| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Dec 2021 07:47:18 -0800
From: syzbot <syzbot+3ae6a2b06f131ab9849f@...kaller.appspotmail.com>
To: akpm@...ux-foundation.org, andreyknvl@...gle.com,
dvyukov@...gle.com, gregkh@...uxfoundation.org,
gustavoars@...nel.org, jun.li@....com, keescook@...omium.org,
kishon@...com, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, m.szyprowski@...sung.com,
noring@...rew.org, pastor.winkley@...ytabernacleint.org,
peter.chen@....com, stern@...land.harvard.edu,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
(2)
syzbot has found a reproducer for the following issue on:
HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2b06f131ab9849f@...kaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x71a/0x910 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x392/0x7a3 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
_dev_warn+0x11e/0x165 drivers/base/core.c:4661
checkintf drivers/usb/core/devio.c:826 [inline]
do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8c54137a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
</TASK>
Allocated by task 3616:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc+0x253/0x380 mm/slub.c:4423
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801dd0d780
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88801dd0d780, ffff88801dd0d788)
The buggy address belongs to the page:
page:ffffea0000774340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dd0d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000077d900 dead000000000002 ffff888011441280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 8565550793, free_ts 8556148454
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab+0xcc/0x540 mm/slub.c:1930
new_slab mm/slub.c:1993 [inline]
___slab_alloc+0x41e/0xc40 mm/slub.c:3022
__slab_alloc mm/slub.c:3109 [inline]
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2eb/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
kzalloc include/linux/slab.h:724 [inline]
smk_parse_smack+0x18e/0x220 security/smack/smack_access.c:468
smk_import_entry+0x22/0x400 security/smack/smack_access.c:566
smk_fetch security/smack/smack_lsm.c:300 [inline]
smack_d_instantiate+0x6ac/0xd10 security/smack/smack_lsm.c:3417
security_d_instantiate+0xa5/0x100 security/security.c:2040
d_instantiate+0x51/0x90 fs/dcache.c:2008
shmem_mknod+0x165/0x1b0 mm/shmem.c:2842
shmem_mkdir+0x2e/0x60 mm/shmem.c:2881
vfs_mkdir+0x44d/0x680 fs/namei.c:3883
dev_mkdir drivers/base/devtmpfs.c:165 [inline]
create_path drivers/base/devtmpfs.c:190 [inline]
handle_create drivers/base/devtmpfs.c:209 [inline]
handle drivers/base/devtmpfs.c:380 [inline]
devtmpfs_work_loop+0x386/0x1080 drivers/base/devtmpfs.c:395
devtmpfsd+0x44/0x50 drivers/base/devtmpfs.c:437
kthread+0x468/0x490 kernel/kthread.c:327
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3425
release_pages+0x15a7/0x17d0 mm/swap.c:980
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x3dd/0x6f0 mm/mmap.c:3172
__mmput+0x111/0x3a0 kernel/fork.c:1113
free_bprm+0x136/0x2f0 fs/exec.c:1481
kernel_execve+0x740/0x9a0 fs/exec.c:1978
call_usermodehelper_exec_async+0x262/0x3b0 kernel/umh.c:112
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff88801dd0d680: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
ffff88801dd0d700: fc 00 fc fc fc fc 00 fc fc fc fc fb fc fc fc fc
>ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
^
ffff88801dd0d800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc
ffff88801dd0d880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e9 71 fa ff ff jmpq 0xfffffa76
5: e8 a7 70 1a 00 callq 0x1a70b1
a: e8 62 4b a0 08 callq 0x8a04b71
f: 48 83 7c 24 38 00 cmpq $0x0,0x38(%rsp)
15: 74 dd je 0xfffffff4
17: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1e: 00 00 00
21: e8 8b 70 1a 00 callq 0x1a70b1
26: fb sti
27: 31 ff xor %edi,%edi
* 29: 44 89 f6 mov %r14d,%esi <-- trapping instruction
2c: e8 90 74 1a 00 callq 0x1a74c1
31: 31 db xor %ebx,%ebx
33: 45 85 f6 test %r14d,%r14d
36: 0f 95 c0 setne %al
39: 89 c1 mov %eax,%ecx
3b: 0a 4c 24 0f or 0xf(%rsp),%cl
Powered by blists - more mailing lists