lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BL0PR11MB31060BABA61005C5C8CBE092E1EEA@BL0PR11MB3106.namprd11.prod.outlook.com>
Date:   Tue, 12 Sep 2023 23:02:23 +0000
From:   Sanan Hasanov <Sanan.Hasanov@....edu>
To:     "willy@...radead.org" <willy@...radead.org>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        "contact@...zz.com" <contact@...zz.com>
Subject: KASAN: null-ptr-deref Read in filemap_fault

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1QmELMwhyVxAejCYF8VHxvAsExK6GtR8F/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Qfns0v9ZZO6kge192F5wUzyFRcM0lHYU/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

BUG: KASAN: null-ptr-deref in filemap_fault+0x538/0x2500
Read of size 4 at addr 0000000000000028 by task syz-executor.2/5967

CPU: 5 PID: 5967 Comm: syz-executor.2 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x178/0x260
 kasan_report+0xc0/0xf0
 kasan_check_range+0x144/0x190
 filemap_fault+0x538/0x2500
 __do_fault+0x103/0x3d0
 do_fault+0x68a/0x11c0
 __handle_mm_fault+0x106f/0x2660
 handle_mm_fault+0x1ab/0xa90
 do_user_addr_fault+0x583/0x12e0
 exc_page_fault+0xb6/0x1d0
 asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297

RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
 </TASK>
==================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 5 PID: 5967 Comm: syz-executor.2 Tainted: G    B              6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS:  0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 __do_fault+0x103/0x3d0
 do_fault+0x68a/0x11c0
 __handle_mm_fault+0x106f/0x2660
 handle_mm_fault+0x1ab/0xa90
 do_user_addr_fault+0x583/0x12e0
 exc_page_fault+0xb6/0x1d0
 asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS:  0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   e8 8a be d3 ff          call   0xffd3be91
   7:   49 8d 5c 24 34          lea    0x34(%r12),%rbx
   c:   be 04 00 00 00          mov    $0x4,%esi
  11:   48 89 df                mov    %rbx,%rdi
  14:   e8 98 08 23 00          call   0x2308b1
  19:   48 89 da                mov    %rbx,%rdx
  1c:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  23:   fc ff df
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:   48 89 d8                mov    %rbx,%rax
  31:   83 e0 07                and    $0x7,%eax
  34:   83 c0 03                add    $0x3,%eax
  37:   38 d0                   cmp    %dl,%al
  39:   7c 08                   jl     0x43
  3b:   84 d2                   test   %dl,%dl
  3d:   0f                      .byte 0xf
  3e:   85                      .byte 0x85
  3f:   7b                      .byte 0x7b

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ