lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAEkJfYNFSoacPcDwsUAaCPDEEXB2-FUT14y+VFtJvX+NCu3KLQ@mail.gmail.com>
Date: Tue, 7 May 2024 14:14:03 +0800
From: Sam Sun <samsun1006219@...il.com>
To: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Cc: viro@...iv.linux.org.uk, brauner@...nel.org, jack@...e.cz, 
	syzkaller-bugs@...glegroups.com, xrivendell7@...il.com
Subject: [Linux kernel bug] KASAN: user-memory-access Read in __fput

Dear developers and maintainers,

We encountered a slab-out-of-bounds bug while using our modified
syzkaller. It was tested against the latest upstream kernel (6.9-rc7).
The kernel was compiled by clang 14.0.0, and kernel config and C repro
are attached to this email. Kernel crash log is listed below.

==================================================================
BUG: KASAN: user-memory-access in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: user-memory-access in atomic_long_read
include/linux/atomic/atomic-instrumented.h:3188 [inline]
BUG: KASAN: user-memory-access in fsnotify_sb_has_watchers
include/linux/fsnotify.h:23 [inline]
BUG: KASAN: user-memory-access in fsnotify_parent
include/linux/fsnotify.h:68 [inline]
BUG: KASAN: user-memory-access in fsnotify_file
include/linux/fsnotify.h:106 [inline]
BUG: KASAN: user-memory-access in fsnotify_close
include/linux/fsnotify.h:387 [inline]
BUG: KASAN: user-memory-access in __fput+0x1fe/0x890 fs/file_table.c:408
Read of size 8 at addr 0000000200000779 by task sshd/8113

CPU: 0 PID: 8113 Comm: sshd Not tainted 6.9.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
 print_report+0xe3/0x1e0 mm/kasan/report.c:491
 kasan_report+0xce/0x100 mm/kasan/report.c:601
 kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
 fsnotify_sb_has_watchers include/linux/fsnotify.h:23 [inline]
 fsnotify_parent include/linux/fsnotify.h:68 [inline]
 fsnotify_file include/linux/fsnotify.h:106 [inline]
 fsnotify_close include/linux/fsnotify.h:387 [inline]
 __fput+0x1fe/0x890 fs/file_table.c:408
 task_work_run+0x23b/0x300 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa2e/0x26a0 kernel/exit.c:878
 do_group_exit+0x201/0x2b0 kernel/exit.c:1027
 get_signal+0x1691/0x1720 kernel/signal.c:2911
 arch_do_signal_or_restart+0x87/0x820 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 irqentry_exit_to_user_mode+0x71/0x260 kernel/entry/common.c:231
 exc_page_fault+0xa0/0x120 arch/x86/mm/fault.c:1566
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x200000001
Code: Unable to access opcode bytes at 0x1ffffffd7.
RSP: 002b:00007ffea1d39618 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007ffea1d397bf RCX: 0000000000000005
RDX: 0000000000000000 RSI: 0000556fe56fa900 RDI: 00007ffea1d396b0
RBP: 0000556fe56ffb90 R08: 0000000000000000 R09: 0000000000000100
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffea1d39630
R13: 00007ffea1d396b0 R14: 0000000000000004 R15: 0000556fdfd6ca80
 </TASK>
==================================================================
If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@...il.com>
Reported by xingwei lee <xrivendell7@...il.com>

Best Regards,
Yue

Download attachment "config" of type "application/octet-stream" (247919 bytes)

View attachment "fput.c" of type "text/x-csrc" (37673 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ