x320
[ 511.245903] do_syscall_64+0x33/0x40
[ 511.247914] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 511.250139]
[ 511.250797] Freed by task 11748:
[ 511.252160] kasan_save_stack+0x19/0x40
[ 511.253775] kasan_set_track+0x1c/0x30
[ 511.255348] kasan_set_free_info+0x1b/0x30
[ 511.257072] __kasan_slab_free+0x108/0x150
[ 511.258785] kfree+0x95/0x380
[ 511.260050] perf_event_mmap+0x4aa/0x5f0
[ 511.261694] mmap_region+0x1cc/0xa50
[ 511.263198] do_mmap+0x3e5/0x6a0
[ 511.264564] vm_mmap_pgoff+0x15f/0x1b0
[ 511.266133] ksys_mmap_pgoff+0x2d3/0x320
[ 511.267773] do_syscall_64+0x33/0x40
[ 511.269276] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 511.272756]
[ 511.273583] The buggy address belongs to the object at ffff88869e11c000
[ 511.273583] which belongs to the cache kmalloc-4k of size 4096
[ 511.281456] The buggy address is located 4088 bytes to the right of
[ 511.281456] 4096-byte region [ffff88869e11c000, ffff88869e11d000)
[ 511.288473] The buggy address belongs to the page:
[ 511.291093] page:0000000073d20fbc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69e118
[ 511.296681] head:0000000073d20fbc order:3 compound_mapcount:0 compound_pincount:0
[ 511.301118] flags: 0x17ffffc0010200(slab|head)
[ 511.303426] raw: 0017ffffc0010200 0000000000000000 0000000300000001 ffff888107c4ef80
[ 511.307482] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 511.310957] page dumped because: kasan: bad access detected
[ 511.313233]
[ 511.313867] Memory state around the buggy address:
[ 511.315849] ffff88869e11de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 511.318933] ffff88869e11df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 511.322715] >ffff88869e11df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 511.325993] ^
[ 511.330020] ffff88869e11e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 511.334333] ffff88869e11e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00