Date: Thu, 28 Dec 2023 02:33:24 +0000
From: "Yang, Chenyuan" <cy54@...inois.edu>
To: "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "jani.nikula@...el.com" <jani.nikula@...el.com>,
        "hverkuil-cisco@...all.nl" <hverkuil-cisco@...all.nl>,
        "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        "mchehab@...nel.org" <mchehab@...nel.org>,
        "Zhao, Zijie" <zijie4@...inois.edu>,
        "Zhang, Lingming" <lingming@...inois.edu>
Subject: [Linux Kernel Bugs] KASAN: slab-use-after-free Read in cec_queue_msg_fh and 4 other crashes in the cec device (`cec_ioctl`)

Hello,

We encountered 5 different crashes in the cec device by using our generated syscall specification for it. Here are the descriptions of these 5 crashes; the related files are attached:

1. KASAN: slab-use-after-free Read in cec_queue_msg_fh (Reproducible)
2. WARNING: ODEBUG bug in cec_transmit_msg_fh
3. WARNING in cec_data_cancel
4. INFO: task hung in cec_claim_log_addrs (Reproducible)
5. general protection fault in cec_transmit_done_ts

For “KASAN: slab-use-after-free Read in cec_queue_msg_fh”, we attached a syzkaller program to reproduce it. This crash is caused by `list_add_tail(&entry->list, &fh->msgs);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L224), which reads a variable freed by `kfree(fh);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-api.c#L684). The reproducer is a Syzkaller program, which can be executed by following this document: https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md.

For “WARNING: ODEBUG bug in cec_transmit_msg_fh”, unfortunately we failed to reproduce it, but we do trigger this crash almost every time when we fuzz only the cec device. We attached the report and log for this bug. It tries to free an active object with `kfree(data);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L930).

For “WARNING in cec_data_cancel”, it is an internal warning used in cec_data_cancel (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L365), which checks whether the transmit is the current or a pending one. Unfortunately, we also don't have a reproducer for this bug, but we attached the report and log.

For “INFO: task hung in cec_claim_log_addrs”, the kernel hangs when the cec device calls `wait_for_completion(&adap->config_completion);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L1579). We have a reproducible C program for this.

For “general protection fault in cec_transmit_done_ts”, the cec device tries dereferencing a non-canonical address `0xdffffc00000000e0: 0000 [#1]`, which is related to the invocation of `cec_transmit_attempt_done_ts` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L697). It seems that the address of cec_adapter is totally wrong. We do not have a reproducible program for this bug, but the log and report for it are attached.

If you have any questions or require more information, please feel free to contact us.

Best,
Chenyuan

Attachments:

- general-protection-fault_cec_transmit_done_ts-machineInfo (3684 bytes)
- general-protection-fault_cec_transmit_done_ts.log (1058864 bytes)
- general-protection-fault_cec_transmit_done_ts.report (3401 bytes)
- INFO-cec_claim_log_addrs-repro.cprog (22787 bytes)
- INFO-cec_claim_log_addrs-repro.log (1066547 bytes)
- INFO-cec_claim_log_addrs-repro.prog (2130 bytes)
- INFO-cec_claim_log_addrs-repro.report (6544 bytes)
- KASAN-UAF-cec_queue_msg_fh.log (69890 bytes)
- KASAN-UAF-cec_queue_msg_fh.prog (3054 bytes)
- KASAN-UAF-cec_queue_msg_fh.report (9211 bytes)
- WARNING_cec_data_cancel-machineInfo (3677 bytes)
- WARNING_cec_data_cancel.log (1061637 bytes)
- WARNING_cec_data_cancel.report (2341 bytes)
- WARNING_ODEBUG_cec_transmit_msg_fh-machineInfo (3678 bytes)
- WARNING_ODEBUG_cec_transmit_msg_fh.log (1062549 bytes)
- WARNING_ODEBUG_cec_transmit_msg_fh.report (2754 bytes)
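The first report (a slab use-after-free read in cec_queue_msg_fh, with the fh freed by the release path) is an instance of a general lifetime bug class: an object is freed while it is still reachable from a list that another code path walks. The block below is an added illustration written for this page and is not the kernel's cec code; the struct layouts, the two release orderings and the message delivery loop are hypothetical simplifications, and a per-slot "freed" flag stands in for KASAN so that the bad access is counted rather than executed as undefined behaviour. It shows why the unlink-then-free ordering (in the kernel, under the devnode lock) is what keeps the delivery loop from reaching a dead handle.

```c
/* Added illustration, not the kernel's code: a small model of the bug
 * class behind the first report (cec_queue_msg_fh on a freed fh).
 * A filehandle that is freed while still linked in the devnode's list of
 * open handles is reached by the next message delivery. A "freed" flag
 * per pool slot stands in for KASAN so the access is counted, not
 * executed as undefined behaviour. Struct layouts are hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h; h->prev = h; }

/* Same semantics as the kernel's list_add_tail: link n just before head. */
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    init_list(n);
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct msg_entry { struct list_head list; int opcode; };
struct cec_fh { struct list_head list; struct list_head msgs; };
struct cec_devnode { struct list_head fhs; };

/* Poisoning pool: freed slots are flagged instead of being reused. */
#define NSLOTS 4
static struct cec_fh fh_pool[NSLOTS];
static int fh_freed[NSLOTS];
static int uaf_hits;            /* accesses to freed handles (KASAN stand-in) */
static struct msg_entry entries[16];
static int nentries;

static struct cec_fh *fh_alloc(int slot)
{
    fh_freed[slot] = 0;
    init_list(&fh_pool[slot].list);
    init_list(&fh_pool[slot].msgs);
    return &fh_pool[slot];
}

static void fh_free(struct cec_fh *fh) { fh_freed[fh - fh_pool] = 1; }

/* Model of cec_queue_msg_fh: append one message to a handle's queue.
 * The flag check models KASAN flagging the read of fh->msgs. */
static void cec_queue_msg_fh(struct cec_fh *fh, int opcode)
{
    struct msg_entry *e = &entries[nentries++ % 16];
    e->opcode = opcode;
    if (fh_freed[fh - fh_pool])
        uaf_hits++;
    list_add_tail(&e->list, &fh->msgs);
}

/* Deliver a message to every handle still linked in the devnode. */
static void queue_msg_all(struct cec_devnode *dn, int opcode)
{
    for (struct list_head *p = dn->fhs.next; p != &dn->fhs; p = p->next)
        cec_queue_msg_fh(container_of(p, struct cec_fh, list), opcode);
}

/* Buggy release: frees the handle while it is still linked in dn->fhs. */
static void release_buggy(struct cec_fh *fh) { fh_free(fh); }

/* Correct ordering: unlink first (in the kernel, under the devnode lock),
 * then free, so no later delivery can reach the handle. */
static void release_fixed(struct cec_fh *fh)
{
    list_del_init(&fh->list);
    fh_free(fh);
}

static int count_msgs(const struct cec_fh *fh)
{
    int n = 0;
    for (const struct list_head *p = fh->msgs.next; p != &fh->msgs; p = p->next)
        n++;
    return n;
}

static int live_msgs;   /* messages queued on the handle that stays open */

/* Open two handles, release the first one buggy or fixed, deliver one
 * message, and return the number of accesses to freed memory. */
static int run_scenario(int fixed)
{
    struct cec_devnode dn;
    struct cec_fh *a = fh_alloc(0), *b = fh_alloc(1);

    init_list(&dn.fhs);
    uaf_hits = 0;
    nentries = 0;
    list_add_tail(&a->list, &dn.fhs);
    list_add_tail(&b->list, &dn.fhs);
    if (fixed)
        release_fixed(a);
    else
        release_buggy(a);
    queue_msg_all(&dn, 0x36);       /* constructed opcode value */
    live_msgs = count_msgs(b);
    return uaf_hits;
}

int main(void)
{
    printf("buggy release: %d use-after-free access(es)\n", run_scenario(0));
    printf("fixed release: %d use-after-free access(es)\n", run_scenario(1));
    return 0;
}
```

The buggy ordering yields exactly one flagged access (the delivery loop reaches the freed handle and touches its `msgs` list, the same site the report names), while the fixed ordering yields none and the surviving handle still receives its message. In the real driver the unlink and the walk are serialized by a lock, and the remaining question for anyone triaging the attached report is which path can free the fh while a concurrent queueing is still able to reach it.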
