Date:   Fri, 28 Apr 2023 19:37:50 +0800
From:   yang lan <lanyang0908@...il.com>
To:     reiserfs-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: We found BUG: unable to handle kernel paging request in lookup_one_len

Hi,

We used our modified Syzkaller to fuzz the Linux kernel and found a bug
in the reiserfs file system.

This bug can be reproduced on the Linux kernel version 5.10.50.

commit 43b0742ef44c30f202afbf8355e9326710af9ca1

I compiled the kernel with the .config provided. Booting the kernel,
then compiling and running the binary in the guest, leads to a crash.

root@...kaller:~# uname -a
Linux syzkaller 5.10.50 #1 SMP PREEMPT Fri Apr 28 16:36:15 CST 2023 x86_64 GNU/Linux
root@...kaller:~# gcc poc_lookup.c -o poc_lookup
[   72.792156][ T7592] as (7592) used greatest stack depth: 22240 bytes left
root@...kaller:~# ./poc_lookup
[   78.742588][ T7595] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[   78.745674][ T7595] REISERFS (device loop0): using ordered data mode
[   78.746115][ T7595] reiserfs: using flush barriers
[   78.747016][ T7595] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   78.749039][ T7595] REISERFS (device loop0): checking transaction log (loop0)
[   78.791572][ T7595] init_special_inode: bogus i_mode (174534) for inode loop0:2
[   78.792229][ T7595] REISERFS (device loop0): Using rupasov hash to sort names
[   78.792891][ T7595] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   78.793421][ T7595] #PF: supervisor instruction fetch in kernel mode
[   78.793843][ T7595] #PF: error_code(0x0010) - not-present page
[   78.794235][ T7595] PGD 16db9067 P4D 16db9067 PUD fcee067 PMD 0
[   78.794646][ T7595] Oops: 0010 [#1] PREEMPT SMP KASAN
[   78.794990][ T7595] CPU: 0 PID: 7595 Comm: poc_lookup Not tainted 5.10.50 #1
[   78.795460][ T7595] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   78.796058][ T7595] RIP: 0010:0x0
[   78.796289][ T7595] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   78.796789][ T7595] RSP: 0018:ffff8880426ff7f8 EFLAGS: 00010246
[   78.797203][ T7595] RAX: dffffc0000000000 RBX: ffff888048b0a178 RCX: ffffffff81bbdde8
[   78.797717][ T7595] RDX: 0000000000000000 RSI: ffff888048b0a178 RDI: ffff88801ade0190
[   78.798230][ T7595] RBP: 1ffff110084dff03 R08: ffff8880142ca140 R09: fffffbfff1c1a7c2
[   78.798741][ T7595] R10: ffffffff8e0d3e0f R11: fffffbfff1c1a7c1 R12: ffff88801ade0190
[   78.799252][ T7595] R13: ffffffff88fc15c0 R14: ffff8880426ff838 R15: dffffc0000000000
[   78.799766][ T7595] FS:  00007fc04269c440(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
[   78.800339][ T7595] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.800763][ T7595] CR2: ffffffffffffffd6 CR3: 0000000016d7b000 CR4: 0000000000350ef0
[   78.801279][ T7595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   78.801792][ T7595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   78.802303][ T7595] Call Trace:
[   78.802523][ T7595]  __lookup_slow+0x267/0x490
[   78.802824][ T7595]  ? vfs_unlink+0x610/0x610
[   78.803122][ T7595]  ? d_lookup+0xd4/0x130
[   78.803400][ T7595]  lookup_one_len+0x163/0x190
[   78.803704][ T7595]  ? __lookup_slow+0x490/0x490
[   78.804018][ T7595]  ? down_write_killable_nested+0x170/0x170
[   78.804407][ T7595]  reiserfs_lookup_privroot+0x92/0x290
[   78.804768][ T7595]  reiserfs_fill_super+0x1f22/0x2d80
[   78.805115][ T7595]  ? finish_unfinished+0x1190/0x1190
[   78.805467][ T7595]  ? vsnprintf+0x1bd/0x15c0
[   78.805763][ T7595]  ? pointer+0x790/0x790
[   78.806041][ T7595]  ? down_write_killable_nested+0x170/0x170
[   78.806427][ T7595]  ? wait_for_completion+0x250/0x250
[   78.806775][ T7595]  ? finish_unfinished+0x1190/0x1190
[   78.807120][ T7595]  mount_bdev+0x320/0x400
[   78.807407][ T7595]  ? reiserfs_kill_sb+0x1e0/0x1e0
[   78.807739][ T7595]  legacy_get_tree+0x103/0x210
[   78.808052][ T7595]  vfs_get_tree+0x86/0x2f0
[   78.808343][ T7595]  path_mount+0x6d3/0x1c90
[   78.808636][ T7595]  ? strncpy_from_user+0x2e4/0x460
[   78.808971][ T7595]  ? finish_automount+0x8a0/0x8a0
[   78.809309][ T7595]  ? getname_flags+0x268/0x5a0
[   78.809623][ T7595]  do_mount+0xf1/0x110
[   78.809892][ T7595]  ? path_mount+0x1c90/0x1c90
[   78.810202][ T7595]  ? copy_mount_options+0xed/0x180
[   78.810541][ T7595]  ? __get_user_nocheck_8+0x10/0x13
[   78.810884][ T7595]  __x64_sys_mount+0x1d5/0x220
[   78.811202][ T7595]  do_syscall_64+0x2d/0x70
[   78.811495][ T7595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   78.811883][ T7595] RIP: 0033:0x7fc0421c848a
[   78.812175][ T7595] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8 64 89 01 48
[   78.813472][ T7595] RSP: 002b:00007ffcc92e4558 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   78.814034][ T7595] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc0421c848a
[   78.814545][ T7595] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc92e4690
[   78.815054][ T7595] RBP: 00007ffcc92e4710 R08: 00007ffcc92e4590 R09: 00007ffcc92e46d4
[   78.815566][ T7595] R10: 0000000000000000 R11: 0000000000000202 R12: 00005579d7800ad0
[   78.816075][ T7595] R13: 00007ffcc92e4820 R14: 0000000000000000 R15: 0000000000000000
[   78.816591][ T7595] Modules linked in:
[   78.816850][ T7595] CR2: 0000000000000000
[   78.817131][ T7595] ---[ end trace 1163668d158b38e5 ]---
[   78.817482][ T7595] RIP: 0010:0x0
[   78.817709][ T7595] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   78.818205][ T7595] RSP: 0018:ffff8880426ff7f8 EFLAGS: 00010246
[   78.818598][ T7595] RAX: dffffc0000000000 RBX: ffff888048b0a178 RCX: ffffffff81bbdde8
[   78.819112][ T7595] RDX: 0000000000000000 RSI: ffff888048b0a178 RDI: ffff88801ade0190
[   78.819623][ T7595] RBP: 1ffff110084dff03 R08: ffff8880142ca140 R09: fffffbfff1c1a7c2
[   78.820136][ T7595] R10: ffffffff8e0d3e0f R11: fffffbfff1c1a7c1 R12: ffff88801ade0190
[   78.820649][ T7595] R13: ffffffff88fc15c0 R14: ffff8880426ff838 R15: dffffc0000000000
[   78.821168][ T7595] FS:  00007fc04269c440(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
[   78.821746][ T7595] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.822174][ T7595] CR2: ffffffffffffffd6 CR3: 0000000016d7b000 CR4: 0000000000350ef0
[   78.822692][ T7595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   78.823208][ T7595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   78.823724][ T7595] Kernel panic - not syncing: Fatal exception
[   78.824426][ T7595] Kernel Offset: disabled
[   78.824732][ T7595] Rebooting in 86400 seconds..

Download attachment "kernel_config" of type "application/octet-stream" (225235 bytes)

Download attachment "log" of type "application/octet-stream" (6404 bytes)

Download attachment "poc_lookup.c" of type "application/octet-stream" (42432 bytes)

Download attachment "poc_syz" of type "application/octet-stream" (18667 bytes)
