[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <B83C9F6F-569B-4DCB-9FFE-45D9B1E32B21@kernel.org>
Date: Sat, 11 Feb 2023 08:36:50 -0800
From: Kees Cook <kees@...nel.org>
To: syzbot <syzbot+cdd9922704fc75e03ffc@...kaller.appspotmail.com>,
akpm@...ux-foundation.org, keescook@...omium.org,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, syzkaller-bugs@...glegroups.com,
io-uring@...r.kernel.org
Subject: Re: [syzbot] BUG: bad usercopy in io_openat2_prep
On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@...kaller.appspotmail.com> wrote:
>Hello,
>
>syzbot found the following issue on:
>
>HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
>
>Downloadable assets:
>disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: syzbot+cdd9922704fc75e03ffc@...kaller.appspotmail.com
>
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
-Kees
> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194
--
Kees Cook
Powered by blists - more mailing lists