Message-ID: <BN9PR11MB52761AA391479A55533BFE718C9EA@BN9PR11MB5276.namprd11.prod.outlook.com>
Date: Thu, 28 Dec 2023 07:28:32 +0000
From: "Tian, Kevin" <kevin.tian@...el.com>
To: Zhang Zhiyu <zhiyuzhang999@...il.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "iommu@...ts.linux.dev"
<iommu@...ts.linux.dev>, "jgg@...pe.ca" <jgg@...pe.ca>, "joro@...tes.org"
<joro@...tes.org>, "will@...nel.org" <will@...nel.org>,
"robin.murphy@....com" <robin.murphy@....com>
Subject: RE: A bug was found in Linux Kernel 6.6+: KASAN: slab-use-after-free
in iommufd_test (with POC)
> From: Zhang Zhiyu <zhiyuzhang999@...il.com>
> Sent: Wednesday, December 27, 2023 5:03 PM
>
> Hi upstream community,
>
> I am fuzzing an LTS version of Linux kernel 6.6 with my modified
> syzkaller and I found a bug named "KASAN: slab-use-after-free in
> iommufd_test". By analyzing the call trace in the bug report, I located
> the root cause of this bug in drivers/iommu/iommufd. An iommufd_object
> is allocated in one task through
> iommufd_fops_ioctl->iommufd_ioas_alloc_ioctl->iommufd_ioas_alloc and
> freed in another task through iommufd_fops_ioctl->iommufd_destroy.
> Then, when the kernel invokes the calls
> iommufd_fops_ioctl->iommufd_test->iommufd_test_add_reserved->iommufd_put_object,
> a use-after-free read will occur. The detailed report, log, repro, and
> config can be found in this Google Drive link:
> https://drive.usercontent.google.com/download?id=1nDJWUstYJNcC1zJ6q1rhB5zB0uV2yGvg&export=download&authuser=0&confirm=t
>
> The steps to reproduce the bug:
> 1. compile the kernel 6.6 with provided Linux-6.6.config
> 2. boot a qemu vm that runs the compiled kernel
> 3. scp the repro.c (repro.prog is not recommended) to the vm and
> compile it with gcc -pthread repro.c -o repro
> 4. execute ./repro; you will see the output get stuck for a while, and
> then KASAN is triggered and the kernel panics.
> 5. you can speed up the crash by opening another ssh shell and
> executing ./repro again.
>
> I have reproduced it on 6.6 and 6.6.1 (but haven't verified on the
> latest ver 6.6.8 yet). I didn't find any related reports on the
> internet, which indicates that it may be a 0day. Hope the upstream can
> help check and fix it. And I'll be happy to assist if needed.
>
Could you try the fix below? Or just use the latest kernel, which already includes it:
https://lore.kernel.org/all/2-v2-ca9e00171c5b+123-iommufd_syz4_jgg@nvidia.com/