UBSAN: array-index-out-of-bounds in arch_uprobe_analyze_insn
33 views
Skip to first unread message
syzbot
Sep 20, 2020, 7:02:15āÆPM9/20/20
to b...@alien8.de, gusta...@kernel.org, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, wang...@zte.com.cn, x...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1195f481900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in arch/x86/kernel/uprobes.c:263:56
index 4 is out of range for type 'insn_byte_t [4]'
CPU: 1 PID: 22315 Comm: syz-executor.4 Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
is_prefix_bad arch/x86/kernel/uprobes.c:263 [inline]
uprobe_init_insn arch/x86/kernel/uprobes.c:286 [inline]
arch_uprobe_analyze_insn+0x8f4/0xa40 arch/x86/kernel/uprobes.c:856
prepare_uprobe kernel/events/uprobes.c:860 [inline]
install_breakpoint.isra.0+0x6c4/0x7c0 kernel/events/uprobes.c:903
uprobe_mmap+0x5ec/0x1080 kernel/events/uprobes.c:1394
mmap_region+0x5cf/0x1780 mm/mmap.c:1839
do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
vm_mmap_pgoff+0x195/0x200 mm/util.c:506
ksys_mmap_pgoff+0x444/0x580 mm/mmap.c:1596
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8e919bcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000020f80 RCX: 000000000045d5f9
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020007000
RBP: 000000000118cf98 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000412 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe8fbd4c5f R14: 00007f8e919bd9c0 R15: 000000000118cf4c
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1195f481900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in arch/x86/kernel/uprobes.c:263:56
index 4 is out of range for type 'insn_byte_t [4]'
CPU: 1 PID: 22315 Comm: syz-executor.4 Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
is_prefix_bad arch/x86/kernel/uprobes.c:263 [inline]
uprobe_init_insn arch/x86/kernel/uprobes.c:286 [inline]
arch_uprobe_analyze_insn+0x8f4/0xa40 arch/x86/kernel/uprobes.c:856
prepare_uprobe kernel/events/uprobes.c:860 [inline]
install_breakpoint.isra.0+0x6c4/0x7c0 kernel/events/uprobes.c:903
uprobe_mmap+0x5ec/0x1080 kernel/events/uprobes.c:1394
mmap_region+0x5cf/0x1780 mm/mmap.c:1839
do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
vm_mmap_pgoff+0x195/0x200 mm/util.c:506
ksys_mmap_pgoff+0x444/0x580 mm/mmap.c:1596
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8e919bcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000020f80 RCX: 000000000045d5f9
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020007000
RBP: 000000000118cf98 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000412 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe8fbd4c5f R14: 00007f8e919bd9c0 R15: 000000000118cf4c
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 20, 2020, 8:13:27āÆPM9/20/20
to b...@alien8.de, gusta...@kernel.org, h...@zytor.com, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, wang...@zte.com.cn, x...@kernel.org
syzbot has found a reproducer for the following issue on:
HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e69c03900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in arch/x86/kernel/uprobes.c:263:56
index 4 is out of range for type 'insn_byte_t [4]'
CPU: 0 PID: 6870 Comm: syz-executor876 Not tainted 5.9.0-rc5-syzkaller #0
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc6ed13058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
R10: 0000000000000412 R11: 0000000000000246 R12: 0000000000401b80
R13: 0000000000401c10 R14: 0000000000000000 R15: 0000000000000000
================================================================================
HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1573a8ad900000
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in arch/x86/kernel/uprobes.c:263:56
index 4 is out of range for type 'insn_byte_t [4]'
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
is_prefix_bad arch/x86/kernel/uprobes.c:263 [inline]
uprobe_init_insn arch/x86/kernel/uprobes.c:286 [inline]
arch_uprobe_analyze_insn+0x8f4/0xa40 arch/x86/kernel/uprobes.c:856
prepare_uprobe kernel/events/uprobes.c:860 [inline]
install_breakpoint.isra.0+0x6c4/0x7c0 kernel/events/uprobes.c:903
uprobe_mmap+0x5ec/0x1080 kernel/events/uprobes.c:1394
mmap_region+0x5cf/0x1780 mm/mmap.c:1839
do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
vm_mmap_pgoff+0x195/0x200 mm/util.c:506
ksys_mmap_pgoff+0x444/0x580 mm/mmap.c:1596
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440379
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
is_prefix_bad arch/x86/kernel/uprobes.c:263 [inline]
uprobe_init_insn arch/x86/kernel/uprobes.c:286 [inline]
arch_uprobe_analyze_insn+0x8f4/0xa40 arch/x86/kernel/uprobes.c:856
prepare_uprobe kernel/events/uprobes.c:860 [inline]
install_breakpoint.isra.0+0x6c4/0x7c0 kernel/events/uprobes.c:903
uprobe_mmap+0x5ec/0x1080 kernel/events/uprobes.c:1394
mmap_region+0x5cf/0x1780 mm/mmap.c:1839
do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
vm_mmap_pgoff+0x195/0x200 mm/util.c:506
ksys_mmap_pgoff+0x444/0x580 mm/mmap.c:1596
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc6ed13058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020007000
RBP: 00000000006ca018 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000412 R11: 0000000000000246 R12: 0000000000401b80
R13: 0000000000401c10 R14: 0000000000000000 R15: 0000000000000000
================================================================================
syzbot
Sep 22, 2020, 12:20:08āÆAM9/22/20
to ak...@linux-foundation.org, b...@alien8.de, core...@netfilter.org, da...@davemloft.net, gusta...@kernel.org, h...@zytor.com, john....@linaro.org, ka...@trash.net, kad...@blackhole.kfki.hu, kees...@chromium.org, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, tg...@linutronix.de, torv...@linux-foundation.org, wang...@zte.com.cn, x...@kernel.org
syzbot has bisected this issue to:
commit 4b2bd5fec007a4fd3fc82474b9199af25013de4c
Author: John Stultz <john....@linaro.org>
Date: Sat Oct 8 00:02:33 2016 +0000
proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1697348d900000
start commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1597348d900000
console output: https://syzkaller.appspot.com/x/log.txt?x=1197348d900000
Fixes: 4b2bd5fec007 ("proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 4b2bd5fec007a4fd3fc82474b9199af25013de4c
Author: John Stultz <john....@linaro.org>
Date: Sat Oct 8 00:02:33 2016 +0000
proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1697348d900000
start commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1597348d900000
console output: https://syzkaller.appspot.com/x/log.txt?x=1197348d900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1573a8ad900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
Fixes: 4b2bd5fec007 ("proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Kees Cook
Dec 1, 2020, 7:48:58āÆPM12/1/20
to Masami Hiramatsu, Srikar Dronamraju, Ricardo Neri, ak...@linux-foundation.org, b...@alien8.de, core...@netfilter.org, syzbot, da...@davemloft.net, gusta...@kernel.org, h...@zytor.com, john....@linaro.org, ka...@trash.net, kad...@blackhole.kfki.hu, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, tg...@linutronix.de, torv...@linux-foundation.org, wang...@zte.com.cn, x...@kernel.org
Hi,
There appears to be a problem with prefix counting for the instruction
decoder. It looks like insn_get_prefixes() isn't keeping "nb" and "nbytes"
in sync correctly:
while (inat_is_legacy_prefix(attr)) {
/* Skip if same prefix */
for (i = 0; i < nb; i++)
if (prefixes->bytes[i] == b)
goto found;
if (nb == 4)
/* Invalid instruction */
break;
prefixes->bytes[nb++] = b;
...
found:
prefixes->nbytes++;
insn->next_byte++;
lb = b;
b = peek_next(insn_byte_t, insn);
attr = inat_get_opcode_attribute(b);
}
(nbytes is incremented on repeated prefixes, but "nb" isn't)
However, it looks like nbytes is used as an offset:
static inline int insn_offset_rex_prefix(struct insn *insn)
{
return insn->prefixes.nbytes;
}
static inline int insn_offset_vex_prefix(struct insn *insn)
{
return insn_offset_rex_prefix(insn) + insn->rex_prefix.nbytes;
}
Which means everything that iterates over prefixes.bytes[] is buggy,
since they may be trying to read past the end of the array:
$ git grep -A3 -E '< .*prefixes(\.|->)nbytes'
boot/compressed/sev-es.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
boot/compressed/sev-es.c- insn_byte_t p =
insn->prefixes.bytes[i];
boot/compressed/sev-es.c-
boot/compressed/sev-es.c- if (p == 0xf2 || p == 0xf3)
--
kernel/uprobes.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
kernel/uprobes.c- insn_attr_t attr;
kernel/uprobes.c-
kernel/uprobes.c- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
--
kernel/uprobes.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
kernel/uprobes.c- if (insn->prefixes.bytes[i] == 0x66)
kernel/uprobes.c- return -ENOTSUPP;
kernel/uprobes.c- }
--
lib/insn-eval.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
lib/insn-eval.c- insn_byte_t p = insn->prefixes.bytes[i];
lib/insn-eval.c-
lib/insn-eval.c- if (p == 0xf2 || p == 0xf3)
--
lib/insn-eval.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
lib/insn-eval.c- insn_attr_t attr;
lib/insn-eval.c-
lib/insn-eval.c- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
I don't see a clear way to fix this.
-Kees
--
Kees Cook
There appears to be a problem with prefix counting for the instruction
decoder. It looks like insn_get_prefixes() isn't keeping "nb" and "nbytes"
in sync correctly:
while (inat_is_legacy_prefix(attr)) {
/* Skip if same prefix */
for (i = 0; i < nb; i++)
if (prefixes->bytes[i] == b)
goto found;
if (nb == 4)
/* Invalid instruction */
break;
prefixes->bytes[nb++] = b;
...
found:
prefixes->nbytes++;
insn->next_byte++;
lb = b;
b = peek_next(insn_byte_t, insn);
attr = inat_get_opcode_attribute(b);
}
(nbytes is incremented on repeated prefixes, but "nb" isn't)
However, it looks like nbytes is used as an offset:
static inline int insn_offset_rex_prefix(struct insn *insn)
{
return insn->prefixes.nbytes;
}
static inline int insn_offset_vex_prefix(struct insn *insn)
{
return insn_offset_rex_prefix(insn) + insn->rex_prefix.nbytes;
}
Which means everything that iterates over prefixes.bytes[] is buggy,
since they may be trying to read past the end of the array:
$ git grep -A3 -E '< .*prefixes(\.|->)nbytes'
boot/compressed/sev-es.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
boot/compressed/sev-es.c- insn_byte_t p =
insn->prefixes.bytes[i];
boot/compressed/sev-es.c-
boot/compressed/sev-es.c- if (p == 0xf2 || p == 0xf3)
--
kernel/uprobes.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
kernel/uprobes.c- insn_attr_t attr;
kernel/uprobes.c-
kernel/uprobes.c- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
--
kernel/uprobes.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
kernel/uprobes.c- if (insn->prefixes.bytes[i] == 0x66)
kernel/uprobes.c- return -ENOTSUPP;
kernel/uprobes.c- }
--
lib/insn-eval.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
lib/insn-eval.c- insn_byte_t p = insn->prefixes.bytes[i];
lib/insn-eval.c-
lib/insn-eval.c- if (p == 0xf2 || p == 0xf3)
--
lib/insn-eval.c: for (i = 0; i < insn->prefixes.nbytes; i++) {
lib/insn-eval.c- insn_attr_t attr;
lib/insn-eval.c-
lib/insn-eval.c- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
I don't see a clear way to fix this.
-Kees
Kees Cook
Masami Hiramatsu
Dec 2, 2020, 1:13:00āÆAM12/2/20
to Kees Cook, Srikar Dronamraju, Ricardo Neri, ak...@linux-foundation.org, b...@alien8.de, core...@netfilter.org, syzbot, da...@davemloft.net, gusta...@kernel.org, h...@zytor.com, john....@linaro.org, ka...@trash.net, kad...@blackhole.kfki.hu, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, tg...@linutronix.de, torv...@linux-foundation.org, wang...@zte.com.cn, x...@kernel.org
Hi Kees,
Yes, it is designed to do that. nbytes counts how many bytes the prefix is,
and nb is how many bytes of the prefix->bytes consumed.
Since the legacy prefix can be repeated and more than 4 (bytes), we can not
store all of those.
>
> Which means everything that iterates over prefixes.bytes[] is buggy,
> since they may be trying to read past the end of the array:
Good catch! All following usage are wrong...
For the loop, we can check the insn.prefixes.bytes[i] == 0 since
it is initialized by 0 and 0x0 is not a prefix like this.
for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
...
}
Thank you,
>
> -Kees
>
> On Mon, Sep 21, 2020 at 09:20:07PM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 4b2bd5fec007a4fd3fc82474b9199af25013de4c
> > Author: John Stultz <john....@linaro.org>
> > Date: Sat Oct 8 00:02:33 2016 +0000
> >
> > proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1697348d900000
> > start commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
> > git tree: upstream
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=1597348d900000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1197348d900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1573a8ad900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
> >
> > Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
> > Fixes: 4b2bd5fec007 ("proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> --
> Kees Cook
--
Masami Hiramatsu <mhir...@kernel.org>
and nb is how many bytes of the prefix->bytes consumed.
Since the legacy prefix can be repeated and more than 4 (bytes), we can not
store all of those.
>
> Which means everything that iterates over prefixes.bytes[] is buggy,
> since they may be trying to read past the end of the array:
it is initialized by 0 and 0x0 is not a prefix like this.
for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
...
}
Thank you,
>
> -Kees
>
> On Mon, Sep 21, 2020 at 09:20:07PM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 4b2bd5fec007a4fd3fc82474b9199af25013de4c
> > Author: John Stultz <john....@linaro.org>
> > Date: Sat Oct 8 00:02:33 2016 +0000
> >
> > proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1697348d900000
> > start commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
> > git tree: upstream
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=1597348d900000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1197348d900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b12e84189082991c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9b64b619f10f19d19a7c
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1573a8ad900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ee6c5900000
> >
> > Reported-by: syzbot+9b64b6...@syzkaller.appspotmail.com
> > Fixes: 4b2bd5fec007 ("proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> --
> Kees Cook
Masami Hiramatsu <mhir...@kernel.org>
Reply all
Reply to author
Forward
0 new messages