| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d1285714-a6ad-688a-1adf-6a41771aa301@gmail.com>
Date: Thu, 14 Sep 2023 16:03:49 +0100
From: Pavel Begunkov <asml.silence@...il.com>
To: syzbot <syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com>,
axboe@...nel.dk, io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] UBSAN: array-index-out-of-bounds in
io_setup_async_msg
On 9/14/23 15:06, Pavel Begunkov wrote:
> On 9/13/23 14:10, Pavel Begunkov wrote:
>> On 9/13/23 13:11, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: 0bb80ecc33a8 Linux 6.6-rc1
>>> git tree: upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=12d1eb78680000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a4c6e5ef999b68b26ed1
>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16613002680000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13912e30680000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz
>>>
>>> The issue was bisected to:
>>>
>>> commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
>>> Author: Pavel Begunkov <asml.silence@...il.com>
>>> Date: Thu Aug 24 22:53:32 2023 +0000
>>>
>>> io_uring: add option to remove SQ indirection
>>>
>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15892e30680000
>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=17892e30680000
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13892e30680000
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+a4c6e5ef999b68b26ed1@...kaller.appspotmail.com
>>> Fixes: 2af89abda7d9 ("io_uring: add option to remove SQ indirection")
>>>
>>> ================================================================================
>>> UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
>>> index 3779567444058 is out of range for type 'iovec [8]'
>>> CPU: 1 PID: 5039 Comm: syz-executor396 Not tainted 6.6.0-rc1-syzkaller #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
>>> Call Trace:
>>> <TASK>
>>> __dump_stack lib/dump_stack.c:88 [inline]
>>> dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
>>> ubsan_epilogue lib/ubsan.c:217 [inline]
>>> __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
>>> io_setup_async_msg+0x2a0/0x2b0 io_uring/net.c:189
>>
>> Which is
>>
>> /* if were using fast_iov, set it to the new one */
>> if (iter_is_iovec(&kmsg->msg.msg_iter) && !kmsg->free_iov) {
>> size_t fast_idx = iter_iov(&kmsg->msg.msg_iter) - kmsg->fast_iov;
>> async_msg->msg.msg_iter.__iov = &async_msg->fast_iov[fast_idx];
>> }
>>
>> The bisection doesn't immediately make sense, I'll try
>> it out
>
> #syz test: https://github.com/isilence/linux.git netmsg-init-base
>
> First just test upstream because I'm curious about reproducibility
#syz test: https://github.com/isilence/linux.git syz-test/netmsg-init-base
--
Pavel Begunkov
Powered by blists - more mailing lists