lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: 
 <PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com>
Date: Thu, 28 Dec 2023 02:33:24 +0000
From: "Yang, Chenyuan" <cy54@...inois.edu>
To: "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "jani.nikula@...el.com" <jani.nikula@...el.com>,
        "hverkuil-cisco@...all.nl" <hverkuil-cisco@...all.nl>,
        "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        "mchehab@...nel.org" <mchehab@...nel.org>,
        "Zhao, Zijie"
	<zijie4@...inois.edu>,
        "Zhang, Lingming" <lingming@...inois.edu>
Subject: [Linux Kernel Bugs] KASAN: slab-use-after-free Read in
 cec_queue_msg_fh and 4 other crashes in the cec device (`cec_ioctl`)

Hello,

We encountered 5 different crashes in the cec device by using our generated syscall specification for it, here are the descriptions of these 5 crashes and the related files are attached:

1. KASAN: slab-use-after-free Read in cec_queue_msg_fh (Reproducible)
2. WARNING: ODEBUG bug in cec_transmit_msg_fh
3. WARNING in cec_data_cancel
4. INFO: task hung in cec_claim_log_addrs (Reproducible)
5. general protection fault in cec_transmit_done_ts

For “KASAN: slab-use-after-free Read in cec_queue_msg_fh”, we attached a syzkaller program to reproduce it. This crash is caused by ` list_add_tail(&entry->list, &fh->msgs);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L224), which reads a variable freed by `kfree(fh);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-api.c#L684). The reproducible program is a Syzkaller program, which can be executed following this document: https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md.

For “WARNING: ODEBUG bug in cec_transmit_msg_fh”, unfortunately we failed to reproduce it but we indeed trigger this crash almost every time when we fuzz the cec device only. We attached the report and log for this bug. It tries freeing an active object by using `kfree(data);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L930).

For “WARNING in cec_data_cancel”, it is an internal warning used in cec_data_cancel (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L365), which checks whether the transmit is the current or pending. Unfortunately, we also don't have the reproducible program for this bug, but we attach the report and log.

For “INFO: task hung in cec_claim_log_addrs”, the kernel hangs when the cec device ` wait_for_completion(&adap->config_completion);` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L1579). We have a reproducible C program for this.

For “general protection fault in cec_transmit_done_ts”, the cec device tries derefencing a non-canonical address 0xdffffc00000000e0: 0000 [#1], which is related to the invocation ` cec_transmit_attempt_done_ts ` (https://elixir.bootlin.com/linux/v6.7-rc7/source/drivers/media/cec/core/cec-adap.c#L697). It seems that the address of cec_adapter is totally wrong. We do not have a reproducible program for this bug, but the log and report for it are attached.

If you have any questions or require more information, please feel free to contact us.

Best,
Chenyuan

Content of type "text/html" skipped

Download attachment "general-protection-fault_cec_transmit_done_ts-machineInfo" of type "application/octet-stream" (3684 bytes)

Download attachment "general-protection-fault_cec_transmit_done_ts.log" of type "application/octet-stream" (1058864 bytes)

Download attachment "general-protection-fault_cec_transmit_done_ts.report" of type "application/octet-stream" (3401 bytes)

Download attachment "INFO-cec_claim_log_addrs-repro.cprog" of type "application/octet-stream" (22787 bytes)

Download attachment "INFO-cec_claim_log_addrs-repro.log" of type "application/octet-stream" (1066547 bytes)

Download attachment "INFO-cec_claim_log_addrs-repro.prog" of type "application/octet-stream" (2130 bytes)

Download attachment "INFO-cec_claim_log_addrs-repro.report" of type "application/octet-stream" (6544 bytes)

Download attachment "KASAN-UAF-cec_queue_msg_fh.log" of type "application/octet-stream" (69890 bytes)

Download attachment "KASAN-UAF-cec_queue_msg_fh.prog" of type "application/octet-stream" (3054 bytes)

Download attachment "KASAN-UAF-cec_queue_msg_fh.report" of type "application/octet-stream" (9211 bytes)

Download attachment "WARNING_cec_data_cancel-machineInfo" of type "application/octet-stream" (3677 bytes)

Download attachment "WARNING_cec_data_cancel.log" of type "application/octet-stream" (1061637 bytes)

Download attachment "WARNING_cec_data_cancel.report" of type "application/octet-stream" (2341 bytes)

Download attachment "WARNING_ODEBUG_cec_transmit_msg_fh-machineInfo" of type "application/octet-stream" (3678 bytes)

Download attachment "WARNING_ODEBUG_cec_transmit_msg_fh.log" of type "application/octet-stream" (1062549 bytes)

Download attachment "WARNING_ODEBUG_cec_transmit_msg_fh.report" of type "application/octet-stream" (2754 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ