lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANp29Y7RA00bKOinkjSDBchbkx3RDvWXGs4hr0PrPKyqSEC-_g@mail.gmail.com>
Date: Wed, 13 Nov 2024 11:46:00 +0100
From: Aleksandr Nogikh <nogikh@...gle.com>
To: Alan Stern <stern@...land.harvard.edu>
Cc: syzbot <syzbot+e8e879922808870c3437@...kaller.appspotmail.com>, 
	gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org, 
	linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com, 
	syzkaller <syzkaller@...glegroups.com>
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Read in ld_usb_release

Hi Alan,

On Mon, Nov 11, 2024 at 4:45 PM Alan Stern <stern@...land.harvard.edu> wrote:
>
> On Mon, Nov 11, 2024 at 01:49:31AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1650d6a7980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=b77c8a55ccf1d9e2
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e8e879922808870c3437
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
>
> Question for the syzbot people:
>
> If I have a patch which I think will cause the issue to become
> reproducible, is there any way to ask syzbot to apply the same test that
> failed here to a kernel including my patch?

No, that's unfortunately not supported.

In this particular case, it's at least evident from `Comm: ` which
exact program was being executed when the kernel crashed:

[  178.539707][ T8305] BUG: KASAN: slab-use-after-free in
do_raw_spin_lock+0x271/0x2c0
[  178.542477][ T8305] Read of size 4 at addr ffff888022387c0c by task
syz.3.600/8305
[  178.546823][ T8305]
[  178.548202][ T8305] CPU: 3 UID: 0 PID: 8305 Comm: syz.3.600 Not
tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0

syz.3.600 means procid=3 and id=600, so it's the program that comes
after the following line in
https://syzkaller.appspot.com/x/log.txt?x=1650d6a7980000:

551.627007ms ago: executing program 3 (id=600):
<...>

You may try to treat that program as a normal syz reproducer and run
it against your patched kernel locally, that should be quite
straightforward to do (just several commands). See e.g. the
instructions here:
https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md#run-a-syz-reproducer-directly

-- 
Aleksandr

>
> Alan Stern
>
> --

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ