lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 14 Oct 2021 10:35:20 +0800
From:   Hao Sun <sunhao.th@...il.com>
To:     Greg KH <gregkh@...uxfoundation.org>, len.brown@...el.com,
        linux-pm@...r.kernel.org, rafael@...nel.org, pavel@....cz
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: KASAN: null-ptr-deref Write in __pm_runtime_resume

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
console output:
https://drive.google.com/file/d/1PxZuz-gH7uq_cTOv4acy5QHJJdeDLtUP/view?usp=sharing
kernel config: https://drive.google.com/file/d/1em3xgUIMNN_-LUUdySzwN-UDPc3qiiKD/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1MvRSzjAxkpHTM5OheyQQOjSEsLdSNsFl/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/1tL_4a8DbjmlbQ7pylunO9cCp24bFNh9k/view?usp=sharing

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@...il.com>

Bluetooth: : Invalid header checksum
Bluetooth: : Invalid header checksum
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write
include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc
include/linux/atomic/atomic-instrumented.h:181 [inline]
BUG: KASAN: null-ptr-deref in __pm_runtime_resume+0x132/0x180
drivers/base/power/runtime.c:1105
Write of size 4 at addr 0000000000000388 by task kworker/u9:4/661

CPU: 0 PID: 661 Comm: kworker/u9:4 Not tainted 5.15.0-rc5 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x14e/0x1b0 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
 __pm_runtime_resume+0x132/0x180 drivers/base/power/runtime.c:1105
 pm_runtime_get include/linux/pm_runtime.h:374 [inline]
 h5_recv+0x2c4/0x680 drivers/bluetooth/hci_h5.c:590
 hci_uart_tty_receive+0x24d/0x710 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x14d/0x190 drivers/tty/tty_buffer.c:475
 tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:39
 receive_buf drivers/tty/tty_buffer.c:491 [inline]
 flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:543
 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2297
 worker_thread+0x90/0xed0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ