lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <67aff996.050a0220.21dd3.0062.GAE@google.com>
Date: Fri, 14 Feb 2025 18:19:02 -0800
From: syzbot <syzbot+e1dc29a4daf3f8051130@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [netfs?] KASAN: slab-use-after-free Write in io_submit_one

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in netfs_read_collection

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 103 Comm: kworker/u32:5 Not tainted 6.14.0-rc2-syzkaller-g78a632a2086c-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound netfs_read_collection_worker
RIP: 0010:netfs_rreq_assess_dio fs/netfs/read_collect.c:374 [inline]
RIP: 0010:netfs_read_collection+0x3045/0x3ce0 fs/netfs/read_collect.c:440
Code: 0f 85 16 0b 00 00 4d 03 a6 88 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 65 08 49 8b 6e 58 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 de 0a 00 00 4c 8b 65 10 4d 85 e4 74 7d e8 e3 55
RSP: 0018:ffffc9000171fb10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88804a5f6dd8 RCX: ffffffff82668821
RDX: 0000000000000002 RSI: ffffffff826680c3 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 00000000ff010000
R13: ffff88804a5f7008 R14: ffff88804a5f6d80 R15: ffff88804a5f6f98
FS:  0000000000000000(0000) GS:ffff88806a700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3185ffff CR3: 000000002a4a6000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 netfs_read_collection_worker+0x285/0x350 fs/netfs/read_collect.c:466
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_rreq_assess_dio fs/netfs/read_collect.c:374 [inline]
RIP: 0010:netfs_read_collection+0x3045/0x3ce0 fs/netfs/read_collect.c:440
Code: 0f 85 16 0b 00 00 4d 03 a6 88 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 65 08 49 8b 6e 58 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 de 0a 00 00 4c 8b 65 10 4d 85 e4 74 7d e8 e3 55
RSP: 0018:ffffc9000171fb10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88804a5f6dd8 RCX: ffffffff82668821
RDX: 0000000000000002 RSI: ffffffff826680c3 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 00000000ff010000
R13: ffff88804a5f7008 R14: ffff88804a5f6d80 R15: ffff88804a5f6f98
FS:  0000000000000000(0000) GS:ffff88806a700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3185ffff CR3: 000000002a4a6000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0f 85 16 0b 00 00    	jne    0xb1c
   6:	4d 03 a6 88 02 00 00 	add    0x288(%r14),%r12
   d:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  14:	fc ff df
  17:	4c 89 65 08          	mov    %r12,0x8(%rbp)
  1b:	49 8b 6e 58          	mov    0x58(%r14),%rbp
  1f:	48 8d 7d 10          	lea    0x10(%rbp),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 de 0a 00 00    	jne    0xb12
  34:	4c 8b 65 10          	mov    0x10(%rbp),%r12
  38:	4d 85 e4             	test   %r12,%r12
  3b:	74 7d                	je     0xba
  3d:	e8                   	.byte 0xe8
  3e:	e3 55                	jrcxz  0x95


Tested on:

commit:         78a632a2 Merge tag 'pci-v6.14-fixes-3' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109b19a4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c09dc55ba7f798e3
dashboard link: https://syzkaller.appspot.com/bug?extid=e1dc29a4daf3f8051130
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17df8bf8580000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ