Message-ID: <7da48a7f.1563c.1981ce80f5b.Coremail.baishuoran@hrbeu.edu.cn>
Date: Fri, 18 Jul 2025 17:40:27 +0800 (GMT+08:00)
From: 白烁冉 <baishuoran@...eu.edu.cn>
To: "Thomas Gleixner" <tglx@...utronix.de>, "Ingo Molnar" <mingo@...hat.com>,
	"Borislav Petkov" <bp@...en8.de>,
	"Dave Hansen" <dave.hansen@...ux.intel.com>
Cc: "Kun Hu" <huk23@...udan.edu.cn>, "Jiaji Qin" <jjtan24@...udan.edu.cn>,
	x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
	linux-kernel@...r.kernel.org
Subject: KASAN: vmalloc-out-of-bounds Read in copy_from_buffer

Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.
HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20vmalloc-out-of-bounds%20Read%20in%20copy_from_buffer/14_report.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20vmalloc-out-of-bounds%20Read%20in%20copy_from_buffer/14_repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20vmalloc-out-of-bounds%20Read%20in%20copy_from_buffer/14_repro.txt
The error occurs in the copy_from_buffer function of the xstate.c file around line 1214. In copy_from_buffer: if (kbuf) { memcpy(dst, kbuf + offset, size); kbuf + offset + size exceeds the buffer boundary. It is also possible that the destination address void *dst is invalid.

We have reproduced this issue several times on 6.14 again.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
[  487.090468][T15098] ==================================================================
[  487.108911][T15098] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  487.111242][T15098] CPU: 0 UID: 0 PID: 15098 Comm: syz.0.16 Not tainted 6.14.0 #1
[  487.113698][T15098] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  487.116526][T15098] Call Trace:
[  487.116526][T15098]  <TASK>
[  487.116526][T15098]  dump_stack_lvl+0x3d/0x1b0
[  487.116526][T15098]  panic+0x70b/0x7c0
[  487.116526][T15098]  ? __pfx_panic+0x10/0x10
[  487.116526][T15098]  ? irqentry_exit+0x3b/0x90
[  487.116526][T15098]  ? lockdep_hardirqs_on+0x7c/0x110
[  487.116526][T15098]  ? preempt_schedule_thunk+0x1a/0x30
[  487.116526][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.116526][T15098]  ? preempt_schedule_common+0x49/0xc0
[  487.116526][T15098]  ? check_panic_on_warn+0x1f/0xc0
[  487.116526][T15098]  ? copy_from_buffer+0x3b/0xd0
[  487.116526][T15098]  check_panic_on_warn+0xb1/0xc0
[  487.137102][T15098]  end_report+0x117/0x180
[  487.137102][T15098]  kasan_report+0xa1/0xc0
[  487.137102][T15098]  ? copy_from_buffer+0x3b/0xd0
[  487.137102][T15098]  kasan_check_range+0xed/0x1a0
[  487.137102][T15098]  __asan_memcpy+0x24/0x60
[  487.137102][T15098]  copy_from_buffer+0x3b/0xd0
[  487.137102][T15098]  copy_uabi_to_xstate+0x26e/0x660
[  487.137102][T15098]  ? __pfx_lock_release+0x10/0x10
[  487.137102][T15098]  ? __pfx_copy_uabi_to_xstate+0x10/0x10
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? write_comp_data+0x29/0x80
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? __sanitizer_cov_trace_pc+0x20/0x50
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  xstateregs_set+0xe3/0x1f0
[  487.137102][T15098]  ? __pfx_xstateregs_set+0x10/0x10
[  487.137102][T15098]  ptrace_regset.isra.0+0x2ec/0x3f0
[  487.137102][T15098]  ptrace_request+0x284/0x1050
[  487.137102][T15098]  ? __pfx_ptrace_request+0x10/0x10
[  487.137102][T15098]  ? _raw_spin_unlock_irqrestore+0x58/0x70
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? lockdep_hardirqs_on+0x7c/0x110
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? wait_task_inactive+0x37e/0x670
[  487.137102][T15098]  ? __pfx_wait_task_inactive+0x10/0x10
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? __pfx_do_raw_spin_lock+0x10/0x10
[  487.137102][T15098]  ? srso_alias_return_thunk+0x5/0xfbef5
[  487.137102][T15098]  ? write_comp_data+0x29/0x80
[  487.137102][T15098]  arch_ptrace+0x205/0x420
[  487.137102][T15098]  __x64_sys_ptrace+0x17c/0x2d0
[  487.137102][T15098]  do_syscall_64+0xcf/0x250
[  487.137102][T15098]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  487.137102][T15098] RIP: 0033:0x7f56eadacadd
[  487.137102][T15098] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[  487.137102][T15098] RSP: 002b:00007f56ebc21ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000065
[  487.137102][T15098] RAX: ffffffffffffffda RBX: 00007f56eafa5fa0 RCX: 00007f56eadacadd
[  487.137102][T15098] RDX: 0000000000000202 RSI: 0000000000000005 RDI: 0000000000004205
[  487.137102][T15098] RBP: 00007f56eae2ab8f R08: 0000000000000000 R09: 0000000000000000
[  487.137102][T15098] R10: 0000000020000240 R11: 0000000000000246 R12: 0000000000000000
[  487.137102][T15098] R13: 00007f56eafa5fac R14: 00007f56eafa6038 R15: 00007f56ebc21d40
[  487.137102][T15098]  </TASK>
------------------------------
thanks,
Kun Hu
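An added example, not code from this report or from the kernel tree: a user-space model of the kbuf branch of copy_from_buffer() quoted above, rewritten so that the caller's buffer length is passed in and the region [offset, offset + size) is validated before the memcpy. copy_from_buffer_checked, copy_all_features, demo, and the feature layout are hypothetical; the layout offsets are constructed and are not real xstate offsets.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hardened model (hypothetical, not a proposed kernel patch) of the branch
 * "if (kbuf) memcpy(dst, kbuf + offset, size)": the caller's buffer length
 * is threaded through and [offset, offset + size) is validated first. The
 * end is computed in 64 bits so a large offset cannot wrap past kbuf_len. */
static int copy_from_buffer_checked(void *dst, unsigned int offset,
                                    unsigned int size, const void *kbuf,
                                    size_t kbuf_len)
{
    uint64_t end = (uint64_t)offset + size;
    if (end > kbuf_len)
        return -EINVAL;
    memcpy(dst, (const char *)kbuf + offset, size);
    return 0;
}

/* Constructed per-feature layout (offset, size); not real xstate offsets. */
struct feat { unsigned int offset, size; };
static const struct feat layout[] = { {0, 64}, {64, 128}, {192, 256} };
#define LAYOUT_BYTES 448u

/* Model of a copy_uabi_to_xstate-style caller: copy each feature out of a
 * count-byte user-supplied buffer and stop at the first one that overruns. */
static int copy_all_features(char *dst, const char *kbuf, size_t count)
{
    for (size_t i = 0; i < sizeof layout / sizeof layout[0]; i++) {
        int ret = copy_from_buffer_checked(dst + layout[i].offset,
                                           layout[i].offset, layout[i].size,
                                           kbuf, count);
        if (ret)
            return ret;
    }
    return 0;
}

/* Driver: kbuf has LAYOUT_BYTES of backing storage, but only count bytes
 * are treated as supplied, mirroring a regset write shorter than the layout. */
static int demo(size_t count)
{
    static char kbuf[LAYOUT_BYTES], dst[LAYOUT_BYTES];
    if (count > LAYOUT_BYTES)
        return -E2BIG;
    memset(kbuf, 0x41, count);   /* constructed payload bytes */
    return copy_all_features(dst, kbuf, count);
}
```

A 32-bit `offset + size` would wrap for the last assertion below and let the copy through, which is why the check widens to 64 bits.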
