| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Sep 2023 23:02:23 +0000
From: Sanan Hasanov <Sanan.Hasanov@....edu>
To: "willy@...radead.org" <willy@...radead.org>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
"contact@...zz.com" <contact@...zz.com>
Subject: KASAN: null-ptr-deref Read in filemap_fault
Good day, dear maintainers,
We found a bug using a modified kernel configuration file used by syzbot.
We enhanced the coverage of the configuration file using our tool, klocalizer.
Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1QmELMwhyVxAejCYF8VHxvAsExK6GtR8F/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Qfns0v9ZZO6kge192F5wUzyFRcM0lHYU/view?usp=sharing
Thank you!
Best regards,
Sanan Hasanov
BUG: KASAN: null-ptr-deref in filemap_fault+0x538/0x2500
Read of size 4 at addr 0000000000000028 by task syz-executor.2/5967
CPU: 5 PID: 5967 Comm: syz-executor.2 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x178/0x260
kasan_report+0xc0/0xf0
kasan_check_range+0x144/0x190
filemap_fault+0x538/0x2500
__do_fault+0x103/0x3d0
do_fault+0x68a/0x11c0
__handle_mm_fault+0x106f/0x2660
handle_mm_fault+0x1ab/0xa90
do_user_addr_fault+0x583/0x12e0
exc_page_fault+0xb6/0x1d0
asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
</TASK>
==================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 5 PID: 5967 Comm: syz-executor.2 Tainted: G B 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS: 0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
Call Trace:
<TASK>
__do_fault+0x103/0x3d0
do_fault+0x68a/0x11c0
__handle_mm_fault+0x106f/0x2660
handle_mm_fault+0x1ab/0xa90
do_user_addr_fault+0x583/0x12e0
exc_page_fault+0xb6/0x1d0
asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS: 0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: e8 8a be d3 ff call 0xffd3be91
7: 49 8d 5c 24 34 lea 0x34(%r12),%rbx
c: be 04 00 00 00 mov $0x4,%esi
11: 48 89 df mov %rbx,%rdi
14: e8 98 08 23 00 call 0x2308b1
19: 48 89 da mov %rbx,%rdx
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: 7b .byte 0x7b
Powered by blists - more mailing lists