| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 May 2024 14:14:03 +0800 From: Sam Sun <samsun1006219@...il.com> To: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Cc: viro@...iv.linux.org.uk, brauner@...nel.org, jack@...e.cz, syzkaller-bugs@...glegroups.com, xrivendell7@...il.com Subject: [Linux kernel bug] KASAN: user-memory-access Read in __fput Dear developers and maintainers, We encountered a slab-out-of-bounds bug while using our modified syzkaller. It was tested against the latest upstream kernel (6.9-rc7). The kernel was compiled by clang 14.0.0, and kernel config and C repro are attached to this email. Kernel crash log is listed below. ================================================================== BUG: KASAN: user-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: user-memory-access in atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline] BUG: KASAN: user-memory-access in fsnotify_sb_has_watchers include/linux/fsnotify.h:23 [inline] BUG: KASAN: user-memory-access in fsnotify_parent include/linux/fsnotify.h:68 [inline] BUG: KASAN: user-memory-access in fsnotify_file include/linux/fsnotify.h:106 [inline] BUG: KASAN: user-memory-access in fsnotify_close include/linux/fsnotify.h:387 [inline] BUG: KASAN: user-memory-access in __fput+0x1fe/0x890 fs/file_table.c:408 Read of size 8 at addr 0000000200000779 by task sshd/8113 CPU: 0 PID: 8113 Comm: sshd Not tainted 6.9.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 print_report+0xe3/0x1e0 mm/kasan/report.c:491 kasan_report+0xce/0x100 mm/kasan/report.c:601 kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline] fsnotify_sb_has_watchers include/linux/fsnotify.h:23 [inline] fsnotify_parent include/linux/fsnotify.h:68 [inline] fsnotify_file include/linux/fsnotify.h:106 [inline] fsnotify_close include/linux/fsnotify.h:387 [inline] __fput+0x1fe/0x890 fs/file_table.c:408 task_work_run+0x23b/0x300 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa2e/0x26a0 kernel/exit.c:878 do_group_exit+0x201/0x2b0 kernel/exit.c:1027 get_signal+0x1691/0x1720 kernel/signal.c:2911 arch_do_signal_or_restart+0x87/0x820 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] irqentry_exit_to_user_mode+0x71/0x260 kernel/entry/common.c:231 exc_page_fault+0xa0/0x120 arch/x86/mm/fault.c:1566 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x200000001 Code: Unable to access opcode bytes at 0x1ffffffd7. RSP: 002b:00007ffea1d39618 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00007ffea1d397bf RCX: 0000000000000005 RDX: 0000000000000000 RSI: 0000556fe56fa900 RDI: 00007ffea1d396b0 RBP: 0000556fe56ffb90 R08: 0000000000000000 R09: 0000000000000100 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffea1d39630 R13: 00007ffea1d396b0 R14: 0000000000000004 R15: 0000556fdfd6ca80 </TASK> ================================================================== If you have any questions, please contact us. Reported by Yue Sun <samsun1006219@...il.com> Reported by xingwei lee <xrivendell7@...il.com> Best Regards, Yue Download attachment "config" of type "application/octet-stream" (247919 bytes) View attachment "fput.c" of type "text/x-csrc" (37673 bytes)
Powered by blists - more mailing lists