Message-ID: <CAEkJfYOUcA1z15Y+HSAO=2oK=On43gmuthYQKU3520FPp4BbQQ@mail.gmail.com>
Date: Tue, 30 Apr 2024 09:34:33 +0800
From: Sam Sun <samsun1006219@...il.com>
To: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org
Cc: syzkaller-bugs@...glegroups.com, xrivendell7@...il.com
Subject: [Linux kernel bug] UBSAN: shift-out-of-bounds in idr_get_free

Dear developers and maintainers,

We found a shift-out-of-bounds bug in lib/radix-tree.c. It is tested
against upstream Linux (tag 6.9-rc5). A C repro and the kernel config are
attached to this email. The UBSAN report is listed below.
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in lib/radix-tree.c:88:31
shift exponent 72 is too large for 64-bit type 'unsigned long'
CPU: 1 PID: 950 Comm: kworker/u10:3 Not tainted 6.9.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
 radix_tree_descend lib/radix-tree.c:88 [inline]
 idr_get_free+0x6a5/0xae0 lib/radix-tree.c:1518
 idr_alloc_u32 lib/idr.c:46 [inline]
 idr_alloc_cyclic+0x1d0/0x5b0 lib/idr.c:125
 alloc_pid+0x33c/0xcc0 kernel/pid.c:240
 copy_process+0x1c9a/0x3d70 kernel/fork.c:2406
 kernel_clone+0x228/0x6b0 kernel/fork.c:2797
 user_mode_thread+0x131/0x190 kernel/fork.c:2875
 call_usermodehelper_exec_work+0x5b/0x220 kernel/umh.c:172
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3335
 worker_thread+0x85c/0xd50 kernel/workqueue.c:3416
 kthread+0x2ed/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@...il.com>
Reported by xingwei lee <xrivendell7@...il.com>

Best Regards,
Yue

Download attachment "config" of type "application/octet-stream" (247888 bytes)

View attachment "idr_get_free.c" of type "text/x-csrc" (38455 bytes)
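
The UBSAN line in the report flags a right shift by 72 on a 64-bit value, which C leaves undefined. As an added example (not code from the report, the attached repro or lib/radix-tree.c), this user-space model computes a per-level slot offset from an index and refuses any exponent that is not smaller than the type width; the 6-bit slot width, the function names and the sample index are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAP_SHIFT  6u                              /* assumed: 64 slots per node */
#define MAP_MASK   ((UINT64_C(1) << MAP_SHIFT) - 1)
#define INDEX_BITS (sizeof(uint64_t) * CHAR_BIT)   /* 64, as in the report */

/* A shift is only defined when the exponent is smaller than the type width. */
static bool shift_in_range(unsigned int shift)
{
    return shift < INDEX_BITS;
}

/*
 * Slot offset selected by `index` at a tree level that skips `shift` low bits.
 * Returns false without shifting when the exponent is out of range, so the
 * caller can treat the level value as invalid instead of executing UB.
 */
static bool slot_offset(uint64_t index, unsigned int shift, unsigned int *offset)
{
    if (!shift_in_range(shift))
        return false;
    *offset = (unsigned int)((index >> shift) & MAP_MASK);
    return true;
}

int main(void)
{
    /* Constructed sample: valid level shifts, then 66 and the reported 72. */
    const unsigned int shifts[] = { 0, 6, 12, 60, 66, 72 };
    const uint64_t index = UINT64_C(0x12345);

    for (size_t i = 0; i < sizeof(shifts) / sizeof(shifts[0]); i++) {
        unsigned int off;

        if (slot_offset(index, shifts[i], &off))
            printf("shift %2u -> slot %u\n", shifts[i], off);
        else
            printf("shift %2u -> rejected (>= %zu bits)\n",
                   shifts[i], INDEX_BITS);
    }
    return 0;
}
```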
