kernel BUG at drivers/android/binder_alloc.c:LINE! (4)


syzbot

Jun 18, 2019, 6:47:11 AM
to ar...@android.com, chri...@brauner.io, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, syzkall...@googlegroups.com, tk...@android.com, tk...@google.com
Hello,

syzbot found the following crash on:

HEAD commit: 9e0babf2 Linux 5.2-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=159e6121a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d16883d6c7f0d717
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae18325f96190606754
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1119e431a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f028c9a00000

The bug was bisected to:

commit bde4a19fc04f5f46298c86b1acb7a4af1d5f138d
Author: Todd Kjos <tk...@android.com>
Date: Fri Feb 8 18:35:20 2019 +0000

binder: use userspace pointer as base of buffer space

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=177250c9a00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=14f250c9a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=10f250c9a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3ae183...@syzkaller.appspotmail.com
Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")

------------[ cut here ]------------
kernel BUG at drivers/android/binder_alloc.c:1130!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8920 Comm: syz-executor933 Not tainted 5.2.0-rc5 #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808b91f4e0 EFLAGS: 00010293
RAX: ffff88809296c200 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808b91f560 R08: ffff88809296c200 R09: 0000000000000008
R10: ffffed1011723f15 R11: ffff88808b91f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000e8 R15: 0000000000000000
FS: 00005555556e5940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008bd57000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
binder_alloc_copy_from_buffer+0x37/0x42 drivers/android/binder_alloc.c:1176
binder_validate_ptr+0xcc/0x1d0 drivers/android/binder.c:2124
binder_transaction+0x2c9c/0x6620 drivers/android/binder.c:3308
binder_thread_write+0x64a/0x2820 drivers/android/binder.c:3794
binder_ioctl_write_read drivers/android/binder.c:4827 [inline]
binder_ioctl+0x102f/0x1833 drivers/android/binder.c:5004
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444a29
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcbcd0fc28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcbcd0fc30 RCX: 0000000000444a29
RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000401310
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402730
R13: 00000000004027c0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 3626e6aef2ad2274 ]---
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808b91f4e0 EFLAGS: 00010293
RAX: ffff88809296c200 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808b91f560 R08: ffff88809296c200 R09: 0000000000000008
R10: ffffed1011723f15 R11: ffff88808b91f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000e8 R15: 0000000000000000
FS: 00005555556e5940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008bd57000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Dan Carpenter

Jun 18, 2019, 8:18:19 AM
to syzbot, ar...@android.com, chri...@brauner.io, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, jo...@joelfernandes.org, linux-...@vger.kernel.org, ma...@android.com, syzkall...@googlegroups.com, tk...@android.com, tk...@google.com
It's weird that binder_alloc_copy_from_buffer() is a void function.
It would be easier to do the error handling at that point, instead of in
the callers. It feels like we keep hitting similar bugs to this.

regards,
dan carpenter

Todd Kjos

Jun 18, 2019, 1:37:24 PM
to Dan Carpenter, syzbot, Arve Hjønnevåg, Christian Brauner, open list:ANDROID DRIVERS, Greg Kroah-Hartman, Joel Fernandes (Google), LKML, Martijn Coenen, syzkaller-bugs, Todd Kjos
On Tue, Jun 18, 2019 at 5:18 AM Dan Carpenter <dan.ca...@oracle.com> wrote:
>
> It's weird that binder_alloc_copy_from_buffer() is a void function.
> It would be easier to do the error handling at that point, instead of in
> the callers. It feels like we keep hitting similar bugs to this.

The idea is that if it is an error that the user can cause, it is
checked by the caller of binder_alloc_copy_from_buffer(). Most uses
are kernel cases where the expected alignments should be fine and it's
a BUG if they are not.

Admittedly, a few cases (like this one) have slipped through since
they cannot happen in Android (syzkaller has been very useful to find
our bad assumptions).

-Todd

>
> regards,
> dan carpenter
>
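The design point raised in the two messages above (Dan's suggestion that the copy helper report errors itself, and Todd's distinction between errors userspace can cause, which every caller must check, and kernel-internal invariants that are a BUG if violated), as an added illustration in C. This is not binder's code and was not posted in this thread: the buffer model, the bounds-plus-4-byte-alignment rule, the MODEL_BUG_ON stand-in for the kernel's BUG() trap, and every function name are assumptions made for the example. The only facts taken from the report are that the crashing helper is in drivers/android/binder_alloc.c and that the caller on the crash path is binder_validate_ptr.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Cut-down model of a transaction buffer (assumption, not binder's struct):
 * a byte range addressed by offsets from its base.
 */
struct tx_buffer {
    const uint8_t *data;   /* kernel view of the buffer contents */
    size_t data_size;      /* bytes available in the buffer */
};

/*
 * Stand-in for the kernel's BUG(): the real one executes an invalid opcode
 * (the "invalid opcode: 0000" line in the report) and kills the task. Here
 * we count the hit and bail out so the program keeps running.
 */
static int bug_hits;
#define MODEL_BUG_ON(cond) do { if (cond) { bug_hits++; return; } } while (0)

/* Modeled invariant: the copy stays inside the buffer and is 4-byte aligned. */
static int copy_range_ok(const struct tx_buffer *b, size_t off, size_t n)
{
    return off <= b->data_size && n <= b->data_size - off && (off % 4) == 0;
}

/*
 * Pattern the report hits: a void helper whose only defence is a BUG. It is
 * correct only if every caller has already validated off and n; a caller
 * that forwards a user-chosen offset turns the invariant check into a
 * reachable kernel crash.
 */
static void copy_from_buffer_void(const struct tx_buffer *b, size_t off,
                                  void *dst, size_t n)
{
    MODEL_BUG_ON(!copy_range_ok(b, off, n));
    memcpy(dst, b->data + off, n);
}

/*
 * Pattern Dan suggests: the helper returns the error and the caller
 * propagates it, so a bad user-supplied offset becomes -EINVAL to the
 * ioctl caller instead of a BUG.
 */
static int copy_from_buffer_checked(const struct tx_buffer *b, size_t off,
                                    void *dst, size_t n)
{
    if (!copy_range_ok(b, off, n))
        return -EINVAL;
    memcpy(dst, b->data + off, n);
    return 0;
}

/*
 * Callers in the style of binder_validate_ptr (hypothetical): user_off comes
 * from the transaction's offsets array, so userspace chooses it.
 */
static int validate_ptr_unchecked(const struct tx_buffer *b, size_t user_off,
                                  uint64_t *out)
{
    copy_from_buffer_void(b, user_off, out, sizeof(*out));
    return 0;   /* nothing to report: the helper either copied or BUGged */
}

static int validate_ptr_checked(const struct tx_buffer *b, size_t user_off,
                                uint64_t *out)
{
    return copy_from_buffer_checked(b, user_off, out, sizeof(*out));
}

/*
 * Drive both callers with one in-range offset and three hostile ones
 * (past the end, an offset that would wrap if added naively, misaligned).
 * Returns the number of BUG hits taken by the void version; the checked
 * version's return codes land in errs[].
 */
static int run_demo(int errs[4])
{
    /* constructed sample buffer: 8 marker bytes, rest zero */
    static const uint8_t payload[16] = { 0x11, 0x22, 0x33, 0x44,
                                         0x55, 0x66, 0x77, 0x88 };
    struct tx_buffer b = { payload, sizeof payload };
    /* constructed "user-controlled" offsets */
    const size_t offs[4] = { 8, 0x1000, SIZE_MAX - 3, 2 };
    uint64_t v = 0;

    bug_hits = 0;
    for (int i = 0; i < 4; i++) {
        validate_ptr_unchecked(&b, offs[i], &v);
        errs[i] = validate_ptr_checked(&b, offs[i], &v);
    }
    return bug_hits;
}

int main(void)
{
    int errs[4];
    int hits = run_demo(errs);

    printf("void helper: %d BUG hits; checked helper: %d %d %d %d\n",
           hits, errs[0], errs[1], errs[2], errs[3]);
    return 0;
}
```

The point of the model is the asymmetry Todd describes: a BUG_ON in the helper is a fine assertion for kernel-generated offsets, but the same helper becomes a userspace-triggerable crash the moment one caller forwards an untrusted offset. Having the helper return an error code removes the need to audit every call site for that mistake. Note that `off <= data_size && n <= data_size - off` is written so the subtraction cannot underflow; `off + n <= data_size` would wrap for the SIZE_MAX case.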

Todd Kjos

Jun 28, 2019, 12:55:55 PM
to Dan Carpenter, syzbot, Arve Hjønnevåg, Christian Brauner, open list:ANDROID DRIVERS, Greg Kroah-Hartman, Joel Fernandes (Google), LKML, Martijn Coenen, syzkaller-bugs, Todd Kjos
On Tue, Jun 18, 2019 at 10:37 AM Todd Kjos <tk...@google.com> wrote:
>
> On Tue, Jun 18, 2019 at 5:18 AM Dan Carpenter <dan.ca...@oracle.com> wrote:
> >
> > It's weird that binder_alloc_copy_from_buffer() is a void function.
> > It would be easier to do the error handling at that point, instead of in
> > the callers. It feels like we keep hitting similar bugs to this.

I took your advice. Fix posted: https://lkml.org/lkml/2019/6/28/857

-Todd