| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <eba841a8-d61a-b404-9e92-d310a0f805f6@redhat.com>
Date: Thu, 17 Nov 2022 18:52:28 -0500
From: Waiman Long <longman@...hat.com>
To: Sanan Hasanov <sanan.hasanov@...ghts.ucf.edu>,
"peterz@...radead.org" <peterz@...radead.org>,
"mingo@...hat.com" <mingo@...hat.com>,
"will@...nel.org" <will@...nel.org>,
"boqun.feng@...il.com" <boqun.feng@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"glider@...gle.com" <glider@...gle.com>,
"elver@...gle.com" <elver@...gle.com>,
"arnd@...db.de" <arnd@...db.de>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"juri.lelli@...hat.com" <juri.lelli@...hat.com>,
"vincent.guittot@...aro.org" <vincent.guittot@...aro.org>,
"dietmar.eggemann@....com" <dietmar.eggemann@....com>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"bsegall@...gle.com" <bsegall@...gle.com>,
"mgorman@...e.de" <mgorman@...e.de>,
"bristot@...hat.com" <bristot@...hat.com>,
"vschneid@...hat.com" <vschneid@...hat.com>
Cc: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
Paul Gazzillo <Paul.Gazzillo@....edu>
Subject: Re: Syzkaller found a bug: KASAN: null-ptr-deref Write in
prepare_to_wait
On 11/17/22 17:17, Sanan Hasanov wrote:
> Good day, dear maintainers,
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel branch: linux-next 5.11.0+ (HEAD detached at 8310b77b48c5)
>
> config file and c reproducer are attached.
>
> Thank you!
>
> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline]
> BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
> BUG: KASAN: null-ptr-deref in do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline]
> BUG: KASAN: null-ptr-deref in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
> BUG: KASAN: null-ptr-deref in _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159
> Write of size 4 at addr 0000000000000010 by task syz-executor.3/1879
>
> CPU: 1 PID: 1879 Comm: syz-executor.3 Not tainted 5.11.0+ #4
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:79 [inline]
> dump_stack+0xb0/0xf3 lib/dump_stack.c:120
> __kasan_report mm/kasan/report.c:400 [inline]
> kasan_report.cold+0x10c/0x10e mm/kasan/report.c:413
> check_memory_region_inline mm/kasan/generic.c:179 [inline]
> check_memory_region+0x17c/0x1e0 mm/kasan/generic.c:185
> instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline]
> queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
> do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline]
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
> _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159
> prepare_to_wait+0x79/0x3c0 kernel/sched/wait.c:259
> io_uring_cancel_files fs/io_uring.c:9014 [inline]
> io_uring_cancel_task_requests+0x986/0xfa0 fs/io_uring.c:9054
> io_uring_flush+0x311/0x470 fs/io_uring.c:9236
> filp_close+0xad/0x150 fs/open.c:1286
> close_files fs/file.c:403 [inline]
> put_files_struct fs/file.c:418 [inline]
> put_files_struct+0x193/0x280 fs/file.c:415
> exit_files+0xa4/0xd0 fs/file.c:435
> do_exit+0xa35/0x27d0 kernel/exit.c:820
> do_group_exit+0xee/0x310 kernel/exit.c:922
> get_signal+0x3b5/0x1a60 kernel/signal.c:2773
> arch_do_signal_or_restart+0x2eb/0x18e0 arch/x86/kernel/signal.c:811
> handle_signal_work kernel/entry/common.c:147 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
> exit_to_user_mode_prepare+0xba/0x130 kernel/entry/common.c:208
> __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
> syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:301
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f06219f6dcd
> Code: Unable to access opcode bytes at RIP 0x7f06219f6da3.
> RSP: 002b:00007f0620b66c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 00007f0621b23f80 RCX: 00007f06219f6dcd
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0621b23f88
> RBP: 00007f0621b23f88 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0621b23f8c
> R13: 00007ffcf7101edf R14: 00007ffcf7102080 R15: 00007f0620b66d80
> ==================================================================
> BUG: kernel NULL pointer dereference, address: 0000000000000010
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 0 P4D 0
> Oops: 0002 [#1] SMP KASAN NOPTI
According to this kernel splat, the spinlock address is at 0x10.
253 void
254 prepare_to_wait(struct wait_queue_head *wq_head, struct
wait_queue_entry *wq_entry, int state)
255 {
256 unsigned long flags;
257
258 wq_entry->flags &= ~WQ_FLAG_EXCLUSIVE;
259 spin_lock_irqsave(&wq_head->lock, flags);
260 if (list_empty(&wq_entry->entry))
261 __add_wait_queue(wq_head, wq_entry);
262 set_current_state(state);
263 spin_unlock_irqrestore(&wq_head->lock, flags);
264 }
265 EXPORT_SYMBOL(prepare_to_wait);
The first element of wait_queue_head structure is a spinlock. That means
wq_head has a value of 0x10 too. Since it is called by
io_uring_cancel_files(), I think the bug is in the io_uring code as it
passed the wrong value to prepare_to_wait(). I didn't try to go further
as I am not that familiar with the io_uring code.
Cheers,
Longman
Powered by blists - more mailing lists