WARNING in __check_heap_object


syzbot

Nov 7, 2017, 1:36:02 PM
to ak...@linux-foundation.org, c...@linux.com, iamjoon...@lge.com, linux-...@vger.kernel.org, linu...@kvack.org, pen...@kernel.org, rien...@google.com, syzkall...@googlegroups.com
Hello,

syzkaller hit the following crash on
5a3517e009e979f21977d362212b7729c5165d92
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


------------[ cut here ]------------
WARNING: CPU: 1 PID: 2994 at mm/slab.c:4434 __check_heap_object+0xbc/0xd0
mm/slab.c:4433
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 2994 Comm: syzkaller408738 Not tainted
4.14.0-rc7-next-20171103+ #38
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1c4/0x1e0 kernel/panic.c:546
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:906
RIP: 0010:__check_heap_object+0xbc/0xd0 mm/slab.c:4433
RSP: 0018:ffff8801ce0670d8 EFLAGS: 00010282
RAX: 000000000000004a RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000004a RSI: 1ffff10039c0cddb RDI: ffffed0039c0ce0f
RBP: ffff8801ce0670e0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801ceb0a500 R11: 0000000000000000 R12: ffffea00074a6c80
R13: ffff8801d29b26b0 R14: 000000000000000b R15: ffffea00074a6c80
check_heap_object mm/usercopy.c:222 [inline]
__check_object_size+0x22c/0x4f0 mm/usercopy.c:248
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_to_user include/linux/uaccess.h:154 [inline]
sctp_getsockopt_events net/sctp/socket.c:4972 [inline]
sctp_getsockopt+0x2b90/0x70b0 net/sctp/socket.c:7012
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2924
SYSC_getsockopt net/socket.c:1882 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1864
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x43fca9
RSP: 002b:00007fff12a2dfa8 EFLAGS: 00000203 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fca9
RDX: 000000000000000b RSI: 0000000000000084 RDI: 0000000000000003
RBP: 0000000000000086 R08: 0000000020290000 R09: 0000000000000000
R10: 000000002099aff5 R11: 0000000000000203 R12: 0000000000401610
R13: 00000000004016a0 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log
repro.txt
repro.c

Christopher Lameter

Nov 7, 2017, 2:34:33 PM
to syzbot, ak...@linux-foundation.org, Kees Cook, Joonsoo Kim, linux-...@vger.kernel.org, linu...@kvack.org, Pekka Enberg, David Rientjes, syzkall...@googlegroups.com
Well that is a security thingamy related to CONFIG_HARDENED_USERCOPY.
Kees?


----- Offending function

#ifdef CONFIG_HARDENED_USERCOPY
/*
 * Rejects objects that are incorrectly sized.
 *
 * Returns NULL if check passes, otherwise const char * to name of cache
 * to indicate an error.
 */
const char *__check_heap_object(const void *ptr, unsigned long n,
				struct page *page)
{
	struct kmem_cache *cachep;
	unsigned int objnr;
	unsigned long offset;

	/* Find and validate object. */
	cachep = page->slab_cache;
	objnr = obj_to_index(cachep, page, (void *)ptr);
	BUG_ON(objnr >= cachep->num);

	/* Find offset within object. */
	offset = ptr - index_to_obj(cachep, page, objnr) -
		 obj_offset(cachep);

	/* Allow address range falling entirely within object size. */
	if (offset <= cachep->object_size && n <= cachep->object_size -
						   offset)
		return NULL;

	return cachep->name;
}
#endif /* CONFIG_HARDENED_USERCOPY */

Kees Cook

Nov 7, 2017, 3:35:22 PM
to syzbot, Andrew Morton, Christoph Lameter, Joonsoo Kim, LKML, Linux-MM, Pekka Enberg, David Rientjes, syzkall...@googlegroups.com, David Windsor
On Tue, Nov 7, 2017 at 10:36 AM, syzbot
<bot+2357afb48acb76780f...@syzkaller.appspotmail.com>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 5a3517e009e979f21977d362212b7729c5165d92
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>

Please include the line _before_ the "cut here" (dumb, I know, but
that's where warnings show up...)

Found in the raw.log:

[ 44.227177] unexpected usercopy without slab whitelist from SCTPv6
offset 1648 size 11

This means some part of the SCTPv6 slab was being poked into userspace
without a usercopy whitelist.

> check_heap_object mm/usercopy.c:222 [inline]
> __check_object_size+0x22c/0x4f0 mm/usercopy.c:248
> check_object_size include/linux/thread_info.h:112 [inline]
> check_copy_size include/linux/thread_info.h:143 [inline]
> copy_to_user include/linux/uaccess.h:154 [inline]
> sctp_getsockopt_events net/sctp/socket.c:4972 [inline]
> sctp_getsockopt+0x2b90/0x70b0 net/sctp/socket.c:7012
> sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2924
> SYSC_getsockopt net/socket.c:1882 [inline]
> SyS_getsockopt+0x178/0x340 net/socket.c:1864
> entry_SYSCALL_64_fastpath+0x1f/0xbe

Looking at the SCTPv6 slab declaration, it seems David and I missed
the usercopy whitelist for the sctpv6_sock struct. I'll update the
usercopy whitelist patch with:

#syz fix: sctp: Define usercopy region in SCTP proto slab cache

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 5fd83974c5cc..8ac85877c0e4 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -8492,6 +8492,10 @@ struct proto sctpv6_prot = {
.unhash = sctp_unhash,
.get_port = sctp_get_port,
.obj_size = sizeof(struct sctp6_sock),
+ .useroffset = offsetof(struct sctp_sock, subscribe),
+ .usersize = offsetof(struct sctp_sock, initmsg) -
+ offsetof(struct sctp_sock, subscribe) +
+ sizeof_field(struct sctp_sock, initmsg),
.sysctl_mem = sysctl_sctp_mem,
.sysctl_rmem = sysctl_sctp_rmem,
.sysctl_wmem = sysctl_sctp_wmem,
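Review bot: the new .useroffset/.usersize are computed with offsetof() on struct sctp_sock, while .obj_size two lines above is sizeof(struct sctp6_sock); the hunk therefore relies on the sctp_sock part sitting at offset 0 of sctp6_sock so that the window lands at the same offset in the larger object. Computing the offsets through struct sctp6_sock and its embedded sctp_sock member, or a one-line comment stating that dependency, would keep the two from silently drifting apart. It is also worth checking that the subscribe..initmsg window covers every sctp_sock field the getsockopt/setsockopt paths copy: the report only shows the subscribe copy (offset 1648, size 11), and any other copy_to_user()/copy_from_user() of a field outside that window will trip the same warning.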

Thanks!

-Kees

--
Kees Cook
Pixel Security
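
An added example, not code from this thread or from the kernel: a userspace model of the two checks discussed above, the in-object bounds test from the __check_heap_object() Christopher quoted and the useroffset/usersize window Kees's patch defines for the SCTPv6 cache. The struct, the 2048-byte object size and the 40-byte window are constructed for the illustration; 1648 and 11 are the offset and size from the raw.log line Kees cited. The three-way verdict (allow / warn / abort) models the fallback that produced the "unexpected usercopy without slab whitelist" warning: the copy was inside the object, so nothing past the allocation was exposed, but the cache had never declared that region copyable. The kernel's actual code path lives in mm/slab.c and mm/usercopy.c, not here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the slab-cache fields the checks consult.
 * Not a kernel structure; field names mirror the ones in the patch.
 */
struct cache_model {
	const char *name;
	size_t object_size;	/* usable bytes in each object */
	size_t useroffset;	/* start of the usercopy region, if any */
	size_t usersize;	/* length of the usercopy region; 0 = no whitelist */
};

enum uc_verdict {
	UC_ALLOW,	/* copy lies inside the whitelisted window */
	UC_WARN,	/* inside the object, but no whitelist covers it: the WARNING in the report */
	UC_ABORT	/* not even inside the object */
};

/* In-object offset of a pointer into a page of equal-size objects; this is
 * what obj_to_index()/index_to_obj() compute for a SLAB page (redzones ignored). */
static size_t ptr_to_offset(const void *page_base, size_t obj_size, const void *ptr)
{
	uintptr_t delta = (uintptr_t)ptr - (uintptr_t)page_base;
	size_t objnr = delta / obj_size;

	return delta - objnr * obj_size;
}

/* The bounds test from the quoted __check_heap_object(): [offset, offset+n)
 * must fall inside the object. Two comparisons, so offset + n cannot wrap. */
static bool within_object(const struct cache_model *c, size_t offset, size_t n)
{
	return offset <= c->object_size && n <= c->object_size - offset;
}

/* The same shape of test against the whitelisted window
 * [useroffset, useroffset + usersize). A cache with usersize == 0 has no
 * window, so nothing in it may be copied to or from userspace. */
static bool within_whitelist(const struct cache_model *c, size_t offset, size_t n)
{
	size_t rel;

	if (c->usersize == 0 || offset < c->useroffset)
		return false;
	rel = offset - c->useroffset;
	return rel <= c->usersize && n <= c->usersize - rel;
}

/* Verdict for copying n bytes starting at an in-object offset. */
static enum uc_verdict check_usercopy(const struct cache_model *c, size_t offset, size_t n)
{
	if (within_whitelist(c, offset, n))
		return UC_ALLOW;
	if (within_object(c, offset, n))
		return UC_WARN;	/* the "unexpected usercopy without slab whitelist" case */
	return UC_ABORT;
}

/* Constructed stand-ins for the SCTPv6 cache before and after the patch:
 * 2048 and 40 are made-up sizes, 1648/11 come from the report. */
static const struct cache_model sctpv6_no_whitelist = { "SCTPv6", 2048, 0, 0 };
static const struct cache_model sctpv6_whitelisted  = { "SCTPv6", 2048, 1648, 40 };

/* A fake slab page of four objects, used to show the pointer-to-offset step. */
static unsigned char slab_page[4 * 2048];

static const char *verdict_name(enum uc_verdict v)
{
	return v == UC_ALLOW ? "allow" : v == UC_WARN ? "warn" : "abort";
}

int main(void)
{
	const unsigned char *ptr = slab_page + 3 * 2048 + 1648;
	size_t off = ptr_to_offset(slab_page, 2048, ptr);

	printf("offset %zu size 11, no whitelist: %s\n", off,
	       verdict_name(check_usercopy(&sctpv6_no_whitelist, off, 11)));
	printf("offset %zu size 11, whitelisted:  %s\n", off,
	       verdict_name(check_usercopy(&sctpv6_whitelisted, off, 11)));
	printf("offset 2040 size 16:               %s\n",
	       verdict_name(check_usercopy(&sctpv6_whitelisted, 2040, 16)));
	return 0;
}
```

The warn verdict is the interesting one for triage: it says the copy is in bounds, so the question is not "is this an overread" but "which struct fields does this path hand to userspace, and does the cache's whitelist name them", which is exactly how the SCTPv6 report was resolved.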

Dmitry Vyukov

Nov 8, 2017, 3:24:15 AM
to Kees Cook, syzbot, Andrew Morton, Christoph Lameter, Joonsoo Kim, LKML, Linux-MM, Pekka Enberg, David Rientjes, syzkall...@googlegroups.com, David Windsor
Kees, please also follow this part once the commit reaches any of the
trees (title is settled):

> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> Note: all commands must start from beginning of the line.

This will greatly help to keep the whole process running and report
new bugs in future.

Thanks

Kees Cook

Nov 8, 2017, 2:02:26 PM
to Dmitry Vyukov, syzbot, Andrew Morton, Christoph Lameter, Joonsoo Kim, LKML, Linux-MM, Pekka Enberg, David Rientjes, syzkall...@googlegroups.com, David Windsor
I included that in my email reply already, and the commit will be in
-next shortly. (Do you prefer something else?)

Dmitry Vyukov

Nov 8, 2017, 2:08:50 PM
to Kees Cook, syzbot, Andrew Morton, Christoph Lameter, Joonsoo Kim, LKML, Linux-MM, Pekka Enberg, David Rientjes, syzkall...@googlegroups.com, David Windsor
Doh! That's just me trying to handle 200 bugs at the same time. Sorry.