lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <0a5b15d6a4a0115648e955ea642978e467520bfe.camel@gmail.com>
Date: Tue, 07 Oct 2025 11:35:53 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: syzbot <syzbot+997752115a851cb0cf36@...kaller.appspotmail.com>, 
	andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net, 	haoluo@...gle.com, john.fastabend@...il.com,
 jolsa@...nel.org, kpsingh@...nel.org, 	linux-kernel@...r.kernel.org,
 martin.lau@...ux.dev, sdf@...ichev.me, 	song@...nel.org,
 syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] KASAN: invalid-access Write in do_bad_area

On Tue, 2025-10-07 at 07:58 -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    c746c3b51698 Merge tag 'for-6.18-tag' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=149b5a7c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f49b7d923ce867a
> dashboard link: https://syzkaller.appspot.com/bug?extid=997752115a851cb0cf36
> compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17ee792f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=163955cd980000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-c746c3b5.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/85796940f78d/vmlinux-c746c3b5.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/1d82d6550867/Image-c746c3b5.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+997752115a851cb0cf36@...kaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: invalid-access in __memcpy+0xc/0x54 arch/arm64/lib/memcpy.S:250
> Write at addr f0ff800083d6d268 by task syz.2.17/3596
> Pointer tag: [f0], memory tag: [fe]
> 
> CPU: 1 UID: 0 PID: 3596 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT 
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x78/0x90 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0x108/0x61c mm/kasan/report.c:482
>  kasan_report+0x88/0xac mm/kasan/report.c:595
>  report_tag_fault arch/arm64/mm/fault.c:326 [inline]
>  do_tag_recovery arch/arm64/mm/fault.c:338 [inline]
>  __do_kernel_fault+0x170/0x1c8 arch/arm64/mm/fault.c:380
>  do_bad_area+0x68/0x78 arch/arm64/mm/fault.c:480
>  do_tag_check_fault+0x34/0x44 arch/arm64/mm/fault.c:853
>  do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:929
>  el1_abort+0x44/0x68 arch/arm64/kernel/entry-common.c:325
>  el1h_64_sync_handler+0x50/0xac arch/arm64/kernel/entry-common.c:459
>  el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
>  __memcpy+0xc/0x54 arch/arm64/lib/memcpy.S:250 (P)
>  do_misc_fixups+0x174/0x1aac kernel/bpf/verifier.c:22553
>  bpf_check+0x1348/0x2a24 kernel/bpf/verifier.c:24686
>  bpf_prog_load+0x63c/0xcd4 kernel/bpf/syscall.c:3062
>  __sys_bpf+0x2e0/0x1a88 kernel/bpf/syscall.c:6134
>  __do_sys_bpf kernel/bpf/syscall.c:6244 [inline]
>  __se_sys_bpf kernel/bpf/syscall.c:6242 [inline]
>  __arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:6242
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x34/0x10c arch/arm64/kernel/entry-common.c:744
>  el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:763
>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
> 
> The buggy address belongs to a 1-page vmalloc region starting at 0xf0ff800083d6d000 allocated at bpf_check+0x8c/0x2a24 kernel/bpf/verifier.c:24529
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x544b2
> flags: 0x1fffc0000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xf)
> raw: 01fffc0000000000 0000000000000000 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> 
> Memory state around the buggy address:
>  ffff800083d6d000: f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0
>  ffff800083d6d100: f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 fe fe fe fe
> > ffff800083d6d200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>                                      ^
>  ffff800083d6d300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>  ffff800083d6d400: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> ==================================================================

fwiw, can't reproduce this on x86.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ