lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <517b729.1386e.197ef12608f.Coremail.baishuoran@hrbeu.edu.cn>
Date: Wed, 9 Jul 2025 20:04:08 +0800 (GMT+08:00)
From: 白烁冉 <baishuoran@...eu.edu.cn>
To: "Alexei Starovoitov" <ast@...nel.org>,
	"Daniel Borkmann" <daniel@...earbox.net>,
	"Andrii Nakryiko" <andrii@...nel.org>
Cc: "Kun Hu" <huk23@...udan.edu.cn>, "Jiaji Qin" <jjtan24@...udan.edu.cn>,
	"Martin KaFai Lau" <martin.lau@...ux.dev>,
	"Yonghong Song" <yonghong.song@...ux.dev>,
	"KP Singh" <kpsingh@...nel.org>,
	"Stanislav Fomichev" <sdf@...ichev.me>, bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: general protection fault in alloc_bulk

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (113th) was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/general%20protection%20fault%20in%20alloc_bulk/113report.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/general%20protection%20fault%20in%20alloc_bulk/113repro.c

Our reproducer mounts a constructed filesystem image.
The error occurred around line 215 of the alloc_bulk function, in the call to add_obj_to_free_list(c, obj). obj = llist_del_first(&c->free_by_rcu_ttrace) obtained a damaged pointer; add_obj_to_free_list(c, obj) then attempted to manipulate the damaged pointer and accessed the obj->next field. KASAN detected an access to an invalid memory address.
We have reproduced this issue several times on 6.14 again.

If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
Oops: general protection fault, probably for non-canonical address 0xfc1ffbf110024d86: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe0ffff8880126c30-0xe0ffff8880126c37]
CPU: 0 UID: 0 PID: 17693 Comm: syz.7.371 Not tainted 6.14.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:alloc_bulk+0x72f/0xf40
Code: 85 9a 00 00 00 e8 71 cd d9 ff 48 8b 44 24 20 42 80 3c 38 00 0f 85 5f 07 00 00 49 8b 5c 24 10 48 8d 7b 54 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc90000007e98 EFLAGS: 00010013
RAX: 1c1ffff110024d86 RBX: e0ffff8880126be0 RCX: ffffffff81e05449
RDX: 0000000000000001 RSI: ffff888073c00000 RDI: e0ffff8880126c34
RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff2de7999
R10: fffffbfff2de7998 R11: ffffffff96f3ccc7 R12: ffff888076366901
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f6e90896700(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560269b0 CR3: 000000002b20a000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
 <IRQ>
 bpf_mem_refill+0x5dd/0x970
 irq_work_single+0x128/0x260
 irq_work_run_list+0x91/0xc0
 irq_work_run+0x58/0xd0
 __sysvec_irq_work+0x8c/0x410
 sysvec_irq_work+0xd9/0x100
 </IRQ>
 <TASK>
 asm_sysvec_irq_work+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50
Code: 48 8b 05 53 b8 49 7e 48 8b 80 20 16 00 00 e9 12 20 56 ff 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 55 bf 02 00 00 00 53 48 8b 6c 24 10 65 48 8b 1d 18 b8
RSP: 0018:ffffc900089cfa08 EFLAGS: 00000212
RAX: 000000000005190f RBX: 0000000000000000 RCX: 0000000000080000
RDX: ffffc90003052000 RSI: ffff888073c00000 RDI: 0000000000000002
RBP: 0000000000000200 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff20c2fa2 R11: ffffffff90617d17 R12: 0000000000000006
R13: 0000000000000000 R14: ffff8880137415f8 R15: ffff88807d3b5000
 __htab_percpu_map_update_elem+0x506/0x1180
 bpf_percpu_hash_update+0xc4/0x240
 bpf_map_update_value+0x8ad/0xcd0
 generic_map_update_batch+0x473/0x630
 bpf_map_do_batch+0x49c/0x600
 __sys_bpf+0x2656/0x5150
 __x64_sys_bpf+0x79/0xc0
 do_syscall_64+0xcf/0x250
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e8f9acadd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6e90895ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f6e8fba5fa0 RCX: 00007f6e8f9acadd
RDX: 0000000000000038 RSI: 00000000200005c0 RDI: 000000000000001a
RBP: 00007f6e8fa2ab8f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e8fba5fac R14: 00007f6e8fba6038 R15: 00007f6e90895d40
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:alloc_bulk+0x72f/0xf40
Code: 85 9a 00 00 00 e8 71 cd d9 ff 48 8b 44 24 20 42 80 3c 38 00 0f 85 5f 07 00 00 49 8b 5c 24 10 48 8d 7b 54 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc90000007e98 EFLAGS: 00010013
RAX: 1c1ffff110024d86 RBX: e0ffff8880126be0 RCX: ffffffff81e05449
RDX: 0000000000000001 RSI: ffff888073c00000 RDI: e0ffff8880126c34
RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff2de7999
R10: fffffbfff2de7998 R11: ffffffff96f3ccc7 R12: ffff888076366901
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f6e90896700(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560269b0 CR3: 000000002b20a000 CR4: 0000000000750ef0
PKRU: 80000000
----------------
Code disassembly (best guess):
   0: 85 9a 00 00 00 e8    test   %ebx,-0x18000000(%rdx)
   6: 71 cd                jno    0xffffffd5
   8: d9 ff                fcos
   a: 48 8b 44 24 20        mov    0x20(%rsp),%rax
   f: 42 80 3c 38 00        cmpb   $0x0,(%rax,%r15,1)
  14: 0f 85 5f 07 00 00    jne    0x779
  1a: 49 8b 5c 24 10        mov    0x10(%r12),%rbx
  1f: 48 8d 7b 54          lea    0x54(%rbx),%rdi
  23: 48 89 f8              mov    %rdi,%rax
  26: 48 c1 e8 03          shr    $0x3,%rax
* 2a: 42 0f b6 14 38        movzbl (%rax,%r15,1),%edx <-- trapping instruction
  2f: 48 89 f8              mov    %rdi,%rax
  32: 83 e0 07              and    $0x7,%eax
  35: 83 c0 03              add    $0x3,%eax
  38: 38 d0                cmp    %dl,%al
  3a: 7c 08                jl     0x44
  3c: 84 d2                test   %dl,%dl
  3e: 0f                    .byte 0xf
  3f: 85                    .byte 0x85
thanks,
Kun Hu
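For triaging this oops without a debugger, the following added script (not part of the report or of the kernel) redoes the KASAN shadow arithmetic visible in the disassembly: RDI = RBX + 0x54 is the address being accessed, RAX = RDI >> 3, and the trapping load reads RAX + R15, where R15 holds the x86-64 generic-KASAN shadow offset 0xdffffc0000000000. Register values are copied from the dump above; the canonical-address check assumes 4-level paging (48-bit virtual addresses).

```python
# Added triage helper: reproduce the KASAN shadow-address computation from the
# oops register dump so the reported non-canonical fault address is explained.
# Register values are copied from the "RIP: 0010:alloc_bulk+0x72f" dump above.
KASAN_SHADOW_OFFSET = 0xdffffc0000000000   # x86-64 generic KASAN, value in R15
KASAN_SHADOW_SCALE_SHIFT = 3               # one shadow byte per 8-byte granule
VA_BITS = 48                               # assumption: 4-level paging
MASK64 = (1 << 64) - 1

RBX = 0xe0ffff8880126be0   # damaged obj pointer taken off free_by_rcu_ttrace
RDI = 0xe0ffff8880126c34   # lea 0x54(%rbx),%rdi -> address being accessed
RAX = 0x1c1ffff110024d86   # shr $0x3,%rax
REPORTED_FAULT_ADDR = 0xfc1ffbf110024d86           # "non-canonical address"
REPORTED_RANGE = (0xe0ffff8880126c30, 0xe0ffff8880126c37)  # KASAN range line


def kasan_shadow_addr(addr: int) -> int:
    """Address of the shadow byte KASAN reads for a memory access at addr."""
    return ((addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET) & MASK64


def is_canonical(addr: int) -> bool:
    """x86-64 canonical form: bits 63..VA_BITS-1 are all zero or all one."""
    top = addr >> (VA_BITS - 1)
    return top == 0 or top == (1 << (64 - VA_BITS + 1)) - 1


def granule_range(addr: int) -> tuple[int, int]:
    """The 8-byte KASAN granule containing addr, as printed in the range line."""
    start = addr & ~((1 << KASAN_SHADOW_SCALE_SHIFT) - 1)
    return start, start + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1


def explain_oops() -> dict:
    """Tie the register dump together and return the derived facts."""
    accessed = (RBX + 0x54) & MASK64
    return {
        "accessed_addr": accessed,
        "accessed_matches_rdi": accessed == RDI,
        "shifted_matches_rax": (RDI >> KASAN_SHADOW_SCALE_SHIFT) == RAX,
        "shadow_addr": kasan_shadow_addr(RDI),
        "shadow_matches_fault": kasan_shadow_addr(RDI) == REPORTED_FAULT_ADDR,
        "granule": granule_range(RDI),
        "obj_ptr_canonical": is_canonical(RBX),   # False: obj itself is garbage
    }


if __name__ == "__main__":
    for key, val in explain_oops().items():
        shown = hex(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key:24} {shown}")
```

The shadow address derived from RDI equals the fault address in the first oops line, and RBX fails the canonical check, which supports the report's reading that the pointer popped from free_by_rcu_ttrace was already corrupt before add_obj_to_free_list dereferenced it.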