KASAN: use-after-free Read in do_general_protection


syzbot

May 26, 2018, 5:16:03 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e030d7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=16b624d7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1364e0d7800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a12641...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0
arch/x86/kernel/traps.c:538
Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544

CPU: 0 PID: 4544 Comm: syz-executor171 Not tainted 4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:

The buggy address belongs to the page:
page:ffffea00075c61c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea00075c0101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d7187480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4544 Comm: syz-executor171 Tainted: G B
4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
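The report above classifies the access as a use-after-free, and the "Memory state around the buggy address" dump is what KASAN used to reach that verdict. The following decoder is an added example and is not part of the syzbot report or the thread: it parses the access line and the shadow-memory rows, locates the shadow byte that guards the faulting address, and translates it using the generic KASAN shadow encodings (one shadow byte per 8 bytes of kernel memory; 0xff marks a freed page). The REPORT string is constructed from the lines of the report above, and the encoding table assumes the generic-KASAN values from the kernel's mm/kasan/kasan.h of that era.

```python
import re

# Constructed excerpt: the access line and the shadow dump copied from the
# syzbot report above. Each dump row shows 16 shadow bytes = 128 bytes of
# kernel memory starting at the row's address.
REPORT = """\
BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0
Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544
Memory state around the buggy address:
ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                 ^
ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

# Generic KASAN: one shadow byte covers KASAN_SHADOW_SCALE_SIZE = 8 bytes.
SHADOW_SCALE = 8
BYTES_PER_ROW = 16 * SHADOW_SCALE

# Poison values from mm/kasan/kasan.h (generic KASAN, 4.x kernels).
SHADOW_CODES = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF8: "out-of-scope stack variable (KASAN_USE_AFTER_SCOPE)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xF4: "stack partial redzone (KASAN_STACK_PARTIAL)",
}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
# Rows look like "ffff8801d7187380: ff ff ... ff"; the faulting row carries a
# leading ">" marker, which we accept and ignore.
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow_rows(report):
    """Return {row_base_address: [16 shadow byte values]} for every dump row."""
    rows = {}
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte_for(addr, rows):
    """Return the shadow byte guarding `addr`, or None if the dump lacks it."""
    base = addr - (addr % BYTES_PER_ROW)          # rows are 128-byte aligned
    if base not in rows:
        return None
    return rows[base][(addr - base) // SHADOW_SCALE]


def describe_shadow(code):
    """Translate a shadow byte into the state KASAN assigns to that granule."""
    if code == 0:
        return "fully accessible"
    if 1 <= code <= 7:
        return f"only first {code} of 8 bytes accessible (partial granule)"
    return SHADOW_CODES.get(code, f"unknown shadow value 0x{code:02x}")


def analyse(report):
    """Locate the faulting access and explain why KASAN flagged it."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no KASAN access line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_shadow_rows(report)
    first = shadow_byte_for(addr, rows)             # granule of the first byte
    last = shadow_byte_for(addr + size - 1, rows)   # granule of the last byte
    return {
        "access": kind,
        "size": size,
        "addr": addr,
        "shadow_first": first,
        "shadow_last": last,
        "meaning": describe_shadow(first),
        # Any non-zero shadow byte under the access means KASAN reports it.
        "poisoned": first != 0 or last != 0,
    }


if __name__ == "__main__":
    info = analyse(REPORT)
    print(f"{info['access']} of {info['size']} bytes at {info['addr']:#x}: "
          f"shadow 0x{info['shadow_first']:02x} -> {info['meaning']}")
```

For the report above the decoder lands on shadow byte 3 of the ">" row (offset 0x18 from 0xffff8801d7187380, divided by 8), which is 0xff: the whole page backing the address had been freed, which is consistent with the "count:0" in the page dump and with the "use-after-free" title. The same routine applied to the duplicate reports Dmitry lists below (stack-out-of-bounds, use-after-scope) would surface 0xf1..0xf4 or 0xf8 instead, so a triager can tell from the shadow alone which flavour of misuse KASAN saw.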

Dmitry Vyukov

May 26, 2018, 5:30:09 AM
to syzbot, Paolo Bonzini, Radim Krčmář, KVM list, LKML, syzkaller-bugs
Dups of this bug:

KASAN: stack-out-of-bounds Read in do_general_protection
KASAN: slab-out-of-bounds Read in vmx_vcpu_run
KASAN: use-after-scope Read in vmx_vcpu_run
KASAN: stack-out-of-bounds Write in notify_die

See full info at:
https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f


There seem to be 2 problems:

1. msr_write_intercepted doing something notoriously bad.

2. general_protection fault handler somehow allocates pt_regs
overlapping with vmx_run frame. This can be an issue with interrupts
too.



Paolo Bonzini

May 28, 2018, 7:25:29 AM
to Dmitry Vyukov, syzbot, Radim Krčmář, KVM list, LKML, syzkaller-bugs
On 26/05/2018 11:29, Dmitry Vyukov wrote:
> KASAN: stack-out-of-bounds Read in do_general_protection
> KASAN: slab-out-of-bounds Read in vmx_vcpu_run
> KASAN: use-after-scope Read in vmx_vcpu_run
> KASAN: stack-out-of-bounds Write in notify_die
>
> See full info at:
> https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
>
>
> There seem to be 2 problems:
>
> 1. msr_write_intercepted doing something notoriously bad.

The faulting line is

msr_bitmap = to_vmx(vcpu)->loaded_vmcs->msr_bitmap;

so I suppose to_vmx(vcpu)->loaded_vmcs is bogus? That seems like "just"
a corruption of the struct kvm_vcpu, because the loaded_vmcs field is
pointing elsewhere inside the same struct.

Paolo

Dmitry Vyukov

Jun 5, 2018, 4:16:50 AM
to Paolo Bonzini, syzbot, Radim Krčmář, KVM list, LKML, syzkaller-bugs
This is reproducible and the reproducer only uses KVM syscalls. So it
seems that KVM corrupts itself. Perhaps it's KVM_SET_MSRS that messes
things?

Dmitry Vyukov

Jun 20, 2018, 3:52:35 AM
to Paolo Bonzini, syzbot, Radim Krčmář, KVM list, LKML, syzkaller-bugs
This one looks like the same root cause as here:

KASAN: stack-out-of-bounds Read in unwind_next_frame
https://groups.google.com/d/msg/syzkaller-bugs/MGQ_W8DPYXA/k-xK7sBrBgAJ

Eric Biggers

Jul 9, 2019, 3:31:19 PM
to Dmitry Vyukov, syzkall...@googlegroups.com, syzbot
On Sat, May 26, 2018 at 02:16:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13e030d7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=16b624d7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1364e0d7800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a12641...@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> ==================================================================
> BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0
> arch/x86/kernel/traps.c:538
> Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544

Hi Dmitry, there is an anomaly with this bug report. The main page of the
syzbot dashboard (https://syzkaller.appspot.com/upstream) shows that it occurred
38 times, and last occurred 14 days ago. However, the details page
(https://syzkaller.appspot.com/bug?id=d5d780ebdea00d45e7dcca8b25d9d7d2aff7da6c)
shows only 2 crashes, with the last being over a year ago.

- Eric

Andrey Konovalov

Jul 10, 2019, 6:45:24 AM
to Dmitry Vyukov, syzkaller-bugs, syzbot
I think the reason is that the "KASAN: stack-out-of-bounds Read in
unwind_next_frame" bug is marked as a duplicate of this one (as the
table shows), and it indeed happened 14 days ago.


Eric Biggers

Jul 10, 2019, 11:42:16 PM
to Andrey Konovalov, Dmitry Vyukov, syzkaller-bugs, syzbot
Okay, I missed that. It would be helpful if the crashes list would include
crashes from duplicate bugs by default. If bugs are really duplicate, then
people will ordinarily want to see all the crashes together.

- Eric

syzbot

Jun 8, 2024, 3:40:15 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.