Message-Id: <BB5BB1E2-2146-4F79-8EE9-0DCFA5F0D381@m.fudan.edu.cn>
Date: Fri, 28 Feb 2025 13:37:08 +0800
From: Kun Hu <huk23@...udan.edu.cn>
To: Kent Overstreet <kent.overstreet@...ux.dev>
Cc: linux-bcachefs@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com,
"jjtan24@...udan.edu.cn" <jjtan24@...udan.edu.cn>,
baishuoran@...eu.edu.cn
Subject: [Bug] missing bounds check for k->u64s=0 in validate_bset_keys:999
Hi Kent,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (82nd) was triggered.
HEAD commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/output_on_6.14rc4
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/config_6.14rc4.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0225_6.14rc2/82-KASAN_%20slab-out-of-bounds%20Read%20in%20mapping_try_invalidate/repro.syz
The file images in the repro are randomly constructed by syzkaller. According to the report, this issue points to line 999 in the validate_bset_keys function. Based on multiple reproductions of the issue, the problem appears to occur when parsing corrupted btree nodes (where k->u64s might be 0). The memmove_u64s_down operation attempts to shift subsequent data forward, but the calculation of vstruct_end(i) might be out of bounds when handling such invalid nodes. This could lead to heap memory corruption, potentially causing subsequently allocated memory to contain invalid pointers.
Our knowledge of the kernel is somewhat limited, and we'd appreciate it if you could determine if there is such an issue. If this issue doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
==================================================================
kernel BUG at arch/x86/mm/physaddr.c:28!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 57 Comm: kworker/3:1H Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: bcachefs_btree_read_complete btree_node_read_work
RIP: 0010:__phys_addr+0xdc/0x150
Code: ff 48 d3 eb 48 89 de e8 22 76 4f 00 48 85 db 75 13 e8 d8 73 4f 00 4c 89 e0 5b 5d 41 5c 41 5d e9 e5 c0 a5 ff e8 c5 73 4f 00 90 <0f> 0b e8 bd 73 4f 00 48 c7 c0 10 a0 fa 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc9000071efe8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffffffff816a7fa2
RDX: 000077800000000e RSI: ffff8880412ac900 RDI: 0000000000000002
RBP: 000000008000000e R08: 0000000000000000 R09: fffffbfff2de6d9f
R10: fffffbfff2de6d9e R11: 0000000000000001 R12: 000077800000000e
R13: 0000000000000000 R14: ffffc9000071f048 R15: ffff888075c2a140
FS: 0000000000000000(0000) GS:ffff88807ef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f955b82c15d CR3: 000000006f1e0000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
qlist_free_all+0x68/0x130
kasan_quarantine_reduce+0x168/0x1c0
__kasan_slab_alloc+0x67/0x90
__kmalloc_node_track_caller_noprof+0x1c5/0x5f0
krealloc_noprof+0x2a7/0x390
bch2_printbuf_make_room+0x1be/0x2e0
bch2_prt_printf+0x18b/0x4d0
__btree_err+0x16c/0x950
validate_bset_keys+0xd79/0x18d0
bch2_btree_node_read_done+0x2223/0x5340
btree_node_read_work+0xa7e/0x1cc0
process_scheduled_works+0x5c0/0x1aa0
worker_thread+0x59f/0xcf0
kthread+0x42a/0x880
ret_from_fork+0x48/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__phys_addr+0xdc/0x150
Code: ff 48 d3 eb 48 89 de e8 22 76 4f 00 48 85 db 75 13 e8 d8 73 4f 00 4c 89 e0 5b 5d 41 5c 41 5d e9 e5 c0 a5 ff e8 c5 73 4f 00 90 <0f> 0b e8 bd 73 4f 00 48 c7 c0 10 a0 fa 8d 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc9000071efe8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffffffff816a7fa2
RDX: 000077800000000e RSI: ffff8880412ac900 RDI: 0000000000000002
RBP: 000000008000000e R08: 0000000000000000 R09: fffffbfff2de6d9f
R10: fffffbfff2de6d9e R11: 0000000000000001 R12: 000077800000000e
R13: 0000000000000000 R14: ffffc9000071f048 R15: ffff888075c2a140
FS: 0000000000000000(0000) GS:ffff88807ef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f955b82c15d CR3: 000000006f1e0000 CR4: 0000000000750ef0
PKRU: 55555554
2025/02/26 11:21:55 reproducing crash 'KASAN: slab-out-of-bounds Read in mapping_try_invalidate': final repro crashed as (corrupted=false):
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c6c25c03258c59c5 written 1032 min_key POS_MIN durability: 1 ptr: 0:27:0 gen 0
node offset 0/1032 bset u64s 33578 bset byte offset 160: bad k->u64s 0 (min 3 max 253), fixing
(base) qjj@...kaller109:~/go1.22.1_projects/go_projects/syzkaller$ exit
exit
Script done on 2025-02-26 18:17:09+08:00 [COMMAND_EXIT_CODE="0"]
---------------
thanks,
Kun Hu
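As an added illustration of the failure mode described in the report (this is not bcachefs code and not the reporter's code): a toy walker over a packed run of variable-length keys, each headed by a `u64s` word count, that checks the key length against the permitted range and against the words remaining before the end of the bset before it ever computes a `next` pointer or a move length. The `toy_*` names, the two-word key header and the "type 0 is invalid" content rule are assumptions made for this example; the limits 3 and 253 are taken from the `bad k->u64s 0 (min 3 max 253)` line in the log. The point it demonstrates is the ordering: a key whose length is out of range (including `u64s == 0`, which would otherwise never advance) cannot be skipped over or shifted past, because its length is exactly the value that says where the next key begins, so the walk truncates there; only a key whose length has already been validated is dropped by moving the remainder down over it.

```c
/* Added example, not bcachefs code: bounds-checked walk over a toy bset. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_U64S_MIN 3     /* limits quoted in the report's log line */
#define KEY_U64S_MAX 253

struct toy_key {           /* assumed layout for this example */
    uint64_t u64s;         /* words in this key, header included */
    uint64_t type;         /* constructed rule: 0 is not a valid type */
    uint64_t payload[];    /* u64s - 2 words */
};

struct toy_bset {          /* assumed layout for this example */
    uint64_t u64s;         /* words of key data that follow */
    uint64_t data[];
};

struct walk_stats {
    int bset_ok;           /* 0 if the bset header itself overran the buffer */
    unsigned kept, dropped, truncated;
};

static inline uint64_t *bset_end(struct toy_bset *i) { return i->data + i->u64s; }
static inline struct toy_key *key_next(struct toy_key *k)
{
    return (struct toy_key *)((uint64_t *)k + k->u64s);
}

struct walk_stats validate_toy_bset(struct toy_bset *i, size_t buf_words)
{
    struct walk_stats st = {0};

    /* The bset's own length must fit inside the buffer read from disk. */
    if (buf_words < 1 || i->u64s > buf_words - 1)
        return st;
    st.bset_ok = 1;

    struct toy_key *k = (struct toy_key *)i->data;
    while ((uint64_t *)k < bset_end(i)) {
        uint64_t remaining = bset_end(i) - (uint64_t *)k;

        /* Length check first. A key with u64s == 0 never advances, and one
         * claiming more words than remain pushes every later pointer past
         * the end. Its length is untrusted, so the start of the next key
         * is unknown: truncate the bset at this key instead of moving. */
        if (k->u64s < KEY_U64S_MIN || k->u64s > KEY_U64S_MAX || k->u64s > remaining) {
            i->u64s = (uint64_t *)k - i->data;
            st.truncated++;
            break;
        }

        /* Content check. The length is now known-good, so a bad key can be
         * dropped by shifting the rest of the bset down over it; the move
         * length is bounded by the already validated remaining words. */
        if (k->type == 0) {
            uint64_t *next = (uint64_t *)key_next(k);
            uint64_t move = bset_end(i) - next;
            i->u64s -= k->u64s;
            memmove(k, next, move * sizeof(uint64_t));
            st.dropped++;
            continue;      /* re-examine whatever now sits at k */
        }

        st.kept++;
        k = key_next(k);
    }
    return st;
}

/* Constructed sample: good, bad-type, good, then a u64s == 0 key followed
 * by garbage that must never be interpreted as keys. */
#define SAMPLE_WORDS 32
struct walk_stats run_sample(uint64_t *out_u64s)
{
    static uint64_t buf[SAMPLE_WORDS];
    memset(buf, 0xAB, sizeof buf);
    struct toy_bset *i = (struct toy_bset *)buf;
    uint64_t keys[] = { 3, 1, 100,   4, 0, 7, 8,   3, 2, 200,   0, 5, 6 };
    memcpy(i->data, keys, sizeof keys);
    i->u64s = 23;          /* claims more than was written, still within buf */
    struct walk_stats st = validate_toy_bset(i, SAMPLE_WORDS);
    if (out_u64s)
        *out_u64s = i->u64s;
    return st;
}

/* A bset whose own u64s (value from the report's log) exceeds the buffer. */
int oversized_bset_rejected(void)
{
    uint64_t buf[4] = { 33578, 0, 0, 0 };
    return validate_toy_bset((struct toy_bset *)buf, 4).bset_ok == 0;
}

int main(void)
{
    uint64_t u64s;
    struct walk_stats st = run_sample(&u64s);
    printf("kept=%u dropped=%u truncated=%u final u64s=%llu oversized_rejected=%d\n",
           st.kept, st.dropped, st.truncated, (unsigned long long)u64s,
           oversized_bset_rejected());
    return 0;
}
```

On the constructed sample the walk keeps two keys, drops the bad-type key by moving 16 words down, and stops at the zero-length key with the bset trimmed to 6 words, so the garbage after it is never read.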