Message-ID: <CALGdzuoq_UGZqRGavkoLrtnZAfEYTAb57Pj2H=MYLfXh6-gqqw@mail.gmail.com>
Date: Sat, 28 Sep 2024 11:34:49 -0500
From: Chenyuan Yang <chenyuan0y@...il.com>
To: mchehab@...nel.org, linux-media@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Cc: "cc: Zijie Zhao" <zzjas98@...il.com>, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] general protection fault in dvb_vb2_expbuf

Dear Linux Developers for DVB,

We encountered "general protection fault in dvb_vb2_expbuf" when testing the
DVB driver with Syzkaller and our generated specifications.

It seems that this issue can also cause:
- KASAN: slab-out-of-bounds Read in dvb_vb2_expbuf
- KASAN: slab-use-after-free Read in dvb_vb2_expbuf
- KASAN: use-after-free Read in dvb_vb2_expbuf

Linux version: Linux 6.11-rc7 (da3ea35007d0af457a0afc87e84fddaebc4e0b63)
Configuration is attached (with `CONFIG_DVB_MMAP=y`)
Syz and C reproducers are as below:

```
Syzkaller hit 'general protection fault in dvb_vb2_expbuf' bug.

Oops: general protection fault, probably for non-canonical address
0xdffffc00000003ff: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: probably user-memory-access in range
[0x0000000000001ff8-0x0000000000001fff]
CPU: 1 UID: 0 PID: 8089 Comm: syz-executor424 Not tainted
6.11.0-rc7-gda3ea35007d0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:dvb_vb2_expbuf+0xb7/0x2e0 drivers/media/dvb-core/dvb_vb2.c:371
Code: d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 c3 01 00 00 8b 03
4d 8d 24 c4 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 0f 85 f1 01 00 00 48 89 ea 49 8b 0c 24 48 b8 00 00 00
RSP: 0018:ffffc9000c33fd10 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffffc9000c33fdd8 RCX: ffffffff8742caec
RDX: 00000000000003ff RSI: ffffffff8745d28b RDI: ffff88801c6fc758
RBP: ffff88801c6fc618 R08: 0000000000000000 R09: 0000000000000df3
R10: 00000000c00c6f3e R11: 0000000000000000 R12: 0000000000001ff8
R13: 00000000c00c6f3e R14: 0000000000000000 R15: 0000000000000000
FS:  0000555573b063c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000050 CR3: 000000002802a000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 dvb_dvr_do_ioctl+0xe9/0x3a0 drivers/media/dvb-core/dmxdev.c:1309
 dvb_usercopy+0x168/0x320 drivers/media/dvb-core/dvbdev.c:993
 dvb_dvr_ioctl+0x2c/0x40 drivers/media/dvb-core/dmxdev.c:1333
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff1a9066a8d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7651c8c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc7651cac8 RCX: 00007ff1a9066a8d
RDX: 00000000200000c0 RSI: 00000000c00c6f3e RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffc7651cac8
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc7651cab8 R14: 00007ff1a90e4530 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dvb_vb2_expbuf+0xb7/0x2e0 drivers/media/dvb-core/dvb_vb2.c:371
Code: d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 c3 01 00 00 8b 03
4d 8d 24 c4 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 0f 85 f1 01 00 00 48 89 ea 49 8b 0c 24 48 b8 00 00 00
RSP: 0018:ffffc9000c33fd10 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: ffffc9000c33fdd8 RCX: ffffffff8742caec
RDX: 00000000000003ff RSI: ffffffff8745d28b RDI: ffff88801c6fc758
RBP: ffff88801c6fc618 R08: 0000000000000000 R09: 0000000000000df3
R10: 00000000c00c6f3e R11: 0000000000000000 R12: 0000000000001ff8
R13: 00000000c00c6f3e R14: 0000000000000000 R15: 0000000000000000
FS:  0000555573b063c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efcdb405240 CR3: 000000002802a000 CR4: 0000000000750ef0
PKRU: 55555554
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: 83 e0 07             and    $0x7,%eax
   3: 83 c0 03             add    $0x3,%eax
   6: 38 d0                 cmp    %dl,%al
   8: 7c 08                 jl     0x12
   a: 84 d2                 test   %dl,%dl
   c: 0f 85 c3 01 00 00     jne    0x1d5
  12: 8b 03                 mov    (%rbx),%eax
  14: 4d 8d 24 c4           lea    (%r12,%rax,8),%r12
  18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  1f: fc ff df
  22: 4c 89 e2             mov    %r12,%rdx
  25: 48 c1 ea 03           shr    $0x3,%rdx
* 29: 80 3c 02 00           cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2d: 0f 85 f1 01 00 00     jne    0x224
  33: 48 89 ea             mov    %rbp,%rdx
  36: 49 8b 0c 24           mov    (%r12),%rcx
  3a: 48                   rex.W
  3b: b8                   .byte 0xb8
  3c: 00 00                 add    %al,(%rax)


Syzkaller reproducer:
# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}}
r0 = syz_open_dev$KGPT_dvb_dvr(&(0x7f0000000040), 0x0, 0x82d83)
ioctl$KGPT_DMX_EXPBUF(r0, 0xc00c6f3e, &(0x7f00000000c0)={0x3ff, 0xdf3, 0x3})


C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
            (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  memcpy((void*)0x20000040, "/dev/dvb/adapter#/dvr#\000", 23);
  res = -1;
  res = syz_open_dev(
      /*dev=*/0x20000040, /*id=*/0,
      /*flags=O_NONBLOCK|O_NOCTTY|O_EXCL|O_CLOEXEC|FASYNC|0x403*/ 0x82d83);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x200000c0 = 0x3ff;
  *(uint32_t*)0x200000c4 = 0xdf3;
  *(uint32_t*)0x200000c8 = 3;
  syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc00c6f3e, /*arg=*/0x200000c0ul);
  return 0;
}
```

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@...il.com>

Best,
Chenyuan

Download attachment "kernel.config" of type "application/octet-stream" (246243 bytes)
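The reproducer above opens the dvr device and immediately issues the export-buffer ioctl with index 0x3ff, without any buffers having been set up, and KASAN reports the resulting out-of-bounds read inside dvb_vb2_expbuf. The following is an added, self-contained C illustration of the defensive pattern that prevents this class of bug: validate a user-supplied index against the number of entries actually populated (and reject the call outright when nothing has been set up) before the index touches a fixed-size table. It is not the kernel's dvb_vb2 code nor its fix; every `demo_` name, `DEMO_MAX_BUFS`, `DEMO_FLAG_CLOEXEC`, and the assumption that the reproducer's three 32-bit words are index, flags and fd are hypothetical, and the table contents are constructed.

```c
/* Added example, not kernel code: bounds-check a user-supplied buffer index
 * before it selects an entry in a fixed-size buffer table. All demo_ names,
 * DEMO_MAX_BUFS and DEMO_FLAG_CLOEXEC are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_BUFS     32   /* capacity of the table (hypothetical) */
#define DEMO_FLAG_CLOEXEC 0x1  /* the only flag this demo accepts (hypothetical) */

struct demo_buf {
    int export_fd;             /* stands in for whatever a real entry holds */
};

struct demo_ctx {
    uint32_t buf_cnt;          /* entries actually populated; 0 until setup runs */
    struct demo_buf bufs[DEMO_MAX_BUFS];
};

/* Three 32-bit words, matching the size of the reproducer's ioctl argument;
 * the index/flags/fd meaning is an assumption of this demo. */
struct demo_exportbuffer {
    uint32_t index;
    uint32_t flags;
    int32_t  fd;               /* written back on success */
};

/* Populate n entries with constructed values; returns the count populated. */
int demo_setup(struct demo_ctx *ctx, uint32_t n)
{
    memset(ctx, 0, sizeof(*ctx));
    if (n > DEMO_MAX_BUFS)
        n = DEMO_MAX_BUFS;
    for (uint32_t i = 0; i < n; i++)
        ctx->bufs[i].export_fd = 100 + (int)i;
    ctx->buf_cnt = n;
    return (int)n;
}

/* Checked export: every reject path runs before the table is indexed.
 * Returns 0 and fills req->fd, or a negative errno value. */
int demo_export(const struct demo_ctx *ctx, struct demo_exportbuffer *req)
{
    if (ctx->buf_cnt == 0)                          /* no setup step happened */
        return -EINVAL;
    if (req->index >= ctx->buf_cnt)                 /* index past populated entries */
        return -EINVAL;
    if (req->flags & ~(uint32_t)DEMO_FLAG_CLOEXEC)  /* unknown flag bits */
        return -EINVAL;
    req->fd = ctx->bufs[req->index].export_fd;
    return 0;
}

int main(void)
{
    struct demo_ctx ctx;
    /* index, flags and fd words taken from the reproducer's ioctl argument */
    struct demo_exportbuffer req = { 0x3ff, 0xdf3, 3 };

    demo_setup(&ctx, 0);
    printf("no buffers, index 0x3ff -> %d\n", demo_export(&ctx, &req));

    demo_setup(&ctx, 4);
    printf("4 buffers, index 0x3ff -> %d\n", demo_export(&ctx, &req));

    req.index = 2;
    req.flags = 0;
    int rc = demo_export(&ctx, &req);
    printf("4 buffers, index 2 -> rc=%d fd=%d\n", rc, req.fd);
    return 0;
}
```

The order of the checks matters: the "nothing populated" test comes first because a table whose count is zero makes any index invalid, and the flag mask is checked before the table is read so that a request carrying unexpected bits never reaches the dereference.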