lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 17 Nov 2022 18:52:28 -0500
From:   Waiman Long <longman@...hat.com>
To:     Sanan Hasanov <sanan.hasanov@...ghts.ucf.edu>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "will@...nel.org" <will@...nel.org>,
        "boqun.feng@...il.com" <boqun.feng@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "glider@...gle.com" <glider@...gle.com>,
        "elver@...gle.com" <elver@...gle.com>,
        "arnd@...db.de" <arnd@...db.de>,
        "linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
        "juri.lelli@...hat.com" <juri.lelli@...hat.com>,
        "vincent.guittot@...aro.org" <vincent.guittot@...aro.org>,
        "dietmar.eggemann@....com" <dietmar.eggemann@....com>,
        "rostedt@...dmis.org" <rostedt@...dmis.org>,
        "bsegall@...gle.com" <bsegall@...gle.com>,
        "mgorman@...e.de" <mgorman@...e.de>,
        "bristot@...hat.com" <bristot@...hat.com>,
        "vschneid@...hat.com" <vschneid@...hat.com>
Cc:     "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        Paul Gazzillo <Paul.Gazzillo@....edu>
Subject: Re: Syzkaller found a bug: KASAN: null-ptr-deref Write in
 prepare_to_wait

On 11/17/22 17:17, Sanan Hasanov wrote:
> Good day, dear maintainers,
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel branch: linux-next 5.11.0+ (HEAD detached at 8310b77b48c5)
>
> config file and c reproducer are attached.
>
> Thank you!
>
> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline]
> BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
> BUG: KASAN: null-ptr-deref in do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline]
> BUG: KASAN: null-ptr-deref in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
> BUG: KASAN: null-ptr-deref in _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159
> Write of size 4 at addr 0000000000000010 by task syz-executor.3/1879
>
> CPU: 1 PID: 1879 Comm: syz-executor.3 Not tainted 5.11.0+ #4
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>   __dump_stack lib/dump_stack.c:79 [inline]
>   dump_stack+0xb0/0xf3 lib/dump_stack.c:120
>   __kasan_report mm/kasan/report.c:400 [inline]
>   kasan_report.cold+0x10c/0x10e mm/kasan/report.c:413
>   check_memory_region_inline mm/kasan/generic.c:179 [inline]
>   check_memory_region+0x17c/0x1e0 mm/kasan/generic.c:185
>   instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>   atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline]
>   queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
>   do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline]
>   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
>   _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159
>   prepare_to_wait+0x79/0x3c0 kernel/sched/wait.c:259
>   io_uring_cancel_files fs/io_uring.c:9014 [inline]
>   io_uring_cancel_task_requests+0x986/0xfa0 fs/io_uring.c:9054
>   io_uring_flush+0x311/0x470 fs/io_uring.c:9236
>   filp_close+0xad/0x150 fs/open.c:1286
>   close_files fs/file.c:403 [inline]
>   put_files_struct fs/file.c:418 [inline]
>   put_files_struct+0x193/0x280 fs/file.c:415
>   exit_files+0xa4/0xd0 fs/file.c:435
>   do_exit+0xa35/0x27d0 kernel/exit.c:820
>   do_group_exit+0xee/0x310 kernel/exit.c:922
>   get_signal+0x3b5/0x1a60 kernel/signal.c:2773
>   arch_do_signal_or_restart+0x2eb/0x18e0 arch/x86/kernel/signal.c:811
>   handle_signal_work kernel/entry/common.c:147 [inline]
>   exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
>   exit_to_user_mode_prepare+0xba/0x130 kernel/entry/common.c:208
>   __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
>   syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f06219f6dcd
> Code: Unable to access opcode bytes at RIP 0x7f06219f6da3.
> RSP: 002b:00007f0620b66c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 00007f0621b23f80 RCX: 00007f06219f6dcd
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0621b23f88
> RBP: 00007f0621b23f88 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0621b23f8c
> R13: 00007ffcf7101edf R14: 00007ffcf7102080 R15: 00007f0620b66d80
> ==================================================================
> BUG: kernel NULL pointer dereference, address: 0000000000000010
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 0 P4D 0
> Oops: 0002 [#1] SMP KASAN NOPTI

According to this kernel splat, the spinlock address is at 0x10.

253 void
254 prepare_to_wait(struct wait_queue_head *wq_head, struct 
wait_queue_entry *wq_entry, int state)
255 {
256         unsigned long flags;
257
258         wq_entry->flags &= ~WQ_FLAG_EXCLUSIVE;
259         spin_lock_irqsave(&wq_head->lock, flags);
260         if (list_empty(&wq_entry->entry))
261                 __add_wait_queue(wq_head, wq_entry);
262         set_current_state(state);
263         spin_unlock_irqrestore(&wq_head->lock, flags);
264 }
265 EXPORT_SYMBOL(prepare_to_wait);

The first element of wait_queue_head structure is a spinlock. That means 
wq_head has a value of 0x10 too. Since it is called by 
io_uring_cancel_files(), I think the bug is in the io_uring code as it 
passed the wrong value to prepare_to_wait(). I didn't try to go further 
as I am not that familiar with the io_uring code.

Cheers,
Longman

Powered by blists - more mailing lists