lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Mar 2021 12:03:43 +0100 From: Dmitry Vyukov <dvyukov@...gle.com> To: syzbot <syzbot+c23c5421600e9b454849@...kaller.appspotmail.com>, Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, linux-riscv <linux-riscv@...ts.infradead.org> Cc: andrii@...nel.org, Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>, Daniel Borkmann <daniel@...earbox.net>, David Miller <davem@...emloft.net>, John Fastabend <john.fastabend@...il.com>, Martin KaFai Lau <kafai@...com>, kpsingh@...nel.org, Jakub Kicinski <kuba@...nel.org>, LKML <linux-kernel@...r.kernel.org>, netdev <netdev@...r.kernel.org>, Song Liu <songliubraving@...com>, syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Yonghong Song <yhs@...com> Subject: Re: [syzbot] BUG: unable to handle kernel access to user memory in sock_ioctl On Sun, Mar 14, 2021 at 11:01 AM Dmitry Vyukov <dvyukov@...gle.com> wrote: > > On Wed, Mar 10, 2021 at 7:28 PM syzbot > > <syzbot+c23c5421600e9b454849@...kaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot found the following issue on: > > > > > > HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas.. > > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes > > > console output: https://syzkaller.appspot.com/x/log.txt?x=122c343ad00000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=e3c595255fb2d136 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=c23c5421600e9b454849 > > > userspace arch: riscv64 > > > > > > Unfortunately, I don't have any reproducer for this issue yet. > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > Reported-by: syzbot+c23c5421600e9b454849@...kaller.appspotmail.com > > > > +riscv maintainers > > > > Another case of put_user crashing. > > There are 58 crashes in sock_ioctl already. Somehow there is a very > significant skew towards crashing with this "user memory without > uaccess routines" in schedule_tail and sock_ioctl of all places in the > kernel that use put_user... This looks very strange... Any ideas > what's special about these 2 locations? I could imagine if such a crash happens after a previous stack overflow and now task data structures are corrupted. But f_getown does not look like a function that consumes way more than other kernel syscalls... > > > Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000020000300 > > > Oops [#1] > > > Modules linked in: > > > CPU: 1 PID: 4488 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 > > > Hardware name: riscv-virtio,qemu (DT) > > > epc : sock_ioctl+0x424/0x6ac net/socket.c:1124 > > > ra : sock_ioctl+0x424/0x6ac net/socket.c:1124 > > > epc : ffffffe002aeeb3e ra : ffffffe002aeeb3e sp : ffffffe023867da0 > > > gp : ffffffe005d25378 tp : ffffffe007e116c0 t0 : 0000000000000000 > > > t1 : 0000000000000001 t2 : 0000003fb8035e44 s0 : ffffffe023867e30 > > > s1 : 0000000000040000 a0 : 0000000000000000 a1 : 0000000000000007 > > > a2 : 1ffffffc00fc22d8 a3 : ffffffe003bc1d02 a4 : 0000000000000000 > > > a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba > > > s2 : 0000000000000000 s3 : 0000000000008902 s4 : 0000000020000300 > > > s5 : ffffffe005d2b0d0 s6 : ffffffe010facfc0 s7 : ffffffe008e00000 > > > s8 : 0000000000008903 s9 : ffffffe010fad080 s10: 0000000000000000 > > > s11: 0000000000020000 t3 : 982de389919f6300 t4 : ffffffc401175688 > > > t5 : ffffffc401175691 t6 : 0000000000000007 > > > status: 0000000000000120 badaddr: 0000000020000300 cause: 000000000000000f > > > Call Trace: > > > [<ffffffe002aeeb3e>] sock_ioctl+0x424/0x6ac net/socket.c:1124 > > > [<ffffffe0003fdb6a>] vfs_ioctl fs/ioctl.c:48 [inline] > > > [<ffffffe0003fdb6a>] __do_sys_ioctl fs/ioctl.c:753 [inline] > > > [<ffffffe0003fdb6a>] sys_ioctl+0x5c2/0xd56 fs/ioctl.c:739 > > > [<ffffffe000005562>] ret_from_syscall+0x0/0x2 > > > Dumping ftrace buffer: > > > (ftrace buffer empty) > > > ---[ end trace a5f91e70f37b907b ]--- > > > > > > > > > --- > > > This report is generated by a bot. It may contain errors. > > > See https://goo.gl/tpsmEJ for more information about syzbot. > > > syzbot engineers can be reached at syzkaller@...glegroups.com. > > > > > > syzbot will keep track of this issue. See: > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists