Message-ID: <E610CF02-C917-4D82-9C1C-E7B94414D6BD@psu.edu>
Date: Mon, 1 Apr 2024 17:02:57 +0000
From: "Bai, Shuangpeng" <sjb7183@....edu>
To: "Bai, Shuangpeng" <sjb7183@....edu>, "davem@...emloft.net"
	<davem@...emloft.net>, "edumazet@...gle.com" <edumazet@...gle.com>,
	"kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: Re: KASAN: slab-out-of-bounds in sock_sendmsg

Dear Maintainers,

I hope you're well. I'm reaching out to inquire about any progress made regarding the kernel vulnerability report we submitted several months ago. Any updates you can provide would be greatly appreciated.

Thank you for your attention to this matter.

Best regards,
Shuangpeng Bai

> On Nov 13, 2023, at 23:36, Bai, Shuangpeng <sjb7183@....edu> wrote:
>
> reproducer and config:
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/E2642A4E-6E00-47AA-AFF7-8A1B1C36481A%40psu.edu.
> <repro.c><.config>
>
>> On Nov 13, 2023, at 23:27, sjb7183 <sjb7183@....edu> wrote:
>>
>> Hi Kernel Maintainers,
>>
>> Our tool found a new kernel bug KASAN: slab-out-of-bounds in sock_sendmsg. Please see the details below.
>>
>>
>> Kernel commit: v6.1.62 (recent longterm)
>> Kernel config: attachment
>> C/Syz reproducer: attachment
>>
>
>>
>> [  112.531454][ T6474] ==================================================================
>> [ 112.532297][ T6474] BUG: KASAN: slab-out-of-bounds in sock_sendmsg (net/socket.c:747)
>> [  112.532942][ T6474] Read of size 74 at addr ffff88807dacba88 by task a.out/6474
>> [  112.533574][ T6474]
>> [  112.533783][ T6474] CPU: 0 PID: 6474 Comm: a.out Not tainted 6.1.62 #7
>> [  112.534356][ T6474] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>> [  112.535127][ T6474] Call Trace:
>> [  112.535431][ T6474]  <TASK>
>> [ 112.535699][ T6474] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
>> [ 112.536109][ T6474] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
>> [ 112.536515][ T6474] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
>> [ 112.536927][ T6474] ? sock_sendmsg (net/socket.c:747)
>> [ 112.537342][ T6474] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
>> [ 112.537751][ T6474] ? sock_sendmsg (net/socket.c:747)
>> [ 112.538165][ T6474] kasan_check_range (mm/kasan/generic.c:190)
>> [ 112.538615][ T6474] memcpy (mm/kasan/shadow.c:65)
>> [ 112.538977][ T6474] sock_sendmsg (net/socket.c:747)
>> [ 112.539383][ T6474] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:323 arch/x86/kernel/unwind_orc.c:318)
>> [ 112.539883][ T6474] ? sock_write_iter (net/socket.c:740)
>> [ 112.540324][ T6474] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:543 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:186 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
>> [ 112.540820][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161)
>> [ 112.541254][ T6474] ? iov_iter_kvec (lib/iov_iter.c:1001 (discriminator 3))
>> [ 112.541683][ T6474] ? kernel_sendmsg (net/socket.c:773)
>> [ 112.542105][ T6474] rxrpc_send_abort_packet (net/rxrpc/output.c:336)
>> [ 112.542583][ T6474] ? rxrpc_send_ack_packet (net/rxrpc/output.c:287)
>> [ 112.543071][ T6474] ? kasan_save_stack (mm/kasan/common.c:46)
>> [ 112.543502][ T6474] ? do_exit (kernel/exit.c:866)
>> [ 112.543899][ T6474] ? do_group_exit (kernel/exit.c:1000)
>> [ 112.544326][ T6474] ? __rxrpc_set_call_completion.part.0 (net/rxrpc/recvmsg.c:80)
>> [ 112.544904][ T6474] ? __rxrpc_abort_call (net/rxrpc/recvmsg.c:127)
>> [ 112.545365][ T6474] ? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:403)
>> [ 112.545833][ T6474] rxrpc_release_calls_on_socket (net/rxrpc/call_object.c:611)
>> [ 112.546362][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161)
>> [ 112.546796][ T6474] rxrpc_release (net/rxrpc/af_rxrpc.c:887 net/rxrpc/af_rxrpc.c:917)
>> [ 112.547208][ T6474] __sock_release (net/socket.c:653)
>> [ 112.547632][ T6474] sock_close (net/socket.c:1389)
>> [ 112.548076][ T6474] __fput (fs/file_table.c:321)
>> [ 112.548439][ T6474] ? __sock_release (net/socket.c:1386)
>> [ 112.548871][ T6474] task_work_run (kernel/task_work.c:180 (discriminator 1))
>> [ 112.549286][ T6474] ? task_work_cancel (kernel/task_work.c:147)
>> [ 112.549720][ T6474] do_exit (kernel/exit.c:870)
>> [ 112.550098][ T6474] ? mm_update_next_owner (kernel/exit.c:806)
>> [ 112.550579][ T6474] ? _raw_spin_lock (kernel/locking/spinlock.c:169)
>> [ 112.551010][ T6474] ? zap_other_threads (kernel/signal.c:1386)
>> [ 112.551474][ T6474] do_group_exit (kernel/exit.c:1000)
>> [ 112.551896][ T6474] __x64_sys_exit_group (kernel/exit.c:1028)
>> [ 112.552355][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
>> [ 112.552755][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>> [  112.553274][ T6474] RIP: 0033:0x7f4595393146
>> [ 112.553669][ T6474] Code: Unable to access opcode bytes at 0x7f459539311c.
>>
>> Code starting with the faulting instruction
>> ===========================================
>> [  112.554264][ T6474] RSP: 002b:00007fff14cbd758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> [  112.554977][ T6474] RAX: ffffffffffffffda RBX: 00007f45954988a0 RCX: 00007f4595393146
>> [  112.555663][ T6474] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
>> [  112.556336][ T6474] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
>> [  112.557015][ T6474] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f45954988a0
>> [  112.557679][ T6474] R13: 0000000000000001 R14: 00007f45954a12e8 R15: 0000000000000000
>> [  112.558365][ T6474]  </TASK>
>> [  112.558642][ T6474]
>> [  112.558856][ T6474] Allocated by task 6474:
>> [ 112.559228][ T6474] kasan_save_stack (mm/kasan/common.c:46)
>> [ 112.559657][ T6474] kasan_set_track (mm/kasan/common.c:52)
>> [ 112.560063][ T6474] __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:333 mm/kasan/common.c:383)
>> [ 112.560477][ T6474] rxrpc_alloc_peer (net/rxrpc/peer_object.c:218)
>> [ 112.560897][ T6474] rxrpc_lookup_peer (net/rxrpc/peer_object.c:293 net/rxrpc/peer_object.c:352)
>> [ 112.561314][ T6474] rxrpc_connect_call (net/rxrpc/conn_client.c:366 net/rxrpc/conn_client.c:716)
>> [ 112.561742][ T6474] rxrpc_new_client_call (net/rxrpc/call_object.c:353)
>> [ 112.562200][ T6474] rxrpc_do_sendmsg (net/rxrpc/sendmsg.c:636 net/rxrpc/sendmsg.c:686)
>> [ 112.562628][ T6474] rxrpc_sendmsg (net/rxrpc/af_rxrpc.c:561)
>> [ 112.563034][ T6474] __sock_sendmsg (net/socket.c:719 net/socket.c:728)
>> [ 112.563442][ T6474] ____sys_sendmsg (net/socket.c:2499)
>> [ 112.563877][ T6474] ___sys_sendmsg (net/socket.c:2555)
>> [ 112.564304][ T6474] __sys_sendmsg (net/socket.c:2584)
>> [ 112.564718][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
>> [ 112.565125][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>> [  112.565646][ T6474]
>> [  112.565860][ T6474] The buggy address belongs to the object at ffff88807dacba00
>> [  112.565860][ T6474]  which belongs to the cache kmalloc-256 of size 256
>> [  112.567034][ T6474] The buggy address is located 136 bytes inside of
>> [  112.567034][ T6474]  256-byte region [ffff88807dacba00, ffff88807dacbb00)
>> [  112.568174][ T6474]
>> [  112.568381][ T6474] The buggy address belongs to the physical page:
>> [  112.568919][ T6474] page:ffffea0001f6b280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7daca
>> [  112.569777][ T6474] head:ffffea0001f6b280 order:1 compound_mapcount:0 compound_pincount:0
>> [  112.570472][ T6474] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
>> [  112.571160][ T6474] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800fc41b40
>> [  112.571863][ T6474] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
>> [  112.572588][ T6474] page dumped because: kasan: bad access detected
>> [  112.573105][ T6474] page_owner tracks the page as allocated
>> [  112.573584][ T6474] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEM1
>> [ 112.575352][ T6474] post_alloc_hook (./include/linux/page_owner.h:31 mm/page_alloc.c:2513)
>> [ 112.575797][ T6474] get_page_from_freelist (mm/page_alloc.c:2531 mm/page_alloc.c:4279)
>> [ 112.576286][ T6474] __alloc_pages (mm/page_alloc.c:5546)
>> [ 112.576710][ T6474] alloc_pages (mm/mempolicy.c:2282)
>> [ 112.577103][ T6474] allocate_slab (mm/slub.c:1798 mm/slub.c:1939)
>> [ 112.577503][ T6474] ___slab_alloc (mm/slub.c:3181)
>> [ 112.577906][ T6474] __slab_alloc.constprop.0 (mm/slub.c:3279)
>> [ 112.578369][ T6474] __kmem_cache_alloc_node (mm/slub.c:3364 mm/slub.c:3437)
>> [ 112.578840][ T6474] kmalloc_trace (mm/slab_common.c:1048)
>> [ 112.579228][ T6474] inode_doinit_use_xattr (security/selinux/hooks.c:1317)
>> [ 112.580483][ T6474] inode_doinit_with_dentry (security/selinux/hooks.c:1509)
>> [ 112.580964][ T6474] selinux_d_instantiate (security/selinux/hooks.c:6357)
>> [ 112.581412][ T6474] security_d_instantiate (security/security.c:2078 (discriminator 11))
>> [ 112.581861][ T6474] d_splice_alias (./include/linux/spinlock.h:350 fs/dcache.c:3147)
>> [ 112.582267][ T6474] kernfs_iop_lookup (fs/kernfs/dir.c:1181)
>> [ 112.582701][ T6474] __lookup_slow (./include/linux/dcache.h:359 ./include/linux/dcache.h:364 fs/namei.c:1687)
>> [  112.583115][ T6474] page last free stack trace:
>> [ 112.583528][ T6474] free_pcp_prepare (./include/linux/page_owner.h:24 mm/page_alloc.c:1440 mm/page_alloc.c:1490)
>> [ 112.583967][ T6474] free_unref_page (mm/page_alloc.c:3358 mm/page_alloc.c:3453)
>> [ 112.584385][ T6474] free_contig_range (mm/page_alloc.c:9501)
>> [ 112.584823][ T6474] destroy_args (mm/debug_vm_pgtable.c:1031)
>> [ 112.585225][ T6474] debug_vm_pgtable (mm/debug_vm_pgtable.c:1355)
>> [ 112.585658][ T6474] do_one_initcall (init/main.c:1292)
>> [ 112.586059][ T6474] kernel_init_freeable (init/main.c:1364 init/main.c:1381 init/main.c:1400 init/main.c:1620)
>> [ 112.586507][ T6474] kernel_init (init/main.c:1510)
>> [ 112.586891][ T6474] ret_from_fork (arch/x86/entry/entry_64.S:312)
>> [  112.587283][ T6474]
>> [  112.587491][ T6474] Memory state around the buggy address:
>> [  112.587971][ T6474]  ffff88807dacb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [  112.588653][ T6474]  ffff88807dacba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  112.589346][ T6474] >ffff88807dacba80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>> [  112.590031][ T6474]                                                  ^
>> [  112.590603][ T6474]  ffff88807dacbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [  112.591289][ T6474]  ffff88807dacbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [  112.591954][ T6474] ==================================================================
>> [  112.595224][ T6474] Kernel panic - not syncing: KASAN: panic_on_warn set ...
>> [  112.595872][ T6474] CPU: 1 PID: 6474 Comm: a.out Not tainted 6.1.62 #7
>> [  112.596457][ T6474] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>> [  112.597243][ T6474] Call Trace:
>> [  112.597529][ T6474]  <TASK>
>> [ 112.597779][ T6474] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
>> [ 112.598169][ T6474] panic (kernel/panic.c:357)
>> [ 112.598511][ T6474] ? panic_print_sys_info.part.0 (kernel/panic.c:276)
>> [ 112.598997][ T6474] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:34)
>> [ 112.599482][ T6474] ? preempt_schedule_common (./arch/x86/include/asm/bitops.h:207 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/thread_info.h:118 ./include/linux/sched.h:2231 kernel/sched/core.c:6731)
>> [ 112.599957][ T6474] check_panic_on_warn.cold (kernel/panic.c:239)
>> [ 112.600425][ T6474] end_report.part.0 (mm/kasan/report.c:169)
>> [ 112.600850][ T6474] ? sock_sendmsg (net/socket.c:747)
>> [ 112.601264][ T6474] kasan_report.cold (./include/linux/cpumask.h:110 mm/kasan/report.c:497)
>> [ 112.601678][ T6474] ? sock_sendmsg (net/socket.c:747)
>> [ 112.602100][ T6474] kasan_check_range (mm/kasan/generic.c:190)
>> [ 112.602539][ T6474] memcpy (mm/kasan/shadow.c:65)
>> [ 112.602889][ T6474] sock_sendmsg (net/socket.c:747)
>> [ 112.603286][ T6474] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:323 arch/x86/kernel/unwind_orc.c:318)
>> [ 112.603778][ T6474] ? sock_write_iter (net/socket.c:740)
>> [ 112.604214][ T6474] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:202 ./include/linux/atomic/atomic-instrumented.h:543 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:186 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
>> [ 112.604659][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161)
>> [ 112.605089][ T6474] ? iov_iter_kvec (lib/iov_iter.c:1001 (discriminator 3))
>> [ 112.605507][ T6474] ? kernel_sendmsg (net/socket.c:773)
>> [ 112.605934][ T6474] rxrpc_send_abort_packet (net/rxrpc/output.c:336)
>> [ 112.606423][ T6474] ? rxrpc_send_ack_packet (net/rxrpc/output.c:287)
>> [ 112.606908][ T6474] ? kasan_save_stack (mm/kasan/common.c:46)
>> [ 112.607324][ T6474] ? do_exit (kernel/exit.c:866)
>> [ 112.607715][ T6474] ? do_group_exit (kernel/exit.c:1000)
>> [ 112.608135][ T6474] ? __rxrpc_set_call_completion.part.0 (net/rxrpc/recvmsg.c:80)
>> [ 112.608702][ T6474] ? __rxrpc_abort_call (net/rxrpc/recvmsg.c:127)
>> [ 112.609160][ T6474] ? __local_bh_enable_ip (./arch/x86/include/asm/preempt.h:103 kernel/softirq.c:403)
>> [ 112.609636][ T6474] rxrpc_release_calls_on_socket (net/rxrpc/call_object.c:611)
>> [ 112.610157][ T6474] ? __lock_text_start (kernel/locking/spinlock.c:161)
>> [ 112.610590][ T6474] rxrpc_release (net/rxrpc/af_rxrpc.c:887 net/rxrpc/af_rxrpc.c:917)
>> [ 112.610985][ T6474] __sock_release (net/socket.c:653)
>> [ 112.611384][ T6474] sock_close (net/socket.c:1389)
>> [ 112.611745][ T6474] __fput (fs/file_table.c:321)
>> [ 112.612091][ T6474] ? __sock_release (net/socket.c:1386)
>> [ 112.612528][ T6474] task_work_run (kernel/task_work.c:180 (discriminator 1))
>> [ 112.612948][ T6474] ? task_work_cancel (kernel/task_work.c:147)
>> [ 112.613386][ T6474] do_exit (kernel/exit.c:870)
>> [ 112.613761][ T6474] ? mm_update_next_owner (kernel/exit.c:806)
>> [ 112.614229][ T6474] ? _raw_spin_lock (kernel/locking/spinlock.c:169)
>> [ 112.614661][ T6474] ? zap_other_threads (kernel/signal.c:1386)
>> [ 112.615120][ T6474] do_group_exit (kernel/exit.c:1000)
>> [ 112.615535][ T6474] __x64_sys_exit_group (kernel/exit.c:1028)
>> [ 112.616003][ T6474] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
>> [ 112.616408][ T6474] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>> [  112.616936][ T6474] RIP: 0033:0x7f4595393146
>> [ 112.617334][ T6474] Code: Unable to access opcode bytes at 0x7f459539311c.
>>
>> Code starting with the faulting instruction
>> ===========================================
>> [  112.617905][ T6474] RSP: 002b:00007fff14cbd758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> [  112.618619][ T6474] RAX: ffffffffffffffda RBX: 00007f45954988a0 RCX: 00007f4595393146
>> [  112.619315][ T6474] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
>> [  112.619980][ T6474] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
>> [  112.620655][ T6474] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f45954988a0
>> [  112.621295][ T6474] R13: 0000000000000001 R14: 00007f45954a12e8 R15: 0000000000000000
>> [  112.621951][ T6474]  </TASK>
>> [  112.622323][ T6474] Kernel Offset: disabled
>> [  112.622694][ T6474] Rebooting in 86400 seconds..
>>
>>
>>
>> Best,
>> Shuangpeng
>>
>>
>



Download attachment "repro.c" of type "application/octet-stream" (2263 bytes)

Download attachment "k.config" of type "application/octet-stream" (247848 bytes)
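A worked reading of the numbers in the report above, added here by the editor; it is not code from the reporter, from syzkaller or from the rxrpc project. KASAN files the peer object under kmalloc-256, but the "Memory state" rows show only 208 bytes of that object addressable (0x00 shadow bytes) before the 0xfc slab redzone begins at ffff88807dacbad0, and the 74-byte read that starts 136 bytes in ends at ffff88807dacbad2, two bytes past it. The script parses the report lines (copied into the block as a constructed excerpt, mail quoting and printk prefix left in so the cleanup step is visible) and computes that overrun from the shadow map rather than from the cache size. It assumes generic KASAN with 8-byte granules, which matches the mm/kasan/generic.c frames in the trace; the function and variable names are the editor's.

```python
import re

# Generic KASAN: one shadow byte describes 8 bytes of kernel memory.
KASAN_GRANULE = 8

# Constructed excerpt: the relevant lines of the report in this thread,
# with the '>> ' mail quoting and the '[ time][ Tpid]' printk prefix kept.
REPORT = """\
>> [  112.532942][ T6474] Read of size 74 at addr ffff88807dacba88 by task a.out/6474
>> [  112.565860][ T6474] The buggy address belongs to the object at ffff88807dacba00
>> [  112.565860][ T6474]  which belongs to the cache kmalloc-256 of size 256
>> [  112.567034][ T6474] The buggy address is located 136 bytes inside of
>> [  112.567034][ T6474]  256-byte region [ffff88807dacba00, ffff88807dacbb00)
>> [  112.587491][ T6474] Memory state around the buggy address:
>> [  112.587971][ T6474]  ffff88807dacb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [  112.588653][ T6474]  ffff88807dacba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  112.589346][ T6474] >ffff88807dacba80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>> [  112.590031][ T6474]                                                  ^
>> [  112.590603][ T6474]  ffff88807dacbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [  112.591289][ T6474]  ffff88807dacbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Quote marks ('>> ') and the printk '[ seconds][ Tpid]' prefix.
PREFIX_RE = re.compile(r"^(?:>+\s+)?(?:\[\s*\d+\.\d+\]\[\s*T\d+\]\s?)?")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"cache (\S+) of size (\d+)")
# One shadow row: optional '>' marker, 16-hex-digit address, 16 shadow bytes.
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2})+)\s*$")


def strip_prefix(line):
    """Drop mail quoting and the printk prefix from one report line."""
    return PREFIX_RE.sub("", line.rstrip("\n"))


def parse_kasan_report(text):
    """Return (access, shadow): what was accessed, and {address: shadow byte}."""
    access, shadow = {}, {}
    for raw in text.splitlines():
        line = strip_prefix(raw)
        m = ACCESS_RE.search(line)
        if m:
            access["kind"], access["size"], access["addr"] = m[1], int(m[2]), int(m[3], 16)
        m = OBJECT_RE.search(line)
        if m:
            access["object"] = int(m[1], 16)
        m = CACHE_RE.search(line)
        if m:
            access["cache"], access["cache_size"] = m[1], int(m[2])
        m = SHADOW_RE.match(line)
        if m:
            base = int(m[1], 16)
            for i, byte in enumerate(m[2].split()):
                shadow[base + i * KASAN_GRANULE] = int(byte, 16)
    return access, shadow


def object_extent(shadow, object_addr):
    """Walk forward from the object start while granules are fully addressable (0x00).

    A shadow value of 1..7 means only that many leading bytes of the granule are
    addressable; anything else (0xfc redzone, 0xfb freed, ...) ends the object.
    """
    end = object_addr
    while shadow.get(end) == 0x00:
        end += KASAN_GRANULE
    partial = shadow.get(end, 0)
    if 0 < partial < KASAN_GRANULE:
        end += partial
    return end


def triage(text):
    """Summarise the access against the object's real (shadow-derived) size."""
    access, shadow = parse_kasan_report(text)
    usable_end = object_extent(shadow, access["object"])
    access_end = access["addr"] + access["size"]
    return {
        "kind": access["kind"],
        "cache": access["cache"],
        "cache_size": access["cache_size"],
        "offset": access["addr"] - access["object"],
        "usable_size": usable_end - access["object"],
        "access_size": access["size"],
        "overrun": max(0, access_end - usable_end),
    }


if __name__ == "__main__":
    r = triage(REPORT)
    print(f"{r['kind']} of {r['access_size']} bytes at offset {r['offset']} "
          f"into a {r['usable_size']}-byte object (cache {r['cache']}, "
          f"slot {r['cache_size']}): overruns by {r['overrun']} byte(s)")
```

The point of reading the shadow rows instead of the "256-byte region" line is that SLUB places a 208-byte allocation in the 256-byte slot, so an access can be well inside the slot and still be out of bounds; here the overrun is only 2 bytes, which is why the caret in the report sits under the first 0xfc shadow byte rather than under the start of the read.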
