Message-ID: <2116767.1675441821@warthog.procyon.org.uk>
Date:   Fri, 03 Feb 2023 16:30:21 +0000
From:   David Howells <dhowells@...hat.com>
To:     John Hubbard <jhubbard@...dia.com>
Cc:     dhowells@...hat.com, David Hildenbrand <david@...hat.com>,
        syzbot <syzbot+a440341a59e3b7142895@...kaller.appspotmail.com>,
        hch@....de, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] general protection fault in skb_dequeue (3)

David Howells <dhowells@...hat.com> wrote:

> I think I have managed to isolate the bug to the read side of sendfile() or
> the pipe in the middle by the following:
> 
> In iter_file_splice_write(), I allocate a permanent page:
> ...
> and then stick it into the BVEC iter to be handed over to vfs_iter_write()
> instead of buf->page:
> 
> -			array[n].bv_page = buf->page;
> +			array[n].bv_page = splice_tmp;
> +			trace_page_ref_set(splice_tmp, 887);
>  			array[n].bv_len = this_len;
>  			array[n].bv_offset = buf->offset;
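Review bot: in this hunk bv_page is swapped for splice_tmp while bv_offset still carries buf->offset, so what vfs_iter_write() receives is whatever sits at that offset in the scratch page rather than the pipe buffer's data; that is exactly what an isolation experiment wants, but the change is debug-only and the hunk should be marked as such so it is not carried into a real submission. The bare literal 887 passed to trace_page_ref_set() is an opaque marker; a named constant or a one-line comment saying which trace site it identifies would make the trace output readable when correlating it with the oops.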
> 
> that prevents vfs_iter_write() from ever seeing the pages from the pipe - but
> the crash still happens even with this change.

With the DIO output isolation in iov_iter_extract_pipe_pages(), this change
can be removed without causing oopses to happen.

David
