BUG: bad usercopy in bpf_test_finish


syzbot

Apr 10, 2019, 8:00:21 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 47350a9f ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=16b0a4e1400000
kernel config: https://syzkaller.appspot.com/x/.config?x=10d236078f3378a3
dashboard link: https://syzkaller.appspot.com/bug?extid=e66c653e09028663e541
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12b1f4b6400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15db9dfe400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e66c65...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
usercopy: kernel memory exposure attempt detected from ffff8801cbe5fff2 (kmalloc-4096) (57692 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 1835 Comm: syz-executor557 Not tainted 4.14.67+ #1
task: ffff8801d5c7de00 task.stack: ffff8801cbf58000
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x311/0x3a2 mm/usercopy.c:264
RSP: 0018:ffff8801cbf5fb58 EFLAGS: 00010282
RAX: 0000000000000064 RBX: 000000000000e15c RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff83069c00 RDI: ffffffff84bce3a0
RBP: ffff8801cbe5fff2 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff830bfbe0
R13: 0000000000000001 R14: ffffffff830bfba0 R15: ffffea00072f9600
FS: 000000000120b940(0000) GS:ffff8801dbb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562e60ae10e0 CR3: 00000001d10c6003 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:108 [inline]
check_copy_size include/linux/thread_info.h:139 [inline]
copy_to_user include/linux/uaccess.h:154 [inline]
bpf_test_finish.isra.0+0xba/0x190 net/bpf/test_run.c:59
bpf_prog_test_run_skb+0x4d0/0x8c0 net/bpf/test_run.c:144
bpf_prog_test_run kernel/bpf/syscall.c:1330 [inline]
SYSC_bpf kernel/bpf/syscall.c:1602 [inline]
SyS_bpf+0x79d/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440bc9
RSP: 002b:00007ffe5b11d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffe5b11d030 RCX: 0000000000440bc9
RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
RBP: 0000000000000000 R08: 00000000004009ae R09: 00000000004009ae
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402450
R13: 00000000004024e0 R14: 0000000000000000 R15: 0000000000000000
Code: fb 0b 83 4c 0f 45 e2 e8 be d6 db ff 48 8b 04 24 49 89 d9 48 89 e9 4c 89 f2 4c 89 e6 48 c7 c7 20 fc 0b 83 49 89 c0 e8 5a 1b cd ff <0f> 0b 4c 89 ff e8 55 cf fd ff e9 09 fe ff ff 4c 89 ff e8 48 cf
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801cbf5fb58
RIP: __check_object_size+0x311/0x3a2 mm/usercopy.c:264 RSP: ffff8801cbf5fb58
---[ end trace e012b703a07e15e3 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
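The trace above is CONFIG_HARDENED_USERCOPY refusing a copy_to_user() whose length exceeds the slab object it reads from: the source pointer ffff8801cbe5fff2 (also in RBP) and the length 57692 (0xe15c, also in RBX) are taken from the log, and the object is a kmalloc-4096 allocation. The following is an added example, not code from the report or from the kernel tree: a user-space model of the heap-object bounds check that mm/usercopy.c performs, replayed with the reported numbers and applied to a real buffer in the guarded-copy pattern. The one assumption not stated in the report is that the kmalloc-4096 object starts on the page boundary below the pointer; the report does not say why the copy length grew to 57692, and the example does not guess.

```c
/*
 * Added example, not from the syzbot report or the kernel tree: a
 * user-space model of the heap-object bounds check that
 * CONFIG_HARDENED_USERCOPY runs before copy_to_user() (the check whose
 * BUG fired in __check_object_size in the trace above).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096ULL

/* A slab object as the check sees it: where it starts and how big it is. */
struct heap_obj {
    uint64_t base;  /* first byte of the object */
    uint64_t size;  /* object size, e.g. 4096 for a kmalloc-4096 object */
};

/*
 * Number of bytes a copy of n bytes starting at ptr would read beyond
 * the end of obj; 0 means the copy stays inside the object. A pointer
 * outside the object is treated as exposing all n bytes.
 */
uint64_t usercopy_overrun(const struct heap_obj *obj, uint64_t ptr, uint64_t n)
{
    uint64_t end = obj->base + obj->size;

    if (ptr < obj->base || ptr >= end)
        return n;
    uint64_t avail = end - ptr;
    return n > avail ? n - avail : 0;
}

/*
 * The guarded copy pattern: refuse (stand-in for -EFAULT) instead of
 * leaking the memory adjacent to the object. For real in-process buffers.
 */
int checked_copy(void *dst, const struct heap_obj *obj, const void *src, uint64_t n)
{
    if (usercopy_overrun(obj, (uint64_t)(uintptr_t)src, n))
        return -1;
    memcpy(dst, src, (size_t)n);
    return 0;
}

/*
 * Replay the numbers from the report: source pointer ffff8801cbe5fff2
 * (also in RBP), length 57692 = 0xe15c (also in RBX), slab kmalloc-4096.
 * Assumption (mine, not stated in the report): the kmalloc-4096 object
 * starts at the page boundary below the pointer.
 */
uint64_t reported_overrun(void)
{
    const uint64_t ptr = 0xffff8801cbe5fff2ULL;
    struct heap_obj obj = { .base = ptr & ~(PAGE_SZ - 1), .size = PAGE_SZ };

    return usercopy_overrun(&obj, ptr, 57692);
}

/*
 * Same shape with a real 4096-byte buffer (constructed here): a copy of
 * 57692 bytes from offset 0xff2 is refused, a copy of the 14 bytes that
 * remain in the object is allowed. Returns 1 when both outcomes match.
 */
int demo_checked_copy(void)
{
    unsigned char *slab = malloc(PAGE_SZ);
    unsigned char out[64];
    int ok;

    if (!slab)
        return 0;
    memset(slab, 0x41, PAGE_SZ);
    struct heap_obj obj = { .base = (uint64_t)(uintptr_t)slab, .size = PAGE_SZ };

    ok = checked_copy(out, &obj, slab + 0xff2, 57692) == -1 &&
         checked_copy(out, &obj, slab + 0xff2, 14) == 0 &&
         out[0] == 0x41;
    free(slab);
    return ok;
}

int main(void)
{
    printf("reported copy overruns its kmalloc-4096 object by %llu bytes\n",
           (unsigned long long)reported_overrun());
    printf("guarded copy demo: %s\n", demo_checked_copy() ? "ok" : "FAILED");
    return 0;
}
```

With the page-aligned assumption, only 14 bytes of the object lie at or after the reported pointer, so the requested 57692-byte copy would have read 57678 bytes of whatever followed the object had the hardened-usercopy check not been compiled in; the BUG at mm/usercopy.c:72 is that check aborting the task instead.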