lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a47b250f-4008-321d-fca6-73f766115a8b@gmail.com>
Date:   Tue, 14 Jun 2022 22:53:24 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     syzbot <syzbot+b17d3e853d5dce65f981@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in __show_regs

Hi Syzbot,

On 6/14/22 22:05, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    2f3064574275 README.md: ORC is no more a problem
> git tree:       https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=169a2310080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8e6293529531e9ca
> dashboard link: https://syzkaller.appspot.com/bug?extid=b17d3e853d5dce65f981
> compiler:       clang version 15.0.0 (https://github.com/llvm/llvm-project.git 9ffb5944a699b6a0d69c169ceff97636395ee30f), GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14917c2ff00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1303752ff00000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b17d3e853d5dce65f981@...kaller.appspotmail.com
> 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:j1939_session_deactivate net/can/j1939/transport.c:1090 [inline]
> RIP: 0010:j1939_session_deactivate_activate_next+0x271/0x480 net/can/j1939/transport.c:1100
> Code: f4 e9 ed fd ff ff 8b 7d d4 e8 fb 31 13 f4 e9 24 fe ff ff 44 89 ff e8 ee 31 13 f4 41 83 fc 02 0f 83 68 fe ff ff e8 df 70 82 f3 <0f> 0b e9 61 fe ff ff 8b 7d d4 e8 d0 31 13 f4 e9 68 fe ff ff 44 89
> RSP: 0018:ffff888102e3f5c8 EFLAGS: 00010246
> =====================================================
> BUG: KMSAN: uninit-value in __show_regs+0xe6/0x1040 arch/x86/kernel/process_64.c:76

This bug looks unrelated to initial `stack-out-of-bounds Read in 
__show_regs`

>   __show_regs+0xe6/0x1040 arch/x86/kernel/process_64.c:76
>   show_regs+0xc0/0x160 arch/x86/kernel/dumpstack.c:463
>   __warn+0x3c2/0x730 kernel/panic.c:596
>   report_bug+0x8eb/0xae0 lib/bug.c:199
>   handle_bug+0x41/0x70 arch/x86/kernel/traps.c:315
>   exc_invalid_op+0x1b/0x50 arch/x86/kernel/traps.c:335
>   asm_exc_invalid_op+0x12/0x20
>   j1939_session_deactivate_activate_next+0x271/0x480 net/can/j1939/transport.c:1100
>   j1939_xtp_rx_abort_one+0x861/0x900 net/can/j1939/transport.c:1340
>   j1939_xtp_rx_abort net/can/j1939/transport.c:1351 [inline]
>   j1939_tp_cmd_recv net/can/j1939/transport.c:2100 [inline]
>   j1939_tp_recv+0x1534/0x1cd0 net/can/j1939/transport.c:2133
>   j1939_can_recv+0xed0/0x1070 net/can/j1939/main.c:108
>   deliver net/can/af_can.c:574 [inline]
>   can_rcv_filter+0x74b/0x1110 net/can/af_can.c:608
>   can_receive+0x4fb/0x6d0 net/can/af_can.c:665
>   can_rcv+0x1f0/0x490 net/can/af_can.c:696
>   __netif_receive_skb_one_core net/core/dev.c:5405 [inline]
>   __netif_receive_skb+0x1f1/0x640 net/core/dev.c:5519
>   process_backlog+0x4e7/0xb50 net/core/dev.c:5847
>   __napi_poll+0x14e/0xb80 net/core/dev.c:6413
>   napi_poll net/core/dev.c:6480 [inline]
>   net_rx_action+0x7e8/0x1830 net/core/dev.c:6567
>   __do_softirq+0x206/0x809 kernel/softirq.c:558
>   run_ksoftirqd+0x37/0x50 kernel/softirq.c:921
>   smpboot_thread_fn+0x626/0xbf0 kernel/smpboot.c:164
>   kthread+0x3c7/0x500 kernel/kthread.c:376
>   ret_from_fork+0x1f/0x30
> 
> Local variable mic created at:
>   ieee80211_rx_h_michael_mic_verify+0x54/0x10f0 net/mac80211/wpa.c:100
>   ieee80211_rx_handlers+0x2d31/0xf170 net/mac80211/rx.c:3929
> 

Anyway, looks like missing error handling of michael_mic. `michael_mic` 
may fail in a lot of cases and mic will be uninitialized in case of 
michael_mic failure.


#syz test: https://github.com/google/kmsan.git master




With regards,
Pavel Skripkin

View attachment "ph" of type "text/plain" (569 bytes)

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ