lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <245f52f4-8b27-6477-2012-78e42398167d@gmail.com>
Date:   Tue, 3 Aug 2021 14:18:47 +0100
From:   Pavel Begunkov <asml.silence@...il.com>
To:     Sudip Mukherjee <sudipm.mukherjee@...il.com>
Cc:     Jens Axboe <axboe@...nel.dk>, io-uring@...r.kernel.org,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: KASAN: stack-out-of-bounds in iov_iter_revert

On 8/3/21 11:34 AM, Pavel Begunkov wrote:
> On 8/3/21 8:47 AM, Sudip Mukherjee wrote:
>> On Mon, Aug 2, 2021 at 12:55 PM Pavel Begunkov <asml.silence@...il.com> wrote:
>>> On 8/1/21 9:28 PM, Sudip Mukherjee wrote:
>>>> On Sun, Aug 1, 2021 at 9:52 AM Pavel Begunkov <asml.silence@...il.com> wrote:
>>>>> On 8/1/21 1:10 AM, Pavel Begunkov wrote:
>>>>>> On 7/31/21 7:21 PM, Sudip Mukherjee wrote:
>>>>>>> Hi Jens, Pavel,
>>>>>>>
>>>>>>> We had been running syzkaller on v5.10.y and a "KASAN:
>>>>>>> stack-out-of-bounds in iov_iter_revert" was being reported on it. I
>>>>>>> got some time to check that today and have managed to get a syzkaller
>>>>>>> reproducer. I dont have a C reproducer which I can share but I can use
>>>>>>> the syz-reproducer to reproduce this with v5.14-rc3 and also with
>>>>>>> next-20210730.
>>>>>>
>>>>>> Can you try out the diff below? Not a full-fledged fix, but need to
>>>>>> check a hunch.
>>>>>>
>>>>>> If that's important, I was using this branch:
>>>>>> git://git.kernel.dk/linux-block io_uring-5.14
>>>>>
>>>>> Or better this one, just in case it ooopses on warnings.
>>>>
>>>> I tested this one on top of "git://git.kernel.dk/linux-block
>>>> io_uring-5.14" and the issue was still seen, but after the BUG trace I
>>>> got lots of "truncated wr" message. The trace is:
>>>
>>> That's interesting, thanks
>>> Can you share the syz reproducer?
>>
>> Unfortunately I dont have a C reproducer, but this is the reproducer
>> for syzkaller:
> 
> Thanks. Maybe I'm not perfectly familiar with syz, but were there
> any options? Like threaded, collide, etc.?

Never mind, reproduced the issue.

fwiw, I was too optimistic with u16 in the diff, but if
replaced with size_t, it solves the out-of-bounds bug,
but it has another issue.

In any case, need to patch it up, thanks

-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ