lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e8d6c6ba-e9f0-45ac-219e-c1427424d31a@gmail.com>
Date:   Wed, 13 Sep 2023 14:10:01 +0100
From:   Pavel Begunkov <asml.silence@...il.com>
To:     syzbot <syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com>,
        axboe@...nel.dk, io-uring@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] UBSAN: array-index-out-of-bounds in
 io_setup_async_msg

On 9/13/23 13:11, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    0bb80ecc33a8 Linux 6.6-rc1
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=12d1eb78680000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
> dashboard link: https://syzkaller.appspot.com/bug?extid=a4c6e5ef999b68b26ed1
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16613002680000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13912e30680000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz
> 
> The issue was bisected to:
> 
> commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
> Author: Pavel Begunkov <asml.silence@...il.com>
> Date:   Thu Aug 24 22:53:32 2023 +0000
> 
>      io_uring: add option to remove SQ indirection
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15892e30680000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=17892e30680000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13892e30680000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com
> Fixes: 2af89abda7d9 ("io_uring: add option to remove SQ indirection")
> 
> ================================================================================
> UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
> index 3779567444058 is out of range for type 'iovec [8]'
> CPU: 1 PID: 5039 Comm: syz-executor396 Not tainted 6.6.0-rc1-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
> Call Trace:
>   <TASK>
>   __dump_stack lib/dump_stack.c:88 [inline]
>   dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
>   ubsan_epilogue lib/ubsan.c:217 [inline]
>   __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
>   io_setup_async_msg+0x2a0/0x2b0 io_uring/net.c:189

Which is

/* if were using fast_iov, set it to the new one */
if (iter_is_iovec(&kmsg->msg.msg_iter) && !kmsg->free_iov) {
	size_t fast_idx = iter_iov(&kmsg->msg.msg_iter) - kmsg->fast_iov;
	async_msg->msg.msg_iter.__iov = &async_msg->fast_iov[fast_idx];
}

The bisection doesn't immediately make sense, I'll try
it out

-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ