Date: Tue, 14 Nov 2023 04:36:13 +0000
From: "Bai, Shuangpeng" <sjb7183@....edu>
To: "davem@...emloft.net" <davem@...emloft.net>, "edumazet@...gle.com"
	<edumazet@...gle.com>, "kuba@...nel.org" <kuba@...nel.org>,
	"pabeni@...hat.com" <pabeni@...hat.com>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: Re: KASAN: slab-out-of-bounds in sock_sendmsg

reproducer and config: 
Download attachment "repro.c" of type "application/octet-stream" (2203 bytes)

Download attachment ".config" of type "application/octet-stream" (238712 bytes)



> On Nov 13, 2023, at 23:27, sjb7183 <sjb7183@....edu> wrote:
> 
> Hi Kernel Maintainers,
> 
> Our tool found a new kernel bug KASAN: slab-out-of-bounds in sock_sendmsg. Please see the details below.
> 
> 
> Kernel commit: v6.1.62 (recent longterm)
> Kernel config: attachment
> C/Syz reproducer: attachment
> 
> [  112.531454][ T6474] ==================================================================
> [ 112.532297][ T6474] BUG: KASAN: slab-out-of-bounds in sock_sendmsg (net/socket.c:747) 
> [  112.532942][ T6474] Read of size 74 at addr ffff88807dacba88 by task a.out/6474
> [  112.533574][ T6474]
> [  112.533783][ T6474] CPU: 0 PID: 6474 Comm: a.out Not tainted 6.1.62 #7
> [  112.534356][ T6474] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [  112.535127][ T6474] Call Trace:
> [  112.535431][ T6474]  <TASK>
> [ 112.535699][ T6474] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
> [ 112.536109][ T6474] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395) 
> [ 112.536515][ T6474] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) 
> [ 112.536927][ T6474] ? sock_sendmsg (net/socket.c:747) 
> [ 112.537342][ T6474] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497) 
> [ 112.537751][ T6474] ? sock_sendmsg (net/socket.c:747) 
> [ 112.538165][ T6474] kasan_check_range (mm/kasan/generic.c:190) 
> [ 112.538615][ T6474] memcpy (mm/kasan/shadow.c:65) 
> [ 112.538977][ T6474] sock_sendmsg (net/socket.c:747) 
> [ 112.539383][ T6474] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:323 arch/x86/kernel/unwind_orc.c:318) 
> [ 112.539883][ T6474] ? sock_write_iter (net/socket.c:740) 
> [ 112.540324][ T6474] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:543 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:186 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
> [ 112.540820][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161) 
> [ 112.541254][ T6474] ? iov_iter_kvec (lib/iov_iter.c:1001 (discriminator 3)) 
> [ 112.541683][ T6474] ? kernel_sendmsg (net/socket.c:773) 
> [ 112.542105][ T6474] rxrpc_send_abort_packet (net/rxrpc/output.c:336) 
> [ 112.542583][ T6474] ? rxrpc_send_ack_packet (net/rxrpc/output.c:287) 
> [ 112.543071][ T6474] ? kasan_save_stack (mm/kasan/common.c:46) 
> [ 112.543502][ T6474] ? do_exit (kernel/exit.c:866) 
> [ 112.543899][ T6474] ? do_group_exit (kernel/exit.c:1000) 
> [ 112.544326][ T6474] ? __rxrpc_set_call_completion.part.0 (net/rxrpc/recvmsg.c:80) 
> [ 112.544904][ T6474] ? __rxrpc_abort_call (net/rxrpc/recvmsg.c:127) 
> [ 112.545365][ T6474] ? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:403) 
> [ 112.545833][ T6474] rxrpc_release_calls_on_socket (net/rxrpc/call_object.c:611) 
> [ 112.546362][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161) 
> [ 112.546796][ T6474] rxrpc_release (net/rxrpc/af_rxrpc.c:887 net/rxrpc/af_rxrpc.c:917) 
> [ 112.547208][ T6474] __sock_release (net/socket.c:653) 
> [ 112.547632][ T6474] sock_close (net/socket.c:1389) 
> [ 112.548076][ T6474] __fput (fs/file_table.c:321) 
> [ 112.548439][ T6474] ? __sock_release (net/socket.c:1386) 
> [ 112.548871][ T6474] task_work_run (kernel/task_work.c:180 (discriminator 1)) 
> [ 112.549286][ T6474] ? task_work_cancel (kernel/task_work.c:147) 
> [ 112.549720][ T6474] do_exit (kernel/exit.c:870) 
> [ 112.550098][ T6474] ? mm_update_next_owner (kernel/exit.c:806) 
> [ 112.550579][ T6474] ? _raw_spin_lock (kernel/locking/spinlock.c:169) 
> [ 112.551010][ T6474] ? zap_other_threads (kernel/signal.c:1386) 
> [ 112.551474][ T6474] do_group_exit (kernel/exit.c:1000) 
> [ 112.551896][ T6474] __x64_sys_exit_group (kernel/exit.c:1028) 
> [ 112.552355][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
> [ 112.552755][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
> [  112.553274][ T6474] RIP: 0033:0x7f4595393146
> [ 112.553669][ T6474] Code: Unable to access opcode bytes at 0x7f459539311c.
> 
> Code starting with the faulting instruction
> ===========================================
> [  112.554264][ T6474] RSP: 002b:00007fff14cbd758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> [  112.554977][ T6474] RAX: ffffffffffffffda RBX: 00007f45954988a0 RCX: 00007f4595393146
> [  112.555663][ T6474] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> [  112.556336][ T6474] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
> [  112.557015][ T6474] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f45954988a0
> [  112.557679][ T6474] R13: 0000000000000001 R14: 00007f45954a12e8 R15: 0000000000000000
> [  112.558365][ T6474]  </TASK>
> [  112.558642][ T6474]
> [  112.558856][ T6474] Allocated by task 6474:
> [ 112.559228][ T6474] kasan_save_stack (mm/kasan/common.c:46) 
> [ 112.559657][ T6474] kasan_set_track (mm/kasan/common.c:52) 
> [ 112.560063][ T6474] __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:333 mm/kasan/common.c:383) 
> [ 112.560477][ T6474] rxrpc_alloc_peer (net/rxrpc/peer_object.c:218) 
> [ 112.560897][ T6474] rxrpc_lookup_peer (net/rxrpc/peer_object.c:293 net/rxrpc/peer_object.c:352) 
> [ 112.561314][ T6474] rxrpc_connect_call (net/rxrpc/conn_client.c:366 net/rxrpc/conn_client.c:716) 
> [ 112.561742][ T6474] rxrpc_new_client_call (net/rxrpc/call_object.c:353) 
> [ 112.562200][ T6474] rxrpc_do_sendmsg (net/rxrpc/sendmsg.c:636 net/rxrpc/sendmsg.c:686) 
> [ 112.562628][ T6474] rxrpc_sendmsg (net/rxrpc/af_rxrpc.c:561) 
> [ 112.563034][ T6474] __sock_sendmsg (net/socket.c:719 net/socket.c:728) 
> [ 112.563442][ T6474] ____sys_sendmsg (net/socket.c:2499) 
> [ 112.563877][ T6474] ___sys_sendmsg (net/socket.c:2555) 
> [ 112.564304][ T6474] __sys_sendmsg (net/socket.c:2584) 
> [ 112.564718][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
> [ 112.565125][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
> [  112.565646][ T6474]
> [  112.565860][ T6474] The buggy address belongs to the object at ffff88807dacba00
> [  112.565860][ T6474]  which belongs to the cache kmalloc-256 of size 256
> [  112.567034][ T6474] The buggy address is located 136 bytes inside of
> [  112.567034][ T6474]  256-byte region [ffff88807dacba00, ffff88807dacbb00)
> [  112.568174][ T6474]
> [  112.568381][ T6474] The buggy address belongs to the physical page:
> [  112.568919][ T6474] page:ffffea0001f6b280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7daca
> [  112.569777][ T6474] head:ffffea0001f6b280 order:1 compound_mapcount:0 compound_pincount:0
> [  112.570472][ T6474] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> [  112.571160][ T6474] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800fc41b40
> [  112.571863][ T6474] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> [  112.572588][ T6474] page dumped because: kasan: bad access detected
> [  112.573105][ T6474] page_owner tracks the page as allocated
> [  112.573584][ T6474] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEM1
> [ 112.575352][ T6474] post_alloc_hook (./include/linux/page_owner.h:31 mm/page_alloc.c:2513) 
> [ 112.575797][ T6474] get_page_from_freelist (mm/page_alloc.c:2531 mm/page_alloc.c:4279) 
> [ 112.576286][ T6474] __alloc_pages (mm/page_alloc.c:5546) 
> [ 112.576710][ T6474] alloc_pages (mm/mempolicy.c:2282) 
> [ 112.577103][ T6474] allocate_slab (mm/slub.c:1798 mm/slub.c:1939) 
> [ 112.577503][ T6474] ___slab_alloc (mm/slub.c:3181) 
> [ 112.577906][ T6474] __slab_alloc.constprop.0 (mm/slub.c:3279) 
> [ 112.578369][ T6474] __kmem_cache_alloc_node (mm/slub.c:3364 mm/slub.c:3437) 
> [ 112.578840][ T6474] kmalloc_trace (mm/slab_common.c:1048) 
> [ 112.579228][ T6474] inode_doinit_use_xattr (security/selinux/hooks.c:1317) 
> [ 112.580483][ T6474] inode_doinit_with_dentry (security/selinux/hooks.c:1509) 
> [ 112.580964][ T6474] selinux_d_instantiate (security/selinux/hooks.c:6357) 
> [ 112.581412][ T6474] security_d_instantiate (security/security.c:2078 (discriminator 11)) 
> [ 112.581861][ T6474] d_splice_alias (./include/linux/spinlock.h:350 fs/dcache.c:3147) 
> [ 112.582267][ T6474] kernfs_iop_lookup (fs/kernfs/dir.c:1181) 
> [ 112.582701][ T6474] __lookup_slow (./include/linux/dcache.h:359 ./include/linux/dcache.h:364 fs/namei.c:1687) 
> [  112.583115][ T6474] page last free stack trace:
> [ 112.583528][ T6474] free_pcp_prepare (./include/linux/page_owner.h:24 mm/page_alloc.c:1440 mm/page_alloc.c:1490) 
> [ 112.583967][ T6474] free_unref_page (mm/page_alloc.c:3358 mm/page_alloc.c:3453) 
> [ 112.584385][ T6474] free_contig_range (mm/page_alloc.c:9501) 
> [ 112.584823][ T6474] destroy_args (mm/debug_vm_pgtable.c:1031) 
> [ 112.585225][ T6474] debug_vm_pgtable (mm/debug_vm_pgtable.c:1355) 
> [ 112.585658][ T6474] do_one_initcall (init/main.c:1292) 
> [ 112.586059][ T6474] kernel_init_freeable (init/main.c:1364 init/main.c:1381 init/main.c:1400 init/main.c:1620) 
> [ 112.586507][ T6474] kernel_init (init/main.c:1510) 
> [ 112.586891][ T6474] ret_from_fork (arch/x86/entry/entry_64.S:312) 
> [  112.587283][ T6474]
> [  112.587491][ T6474] Memory state around the buggy address:
> [  112.587971][ T6474]  ffff88807dacb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  112.588653][ T6474]  ffff88807dacba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  112.589346][ T6474] >ffff88807dacba80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
> [  112.590031][ T6474]                                                  ^
> [  112.590603][ T6474]  ffff88807dacbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  112.591289][ T6474]  ffff88807dacbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  112.591954][ T6474] ==================================================================
> [  112.595224][ T6474] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> [  112.595872][ T6474] CPU: 1 PID: 6474 Comm: a.out Not tainted 6.1.62 #7
> [  112.596457][ T6474] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [  112.597243][ T6474] Call Trace:
> [  112.597529][ T6474]  <TASK>
> [ 112.597779][ T6474] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
> [ 112.598169][ T6474] panic (kernel/panic.c:357) 
> [ 112.598511][ T6474] ? panic_print_sys_info.part.0 (kernel/panic.c:276) 
> [ 112.598997][ T6474] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:34) 
> [ 112.599482][ T6474] ? preempt_schedule_common (./arch/x86/include/asm/bitops.h:207 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/thread_info.h:118 ./include/linux/sched.h:2231 kernel/sched/core.c:6731) 
> [ 112.599957][ T6474] check_panic_on_warn.cold (kernel/panic.c:239) 
> [ 112.600425][ T6474] end_report.part.0 (mm/kasan/report.c:169) 
> [ 112.600850][ T6474] ? sock_sendmsg (net/socket.c:747) 
> [ 112.601264][ T6474] kasan_report.cold (./include/linux/cpumask.h:110 mm/kasan/report.c:497) 
> [ 112.601678][ T6474] ? sock_sendmsg (net/socket.c:747) 
> [ 112.602100][ T6474] kasan_check_range (mm/kasan/generic.c:190) 
> [ 112.602539][ T6474] memcpy (mm/kasan/shadow.c:65) 
> [ 112.602889][ T6474] sock_sendmsg (net/socket.c:747) 
> [ 112.603286][ T6474] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:323 arch/x86/kernel/unwind_orc.c:318) 
> [ 112.603778][ T6474] ? sock_write_iter (net/socket.c:740) 
> [ 112.604214][ T6474] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:543 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:186 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
> [ 112.604659][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161) 
> [ 112.605089][ T6474] ? iov_iter_kvec (lib/iov_iter.c:1001 (discriminator 3)) 
> [ 112.605507][ T6474] ? kernel_sendmsg (net/socket.c:773) 
> [ 112.605934][ T6474] rxrpc_send_abort_packet (net/rxrpc/output.c:336) 
> [ 112.606423][ T6474] ? rxrpc_send_ack_packet (net/rxrpc/output.c:287) 
> [ 112.606908][ T6474] ? kasan_save_stack (mm/kasan/common.c:46) 
> [ 112.607324][ T6474] ? do_exit (kernel/exit.c:866) 
> [ 112.607715][ T6474] ? do_group_exit (kernel/exit.c:1000) 
> [ 112.608135][ T6474] ? __rxrpc_set_call_completion.part.0 (net/rxrpc/recvmsg.c:80) 
> [ 112.608702][ T6474] ? __rxrpc_abort_call (net/rxrpc/recvmsg.c:127) 
> [ 112.609160][ T6474] ? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:403) 
> [ 112.609636][ T6474] rxrpc_release_calls_on_socket (net/rxrpc/call_object.c:611) 
> [ 112.610157][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161) 
> [ 112.610590][ T6474] rxrpc_release (net/rxrpc/af_rxrpc.c:887 net/rxrpc/af_rxrpc.c:917) 
> [ 112.610985][ T6474] __sock_release (net/socket.c:653) 
> [ 112.611384][ T6474] sock_close (net/socket.c:1389) 
> [ 112.611745][ T6474] __fput (fs/file_table.c:321) 
> [ 112.612091][ T6474] ? __sock_release (net/socket.c:1386) 
> [ 112.612528][ T6474] task_work_run (kernel/task_work.c:180 (discriminator 1)) 
> [ 112.612948][ T6474] ? task_work_cancel (kernel/task_work.c:147) 
> [ 112.613386][ T6474] do_exit (kernel/exit.c:870) 
> [ 112.613761][ T6474] ? mm_update_next_owner (kernel/exit.c:806) 
> [ 112.614229][ T6474] ? _raw_spin_lock (kernel/locking/spinlock.c:169) 
> [ 112.614661][ T6474] ? zap_other_threads (kernel/signal.c:1386) 
> [ 112.615120][ T6474] do_group_exit (kernel/exit.c:1000) 
> [ 112.615535][ T6474] __x64_sys_exit_group (kernel/exit.c:1028) 
> [ 112.616003][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
> [ 112.616408][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
> [  112.616936][ T6474] RIP: 0033:0x7f4595393146
> [ 112.617334][ T6474] Code: Unable to access opcode bytes at 0x7f459539311c.
> 
> Code starting with the faulting instruction
> ===========================================
> [  112.617905][ T6474] RSP: 002b:00007fff14cbd758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> [  112.618619][ T6474] RAX: ffffffffffffffda RBX: 00007f45954988a0 RCX: 00007f4595393146
> [  112.619315][ T6474] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> [  112.619980][ T6474] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
> [  112.620655][ T6474] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f45954988a0
> [  112.621295][ T6474] R13: 0000000000000001 R14: 00007f45954a12e8 R15: 0000000000000000
> [  112.621951][ T6474]  </TASK>
> [  112.622323][ T6474] Kernel Offset: disabled
> [  112.622694][ T6474] Rebooting in 86400 seconds..
> 
> 
> 
> Best,
> Shuangpeng
> 
> 
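A small triage script for the report quoted above, added here as an example (it is not part of the original mail or of the reporter's tool). It parses the lines a KASAN slab-out-of-bounds report always carries (bug class and function, access kind/size/address, object address, cache, and the "Memory state" shadow rows) and derives, from the report's own data, what the prose lines do not spell out: the object's usable size and how far the access runs past it. A shadow byte of 00 means its 8-byte granule is fully accessible, 01..07 means only that many leading bytes are, and fc is the kmalloc redzone; walking the rows from the object start gives 208 usable bytes, so a 74-byte read at offset 136 ends at byte 210, 2 bytes past the object but still inside the 256-byte kmalloc-256 slot, which is why only KASAN's redzone catches it. The excerpt in KASAN_REPORT is copied from the report above; the field names and the Triage class are this example's own.

```python
import re
from dataclasses import dataclass, asdict

SHADOW_GRANULE = 8                  # one shadow byte covers 8 bytes of kernel memory
ROW_BYTES = 16 * SHADOW_GRANULE     # one "Memory state" row is 16 shadow bytes = 128 bytes
SLAB_REDZONE = 0xFC                 # KASAN poison for the unused tail of a kmalloc slot

# Lines excerpted from the KASAN report quoted above (only the ones the parser needs).
KASAN_REPORT = """\
[  112.532297][ T6474] BUG: KASAN: slab-out-of-bounds in sock_sendmsg (net/socket.c:747)
[  112.532942][ T6474] Read of size 74 at addr ffff88807dacba88 by task a.out/6474
[  112.565860][ T6474] The buggy address belongs to the object at ffff88807dacba00
[  112.565860][ T6474]  which belongs to the cache kmalloc-256 of size 256
[  112.567034][ T6474] The buggy address is located 136 bytes inside of
[  112.587491][ T6474] Memory state around the buggy address:
[  112.587971][ T6474]  ffff88807dacb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  112.588653][ T6474]  ffff88807dacba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  112.589346][ T6474] >ffff88807dacba80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[  112.590031][ T6474]                                                  ^
[  112.590603][ T6474]  ffff88807dacbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ")          # "[  112.53][ T6474] "
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+) \(([^)]+)\)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
_OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_INSIDE = re.compile(r"located (\d+) bytes inside")
_SHADOW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?)+)$")


@dataclass
class Triage:
    bug: str
    function: str
    location: str
    access: str
    size: int
    task: str
    cache: str
    slab_size: int       # size of the kmalloc slot the object lives in
    offset: int          # start of the access relative to the object start
    object_size: int     # accessible bytes from the object start, per shadow memory
    overflow: int        # bytes of the access that fall past the object end
    within_slot: bool    # True if the overflow still lands inside the kmalloc slot
    consistent: bool     # computed offset matches the report's "located N bytes inside"


def _accessible_bytes(rows: dict, start: int) -> int:
    """Walk shadow bytes from `start` until the first granule that is not accessible."""
    total, addr = 0, start
    while True:
        row = rows.get(addr - addr % ROW_BYTES)
        if row is None:                      # ran off the rows the report printed
            break
        shadow = row[(addr % ROW_BYTES) // SHADOW_GRANULE]
        if shadow == 0x00:                   # whole granule accessible
            total += SHADOW_GRANULE
            addr += SHADOW_GRANULE
        elif 1 <= shadow <= 7:               # partial granule: only `shadow` leading bytes
            total += shadow
            break
        else:                                # redzone (0xfc), freed, or other poison
            break
    return total


def triage(report: str) -> Triage:
    fields, rows = {}, {}
    for raw in report.splitlines():
        line = _PREFIX.sub("", raw.rstrip())
        if m := _BUG.search(line):
            fields.update(bug=m[1], function=m[2], location=m[3])
        elif m := _ACCESS.search(line):
            fields.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4])
        elif m := _OBJECT.search(line):
            fields["object"] = int(m[1], 16)
        elif m := _CACHE.search(line):
            fields.update(cache=m[1], slab_size=int(m[2]))
        elif m := _INSIDE.search(line):
            fields["reported_offset"] = int(m[1])
        elif m := _SHADOW.match(line):
            rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]

    offset = fields["addr"] - fields["object"]
    object_size = _accessible_bytes(rows, fields["object"])
    end = offset + fields["size"]
    return Triage(
        bug=fields["bug"], function=fields["function"], location=fields["location"],
        access=fields["access"], size=fields["size"], task=fields["task"],
        cache=fields["cache"], slab_size=fields["slab_size"],
        offset=offset, object_size=object_size,
        overflow=max(0, end - object_size),
        within_slot=end <= fields["slab_size"],
        consistent=fields.get("reported_offset", offset) == offset,
    )


if __name__ == "__main__":
    for key, value in asdict(triage(KASAN_REPORT)).items():
        print(f"{key:>12}: {value}")
```

The object_size it derives (208) is smaller than the cache size (256) because kmalloc-256 only tells you the slot size; the shadow rows are the only place the report records the object's real extent, and they are what decide whether a given access is an overflow at all.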


