| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALGdzuoq_UGZqRGavkoLrtnZAfEYTAb57Pj2H=MYLfXh6-gqqw@mail.gmail.com>
Date: Sat, 28 Sep 2024 11:34:49 -0500
From: Chenyuan Yang <chenyuan0y@...il.com>
To: mchehab@...nel.org, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: "cc: Zijie Zhao" <zzjas98@...il.com>, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] general protection fault in dvb_vb2_expbuf
Dear Linux Developers for DVB,
We encountered "general protection fault in dvb_vb2_expbuf" when testing the
DVB driver with Syzkaller and our generated specifications.
It seems that this issue can also cause:
- KASAN: slab-out-of-bounds Read in dvb_vb2_expbuf
- KASAN: slab-use-after-free Read in dvb_vb2_expbuf
- KASAN: use-after-free Read in dvb_vb2_expbuf
Linux version: Linux 6.11-rc7 (da3ea35007d0af457a0afc87e84fddaebc4e0b63)
Configuration is attached (with `CONFIG_DVB_MMAP=y`)
Syz and C reproducers are as below:
```
Syzkaller hit 'general protection fault in dvb_vb2_expbuf' bug.
Oops: general protection fault, probably for non-canonical address
0xdffffc00000003ff: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: probably user-memory-access in range
[0x0000000000001ff8-0x0000000000001fff]
CPU: 1 UID: 0 PID: 8089 Comm: syz-executor424 Not tainted
6.11.0-rc7-gda3ea35007d0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:dvb_vb2_expbuf+0xb7/0x2e0 drivers/media/dvb-core/dvb_vb2.c:371
Code: d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 c3 01 00 00 8b 03
4d 8d 24 c4 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 0f 85 f1 01 00 00 48 89 ea 49 8b 0c 24 48 b8 00 00 00
RSP: 0018:ffffc9000c33fd10 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffffc9000c33fdd8 RCX: ffffffff8742caec
RDX: 00000000000003ff RSI: ffffffff8745d28b RDI: ffff88801c6fc758
RBP: ffff88801c6fc618 R08: 0000000000000000 R09: 0000000000000df3
R10: 00000000c00c6f3e R11: 0000000000000000 R12: 0000000000001ff8
R13: 00000000c00c6f3e R14: 0000000000000000 R15: 0000000000000000
FS: 0000555573b063c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000050 CR3: 000000002802a000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
dvb_dvr_do_ioctl+0xe9/0x3a0 drivers/media/dvb-core/dmxdev.c:1309
dvb_usercopy+0x168/0x320 drivers/media/dvb-core/dvbdev.c:993
dvb_dvr_ioctl+0x2c/0x40 drivers/media/dvb-core/dmxdev.c:1333
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff1a9066a8d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7651c8c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc7651cac8 RCX: 00007ff1a9066a8d
RDX: 00000000200000c0 RSI: 00000000c00c6f3e RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffc7651cac8
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc7651cab8 R14: 00007ff1a90e4530 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dvb_vb2_expbuf+0xb7/0x2e0 drivers/media/dvb-core/dvb_vb2.c:371
Code: d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 c3 01 00 00 8b 03
4d 8d 24 c4 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 0f 85 f1 01 00 00 48 89 ea 49 8b 0c 24 48 b8 00 00 00
RSP: 0018:ffffc9000c33fd10 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffffc9000c33fdd8 RCX: ffffffff8742caec
RDX: 00000000000003ff RSI: ffffffff8745d28b RDI: ffff88801c6fc758
RBP: ffff88801c6fc618 R08: 0000000000000000 R09: 0000000000000df3
R10: 00000000c00c6f3e R11: 0000000000000000 R12: 0000000000001ff8
R13: 00000000c00c6f3e R14: 0000000000000000 R15: 0000000000000000
FS: 0000555573b063c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efcdb405240 CR3: 000000002802a000 CR4: 0000000000750ef0
PKRU: 55555554
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 83 e0 07 and $0x7,%eax
3: 83 c0 03 add $0x3,%eax
6: 38 d0 cmp %dl,%al
8: 7c 08 jl 0x12
a: 84 d2 test %dl,%dl
c: 0f 85 c3 01 00 00 jne 0x1d5
12: 8b 03 mov (%rbx),%eax
14: 4d 8d 24 c4 lea (%r12,%rax,8),%r12
18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1f: fc ff df
22: 4c 89 e2 mov %r12,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 0f 85 f1 01 00 00 jne 0x224
33: 48 89 ea mov %rbp,%rdx
36: 49 8b 0c 24 mov (%r12),%rcx
3a: 48 rex.W
3b: b8 .byte 0xb8
3c: 00 00 add %al,(%rax)
Syzkaller reproducer:
# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}}
r0 = syz_open_dev$KGPT_dvb_dvr(&(0x7f0000000040), 0x0, 0x82d83)
ioctl$KGPT_DMX_EXPBUF(r0, 0xc00c6f3e, &(0x7f00000000c0)={0x3ff, 0xdf3, 0x3})
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
(uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
const char* reason;
(void)reason;
intptr_t res = 0;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
memcpy((void*)0x20000040, "/dev/dvb/adapter#/dvr#\000", 23);
res = -1;
res = syz_open_dev(
/*dev=*/0x20000040, /*id=*/0,
/*flags=O_NONBLOCK|O_NOCTTY|O_EXCL|O_CLOEXEC|FASYNC|0x403*/ 0x82d83);
if (res != -1)
r[0] = res;
*(uint32_t*)0x200000c0 = 0x3ff;
*(uint32_t*)0x200000c4 = 0xdf3;
*(uint32_t*)0x200000c8 = 3;
syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc00c6f3e, /*arg=*/0x200000c0ul);
return 0;
}
```
If you have any questions or require more information, please feel
free to contact us.
Reported-by: Chenyuan Yang <chenyuan0y@...il.com>
Best,
Chenyuan
Download attachment "kernel.config" of type "application/octet-stream" (246243 bytes)
Powered by blists - more mailing lists