| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Mar 2021 20:21:15 +0800
From: Kefeng Wang <wangkefeng.wang@...wei.com>
To: Dmitry Vyukov <dvyukov@...gle.com>,
syzbot <syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com>
CC: Albert Ou <aou@...s.berkeley.edu>,
LKML <linux-kernel@...r.kernel.org>,
linux-riscv <linux-riscv@...ts.infradead.org>,
Marc Zyngier <maz@...nel.org>,
Palmer Dabbelt <palmer@...belt.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in riscv_intc_irq
On 2021/3/14 18:47, Dmitry Vyukov wrote:
> On Sun, Mar 14, 2021 at 11:14 AM syzbot
> <syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas..
>> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15a35756d00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=81c0b708b31626cc
>> dashboard link: https://syzkaller.appspot.com/bug?extid=005654dd9b8f26bd4c07
>> userspace arch: riscv64
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+005654dd9b8f26bd4c07@...kaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in riscv_intc_irq+0x24/0xcc drivers/irqchip/irq-riscv-intc.c:24
>> Read of size 8 at addr ffffffe00c963bd0 by task kworker/1:1/4388
>>
>> CPU: 1 PID: 4388 Comm: kworker/1:1 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
>> Hardware name: riscv-virtio,qemu (DT)
>> Workqueue: events nsim_dev_trap_report_work
>> Call Trace:
>> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>>
>> Allocated by task 76347056:
>> (stack is not available)
>>
>> Last potentially related work creation:
> There seems to be some issue with riscv stack unwinder.
> This does not have stacks.
Hi, could you test with the following patch about the no stack
issue(from v5.11-rc4), I made a mistake when do some cleanup...
https://lore.kernel.org/linux-riscv/ce5b3533-b75d-c31c-4319-9d29769bbbd5@huawei.com/T/#t
> "BUG: unable to handle kernel access to user memory in schedule_tail"
> does not have proper stacks:
> https://syzkaller.appspot.com/bug?id=9de8c24d24004fd5e482555f5ad8314da2fb1cee
>
> I also found 2 riscv reports in "KASAN: use-after-free Read in
> idr_for_each (2)":
> https://syzkaller.appspot.com/bug?id=7f84dfc3902878befc22e52eb5c7298d0ad70cf3
>
> both don't have any stacks:
>
> ==================================================================
> BUG: KASAN: use-after-free in radix_tree_next_slot
> include/linux/radix-tree.h:422 [inline]
> BUG: KASAN: use-after-free in idr_for_each+0xf4/0x160 lib/idr.c:202
> Read of size 8 at addr ffffffe010c00878 by task syz-executor.1/4828
>
> CPU: 0 PID: 4828 Comm: syz-executor.1 Not tainted
> 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> [<ffffffe0000096c0>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>
> Allocated by task 4828:
> (stack is not available)
>
> Freed by task 4473:
> (stack is not available)
>
>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@...glegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@...ts.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
> .
>
Powered by blists - more mailing lists