Message-ID: <CADCV8srK13xwa82Sr9vNWH6ZKTKuPFw0FLcc7Zy9p78TMaxKbA@mail.gmail.com>
Date: Mon, 30 Dec 2024 14:28:05 +0800
From: Liebes Wang <wanghaichi0403@...il.com>
To: herbert@...dor.apana.org.au, davem@...emloft.net, 
	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: KASAN: use-after-free Read in poly1305_core_blocks

Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in
poly1305_core_blocks**, discovered using a modified version of Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is
also reproduced in the latest kernel version)
The test case and kernel config are attached.

The KASAN report is (The full report is attached):

BUG: KASAN: use-after-free in get_unaligned_le64
include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks
lib/crypto/poly1305-donna64.c:64 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480
lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784

CPU: 0 UID: 0 PID: 33784 Comm: syz.0.5831 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xcb/0x620 mm/kasan/report.c:488
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 get_unaligned_le64 include/linux/unaligned.h:28 [inline]
 poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
 poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
 crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
 bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
 bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
 btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
 bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
 bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
 read_btree_roots fs/bcachefs/recovery.c:523 [inline]
 bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
 bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Feel free to reach out if additional information or clarifications are
needed. We hope this report aids in identifying and fixing the bug.

Best regards,

Haichi Wang

Tianjin University


Download attachment "report" of type "application/octet-stream" (7197 bytes)

Download attachment "repro.c" of type "application/octet-stream" (341236 bytes)

Download attachment "config" of type "application/octet-stream" (148405 bytes)
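As an added triage aid, not part of the report above nor of the kernel's own tooling, a small Python parser for the KASAN report format shown in this mail: it pulls out the bug kind, the innermost faulting site, the access details and the syscall entry, drops KASAN's own reporting frames, and collapses the remaining call trace into the ordered subsystems it crosses, which makes visible that the read happens in lib/crypto while the buffer being checksummed is handed in from fs/bcachefs during mount. The sample input is a constructed, trimmed copy of the report above; the noise-frame prefixes and the two-component subsystem mapping are assumptions of this example.

```python
import re
# Constructed sample: a trimmed copy of the KASAN report quoted in the mail above.
SAMPLE = """\
BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
Call Trace:
 <TASK>
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 get_unaligned_le64 include/linux/unaligned.h:28 [inline]
 poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
 crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
 bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
"""
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\S* (?P<loc>\S+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (?P<loc>[\w./-]+:\d+))?")
NOISE = ("__dump_stack", "dump_stack", "print_", "kasan_")  # assumed: KASAN's own reporting frames

def subsystem(loc: str) -> str:
    """'fs/bcachefs/checksum.c:238' -> 'fs/bcachefs' (first two directory components, assumed mapping)."""
    return "/".join(loc.split(":")[0].split("/")[:-1][:2])

def parse_kasan(text: str) -> dict:
    """Extract bug kind, innermost faulting site, access details, syscall and cleaned trace."""
    info, in_trace = {"frames": [], "syscall": None}, False
    for line in text.splitlines():
        if (m := BUG_RE.match(line)) and "kind" not in info:  # first BUG line = innermost site
            info.update(kind=m["kind"], func=m["func"], loc=m["loc"])
        elif m := ACCESS_RE.match(line):
            info.update(op=m["op"], size=int(m["size"]), addr=m["addr"], task=m["task"])
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["func"].startswith(NOISE):
            info["frames"].append((m["func"], m["loc"] or ""))
            if sc := re.fullmatch(r"__x64_sys_(\w+)", m["func"]):
                info["syscall"] = sc[1]  # the user-reachable entry point
    return info

def subsystem_path(info: dict) -> list:
    """Collapse frames to (subsystem, first function seen there), innermost first."""
    path = []
    for func, loc in info["frames"]:
        sub = subsystem(loc) if loc else "entry"
        if not path or path[-1][0] != sub:
            path.append((sub, func))
    return path
```

The resulting path (include/linux, lib/crypto, crypto, fs/bcachefs, fs, entry) points the owner hunt at the bcachefs btree-node read that passes the buffer into bch2_checksum, not at the poly1305 code that merely reads it.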
