lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 14 Sep 2023 15:06:30 +0100
From:   Pavel Begunkov <asml.silence@...il.com>
To:     syzbot <syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com>,
        axboe@...nel.dk, io-uring@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] UBSAN: array-index-out-of-bounds in
 io_setup_async_msg

On 9/13/23 14:10, Pavel Begunkov wrote:
> On 9/13/23 13:11, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    0bb80ecc33a8 Linux 6.6-rc1
>> git tree:       upstream
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=12d1eb78680000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
>> dashboard link: https://syzkaller.appspot.com/bug?extid=a4c6e5ef999b68b26ed1
>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16613002680000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13912e30680000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz
>>
>> The issue was bisected to:
>>
>> commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
>> Author: Pavel Begunkov <asml.silence@...il.com>
>> Date:   Thu Aug 24 22:53:32 2023 +0000
>>
>>      io_uring: add option to remove SQ indirection
>>
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15892e30680000
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=17892e30680000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13892e30680000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com
>> Fixes: 2af89abda7d9 ("io_uring: add option to remove SQ indirection")
>>
>> ================================================================================
>> UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
>> index 3779567444058 is out of range for type 'iovec [8]'
>> CPU: 1 PID: 5039 Comm: syz-executor396 Not tainted 6.6.0-rc1-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
>> Call Trace:
>>   <TASK>
>>   __dump_stack lib/dump_stack.c:88 [inline]
>>   dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
>>   ubsan_epilogue lib/ubsan.c:217 [inline]
>>   __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
>>   io_setup_async_msg+0x2a0/0x2b0 io_uring/net.c:189
> 
> Which is
> 
> /* if were using fast_iov, set it to the new one */
> if (iter_is_iovec(&kmsg->msg.msg_iter) && !kmsg->free_iov) {
>      size_t fast_idx = iter_iov(&kmsg->msg.msg_iter) - kmsg->fast_iov;
>      async_msg->msg.msg_iter.__iov = &async_msg->fast_iov[fast_idx];
> }
> 
> The bisection doesn't immediately make sense, I'll try
> it out

#syz test: https://github.com/isilence/linux.git netmsg-init-base

First just test upstream because I'm curious about reproducibility


-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ