lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d1285714-a6ad-688a-1adf-6a41771aa301@gmail.com>
Date:   Thu, 14 Sep 2023 16:03:49 +0100
From:   Pavel Begunkov <asml.silence@...il.com>
To:     syzbot <syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com>,
        axboe@...nel.dk, io-uring@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] UBSAN: array-index-out-of-bounds in
 io_setup_async_msg

On 9/14/23 15:06, Pavel Begunkov wrote:
> On 9/13/23 14:10, Pavel Begunkov wrote:
>> On 9/13/23 13:11, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    0bb80ecc33a8 Linux 6.6-rc1
>>> git tree:       upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=12d1eb78680000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a4c6e5ef999b68b26ed1
>>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16613002680000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13912e30680000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz
>>>
>>> The issue was bisected to:
>>>
>>> commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
>>> Author: Pavel Begunkov <asml.silence@...il.com>
>>> Date:   Thu Aug 24 22:53:32 2023 +0000
>>>
>>>      io_uring: add option to remove SQ indirection
>>>
>>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15892e30680000
>>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=17892e30680000
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13892e30680000
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com
>>> Fixes: 2af89abda7d9 ("io_uring: add option to remove SQ indirection")
>>>
>>> ================================================================================
>>> UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
>>> index 3779567444058 is out of range for type 'iovec [8]'
>>> CPU: 1 PID: 5039 Comm: syz-executor396 Not tainted 6.6.0-rc1-syzkaller #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
>>> Call Trace:
>>>   <TASK>
>>>   __dump_stack lib/dump_stack.c:88 [inline]
>>>   dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
>>>   ubsan_epilogue lib/ubsan.c:217 [inline]
>>>   __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
>>>   io_setup_async_msg+0x2a0/0x2b0 io_uring/net.c:189
>>
>> Which is
>>
>> /* if were using fast_iov, set it to the new one */
>> if (iter_is_iovec(&kmsg->msg.msg_iter) && !kmsg->free_iov) {
>>      size_t fast_idx = iter_iov(&kmsg->msg.msg_iter) - kmsg->fast_iov;
>>      async_msg->msg.msg_iter.__iov = &async_msg->fast_iov[fast_idx];
>> }
>>
>> The bisection doesn't immediately make sense, I'll try
>> it out
> 
> #syz test: https://github.com/isilence/linux.git netmsg-init-base
> 
> First just test upstream because I'm curious about reproducibility

#syz test: https://github.com/isilence/linux.git  syz-test/netmsg-init-base

-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ