| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Feb 2021 11:17:06 -0700
From: Shuah Khan <skhan@...uxfoundation.org>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Hillf Danton <hdanton@...a.com>,
syzbot <syzbot+95ce4b142579611ef0a9@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Andrey Konovalov <andreyknvl@...gle.com>,
Valentina Manea <valentina.manea.m@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
syzkaller-bugs@...glegroups.com,
Shuah Khan <skhan@...uxfoundation.org>
Subject: Re: general protection fault in tomoyo_socket_sendmsg_permission
On 1/29/21 7:25 PM, Tetsuo Handa wrote:
> On 2021/01/30 6:18, Shuah Khan wrote:
>> In this console log:
>
> It seems "this console log" refers to https://syzkaller.appspot.com/x/log.txt?x=10453034500000 .
>
>>
>> 06:57:50 executing program 1:
>> socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff})
>> sendmsg$BATADV_CMD_GET_TRANSTABLE_LOCAL(r0, &(0x7f00000002c0)={&(0x7f00000001c0), 0xc, &(0x7f0000000280)={0x0, 0xd001010000000000}}, 0x0)
>>
>> [ 1151.090883][T23361] vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(4)
>> [ 1151.097445][T23361] vhci_hcd vhci_hcd.0: devid(0) speed(1) speed_str(low-speed)
>> 06:57:50 executing program 0:
>> r0 = syz_open_dev$binderN(&(0x7f0000000680)='/dev/binder#\x00', 0x0, 0x0)
>> ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000cc0)={0x88, 0x0, &(0x7f0000000b80)=[@transaction={0x40406300, {0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
>>
>> [ 1151.164402][T23363] vhci_hcd: connection closed
>> [ 1151.167346][ T240] vhci_hcd: stop threads
>>
>>
>> [ 1151.178329][T26761] usb 17-1: new low-speed USB device number 2 using vhci_hcd
>>
>>
>> SK: Looking at the console log, it looks like while connection is being
>> torn down,
>
> Excuse me, but it looks like (what comes here) while connection is being torn down ?
> I'm not familiar with driver code.
>
>>
>>
>> [ 1151.181245][ T240] vhci_hcd: release socket
>>
>>
>> Can you share your your test code for this program:
>> "executing program 1"
>
> I don't think program 1 is relevant. I think program 4
>
> 06:57:50 executing program 4:
> r0 = socket$tipc(0x1e, 0x2, 0x0)
> syz_usbip_server_init(0x1)
> close_range(r0, 0xffffffffffffffff, 0x0)
>
> which calls syz_usbip_server_init() as with other duplicates is relevant.
>
>>
>> Also your setup? Do you run usbip_host and vhci_hcd both?
>
> Who are you referring to with "you/your" ? I'm not running syzkaller in my setup
> and I don't have test code.
>
> I'm just proposing printing more messages in order to confirm the ordering of
> events and member values in structures.
>
I am looking to understand the syzbot configuration and a reproducer
to be able to debug and fix the problem. How is syzbot triggering the
vhci_hcd attach and detach sequence?
This helps me determine all these fix suggestions that are coming in
are fixes or papering over a real problem.
thanks,
-- Shuah
Powered by blists - more mailing lists