| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Mar 2021 11:47:44 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com>
Cc: Albert Ou <aou@...s.berkeley.edu>,
LKML <linux-kernel@...r.kernel.org>,
linux-riscv <linux-riscv@...ts.infradead.org>,
Marc Zyngier <maz@...nel.org>,
Palmer Dabbelt <palmer@...belt.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
On Sun, Mar 14, 2021 at 11:14 AM syzbot
<syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>
> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> Hardware name: riscv-virtio,qemu (DT)
> Workqueue: events nsim_dev_trap_report_work
> Call Trace:
> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>
> Allocated by task 76347056:
> (stack is not available)
>
> Last potentially related work creation:
There seems to be some issue with riscv stack unwinder.
This does not have stacks.
"BUG: unable to handle kernel access to user memory in schedule_tail"
does not have proper stacks:
https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee
I also found 2 riscv reports in "KASAN: use-after-free Read in
idr_for_each (2)":
https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3
both don't have any stacks:
==================================================================
BUG: KASAN: use-after-free in radix_tree_next_slot
include/linux/radix-tree.h:422 [inline]
BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828
CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted
5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
Allocated by task 4828:
(stack is not available)
Freed by task 4473:
(stack is not available)
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists