| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Feb 2023 08:08:52 -0800
From: syzbot <syzbot+cdd9922704fc75e03ffc@...kaller.appspotmail.com>
To: akpm@...ux-foundation.org, keescook@...omium.org,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] BUG: bad usercopy in io_openat2_prep
Hello,
syzbot found the following issue on:
HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdd9922704fc75e03ffc@...kaller.appspotmail.com
usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4411 Comm: syz-executor101 Not tainted 6.2.0-rc6-syzkaller-17549-gca72d58361ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94
lr : usercopy_abort+0x90/0x94
sp : ffff80000fb8bb90
x29: ffff80000fb8bba0 x28: 000000000000001c x27: ffff0000c76d1a00
x26: 00000000200000c0 x25: ffff80000cf42000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc0003250440 x21: ffff0000c9411618
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000002bee
x17: 63656a626f204255 x16: ffff0000c76d23f8 x15: ffff80000dbc2118
x14: ffff0000c76d1a00 x13: 00000000ffffffff x12: ffff0000c76d1a00
x11: ff808000081bbb4c x10: 0000000000000000 x9 : 295e44a4d7b9f900
x8 : 295e44a4d7b9f900 x7 : ffff80000bf60b80 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbef08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
usercopy_abort+0x90/0x94
__check_heap_object+0xa8/0x100
__check_object_size+0x208/0x6b8
io_openat2_prep+0xcc/0x2b8
io_submit_sqes+0x338/0xbb8
__arm64_sys_io_uring_enter+0x168/0x1308
invoke_syscall+0x64/0x178
el0_svc_common+0xbc/0x180
do_el0_svc+0x48/0x110
el0_svc+0x58/0x14c
el0t_64_sync_handler+0x84/0xf0
el0t_64_sync+0x190/0x194
Code: 9133a800 aa0903e1 f90003e8 94e6c80f (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists