Test patch for KASAN: global-out-of-bounds Read in detach_capi_ctr


Soumya Negi

Jul 1, 2022, 8:24:21 AM
to syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Fixes Syzbot bug:
https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e

This patch checks whether any ISDN devices are registered before unregistering
a CAPI controller (device). Without the check, the controller struct capi_ctr
results in out-of-bounds access bugs to other CAPI data structures in
detach_capi_ctr() as seen in the bug report.

Reported-by: syzbot+9d567e...@syzkaller.appspotmail.com

Signed-off-by: Soumya Negi <soumya...@gmail.com>
---
drivers/isdn/capi/kcapi.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
index 18de41a266eb..6175ff7ec749 100644
--- a/drivers/isdn/capi/kcapi.c
+++ b/drivers/isdn/capi/kcapi.c
@@ -563,6 +563,9 @@ int detach_capi_ctr(struct capi_ctr *ctr)

mutex_lock(&capi_controller_lock);

+ if (ncontrollers == 0)
+ goto unlock_out;
+
ctr_down(ctr, CAPI_CTR_DETACHED);

if (capi_controller[ctr->cnr - 1] != ctr) {
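Review bot: the `ncontrollers == 0` guard added before ctr_down() does not protect the index used two lines later, `capi_controller[ctr->cnr - 1]`; as soon as one controller is registered, a ctr whose cnr lies outside the table still reaches that lookup and produces the out-of-bounds read the report title names, so the check belongs on ctr->cnr itself (cnr < 1, or cnr - 1 at or past the end of capi_controller) and must sit before the array is touched. A second point: the early `goto unlock_out` jumps out without setting any error code, so a caller detaching a controller that was never registered sees the same result as a successful detach; set an error such as -EINVAL before the jump, in line with the mismatch check on the following line.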
--
2.17.1

syzbot

Jul 1, 2022, 8:42:10 AM
to soumya...@gmail.com, syzkall...@googlegroups.com, syzkaller...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

er sanitization
[ 1.679106] Spectre V2 : Kernel not compiled with retpoline; no mitigation available!
[ 1.679113] Spectre V2 : Vulnerable
[ 1.681212] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[ 1.682442] Spectre V2 : Enabling Restricted Speculation for firmware calls
[ 1.683519] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[ 1.684999] Spectre V2 : User space: Mitigation: STIBP via prctl
[ 1.685952] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
[ 1.687628] MDS: Mitigation: Clear CPU buffers
[ 1.688311] TAA: Mitigation: Clear CPU buffers
[ 1.688931] MMIO Stale Data: Vulnerable: Clear CPU buffers attempted, no microcode
[ 1.692716] Freeing SMP alternatives memory: 104K
[ 1.814777] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.20GHz (family: 0x6, model: 0x4f, stepping: 0x0)
[ 1.818459] cblist_init_generic: Setting adjustable number of callback queues.
[ 1.820326] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.822016] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.822417] Running RCU-tasks wait API self tests
[ 1.952637] Performance Events: unsupported p6 CPU model 79 no PMU driver, software events only.
[ 1.954811] rcu: Hierarchical SRCU implementation.
[ 1.959848] NMI watchdog: Perf NMI watchdog permanently disabled
[ 1.961957] smp: Bringing up secondary CPUs ...
[ 1.966951] x86: Booting SMP configuration:
[ 1.968003] .... node #0, CPUs: #1
[ 1.969968] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
[ 1.972603] TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.
[ 1.975022] MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.
[ 1.977943] smp: Brought up 2 nodes, 2 CPUs
[ 1.978662] smpboot: Max logical packages: 1
[ 1.979527] smpboot: Total of 2 processors activated (8800.57 BogoMIPS)
[ 1.984745] devtmpfs: initialized
[ 1.984841] x86/mm: Memory block size: 128MB
[ 1.992511] Callback from call_rcu_tasks_trace() invoked.
[ 2.014707] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 2.022442] futex hash table entries: 512 (order: 4, 65536 bytes, vmalloc)
[ 2.022442] PM: RTC time: 12:33:34, date: 2022-07-01
[ 2.029315] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 2.035413] audit: initializing netlink subsys (disabled)
[ 2.044342] thermal_sys: Registered thermal governor 'step_wise'
[ 2.044355] thermal_sys: Registered thermal governor 'user_space'
[ 2.045723] cpuidle: using governor menu
[ 2.052517] audit: type=2000 audit(1656678814.217:1): state=initialized audit_enabled=0 res=1
[ 2.052435] HugeTLB: can optimize 4095 vmemmap pages for hugepages-1048576kB
[ 2.052435] PCI: Using configuration type 1 for base access
[ 2.242553] WARNING: workqueue cpumask: online intersect > possible intersect
[ 2.252455] HugeTLB: can optimize 7 vmemmap pages for hugepages-2048kB
[ 2.252455] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[ 2.252455] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[ 2.254153] cryptd: max_cpu_qlen set to 1000
[ 2.332513] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 1-... } 4 jiffies s: 61 root: 0x2/.
[ 2.334980] rcu: blocking rcu_node structures (internal RCU debug):
[ 2.336410] Task dump for CPU 1:
[ 2.336945] task:swapper/0 state:R running task stack:27456 pid: 1 ppid: 0 flags:0x00004008
[ 2.338968] Call Trace:
[ 2.339428] <TASK>
[ 2.339820] ? __lock_acquire+0x162f/0x54e0
[ 2.340652] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 2.341766] ? lock_is_held_type+0xd7/0x130
[ 2.352446] ? find_held_lock+0x2d/0x110
[ 2.353438] ? lock_release+0x3bb/0x770
[ 2.354275] ? get_page_from_freelist+0x15de/0x3890
[ 2.355231] ? lock_downgrade+0x6d0/0x6d0
[ 2.356083] ? lock_is_held_type+0xd7/0x130
[ 2.356846] ? bad_range+0x22d/0x2e0
[ 2.357583] ? bad_range+0x22d/0x2e0
[ 2.358170] ? lockdep_hardirqs_on+0x79/0x100
[ 2.359360] ? bad_range+0x22d/0x2e0
[ 2.360195] ? get_page_from_freelist+0x15de/0x3890
[ 2.361665] ? kasan_unpoison+0x23/0x50
[ 2.372433] ? post_alloc_hook+0x1d0/0x2a0
[ 2.373289] ? get_page_from_freelist+0x15ff/0x3890
[ 2.374511] ? lock_release+0x3bb/0x770
[ 2.375375] ? prepare_alloc_pages+0x164/0x570
[ 2.376359] ? __zone_watermark_ok+0x3f0/0x3f0
[ 2.377420] ? lock_is_held_type+0xd7/0x130
[ 2.378311] ? irqentry_enter+0x26/0x50
[ 2.378976] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 2.380248] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 2.381354] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 2.382354] ? lockdep_hardirqs_on+0x79/0x100
[ 2.392451] ? kernel_fpu_begin_mask+0x165/0x260
[ 2.393476] ? save_fpregs_to_fpstate+0x270/0x270
[ 2.394513] ? raid6_avx24_gen_syndrome+0x125/0x2c0
[ 2.395355] ? raid6_avx24_gen_syndrome+0x125/0x2c0
[ 2.401015] ? raid6_select_algo+0x31a/0x882
[ 2.401718] ? sw842_init+0x1bd/0x1bd
[ 2.402339] ? lock_is_held_type+0xd7/0x130
[ 2.412436] ? sw842_init+0x1bd/0x1bd
[ 2.413334] ? do_one_initcall+0x103/0x650
[ 2.415195] ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[ 2.416434] ? parameq+0x100/0x170
[ 2.417124] ? lock_is_held_type+0xd7/0x130
[ 2.417823] ? kernel_init_freeable+0x604/0x68d
[ 2.418589] ? rest_init+0x250/0x250
[ 2.419247] ? kernel_init+0x1a/0x1d0
[ 2.420089] ? rest_init+0x250/0x250
[ 2.420797] ? ret_from_fork+0x1f/0x30
[ 2.421563] </TASK>
[ 2.432421] raid6: avx2x4 gen() 4677 MB/s
[ 2.432536] Callback from call_rcu_tasks() invoked.
[ 2.594368] raid6: avx2x2 gen() 3276 MB/s
[ 2.764526] raid6: avx2x1 gen() 1938 MB/s
[ 2.766296] raid6: using algorithm avx2x4 gen() 4677 MB/s
[ 2.934458] raid6: .... xor() 2466 MB/s, rmw enabled
[ 2.935820] raid6: using avx2x2 recovery algorithm
[ 2.938257] ACPI: Added _OSI(Module Device)
[ 2.938973] ACPI: Added _OSI(Processor Device)
[ 2.939828] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 2.941597] ACPI: Added _OSI(Processor Aggregator Device)
[ 2.942459] ACPI: Added _OSI(Linux-Dell-Video)
[ 2.943324] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[ 2.944282] ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
[ 3.046806] ACPI: 2 ACPI AML tables successfully acquired and loaded
[ 3.183025] ACPI: Interpreter enabled
[ 3.184164] ACPI: PM: (supports S0 S3 S4 S5)
[ 3.185312] ACPI: Using IOAPIC for interrupt routing
[ 3.186635] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[ 3.188479] PCI: Using E820 reservations for host bridge windows
[ 3.193470] ACPI: Enabled 16 GPEs in block 00 to 0F
[ 3.335395] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[ 3.336800] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3]
[ 3.338408] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI]
[ 3.340662] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
[ 3.353025] PCI host bridge to bus 0000:00
[ 3.353867] pci_bus 0000:00: Unknown NUMA node; performance will be reduced
[ 3.356199] pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window]
[ 3.358023] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window]
[ 3.359759] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[ 3.361259] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfefff window]
[ 3.362465] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 3.364349] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[ 3.370651] pci 0000:00:01.0: [8086:7110] type 00 class 0x060100
[ 3.394213] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000
[ 3.413925] pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
[ 3.418810] pci 0000:00:03.0: [1af4:1004] type 00 class 0x000000
[ 3.429206] pci 0000:00:03.0: reg 0x10: [io 0xc000-0xc03f]
[ 3.435620] pci 0000:00:03.0: reg 0x14: [mem 0xfe800000-0xfe80007f]
[ 3.455738] pci 0000:00:04.0: [1af4:1000] type 00 class 0x020000
[ 3.465039] pci 0000:00:04.0: reg 0x10: [io 0xc040-0xc07f]
[ 3.471672] pci 0000:00:04.0: reg 0x14: [mem 0xfe801000-0xfe80107f]
[ 3.492827] pci 0000:00:05.0: [1ae0:a002] type 00 class 0x030000
[ 3.503937] pci 0000:00:05.0: reg 0x10: [mem 0xfe000000-0xfe7fffff]
[ 3.530482] pci 0000:00:05.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[ 3.536069] pci 0000:00:06.0: [1af4:1002] type 00 class 0x00ff00
[ 3.545791] pci 0000:00:06.0: reg 0x10: [io 0xc080-0xc09f]
[ 3.552444] pci 0000:00:06.0: reg 0x14: [mem 0xfe802000-0xfe80207f]
[ 3.570686] pci 0000:00:07.0: [1af4:1005] type 00 class 0x00ff00
[ 3.579798] pci 0000:00:07.0: reg 0x10: [io 0xc0a0-0xc0bf]
[ 3.587877] pci 0000:00:07.0: reg 0x14: [mem 0xfe803000-0xfe80303f]
[ 3.652688] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[ 3.659930] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[ 3.665435] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[ 3.672856] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[ 3.676762] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[ 3.690551] iommu: Default domain type: Translated
[ 3.690551] iommu: DMA domain TLB invalidation policy: lazy mode
[ 3.692435] SCSI subsystem initialized
[ 3.693025] ACPI: bus type USB registered
[ 3.695044] usbcore: registered new interface driver usbfs
[ 3.696897] usbcore: registered new interface driver hub
[ 3.698349] usbcore: registered new device driver usb
[ 3.701433] mc: Linux media interface: v0.10
[ 3.702684] videodev: Linux video capture interface: v2.00
[ 3.704581] pps_core: LinuxPPS API ver. 1 registered
[ 3.705918] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giom...@linux.it>
[ 3.708045] PTP clock support registered
[ 3.712424] EDAC MC: Ver: 3.0.0
[ 3.714114] Advanced Linux Sound Architecture Driver Initialized.
[ 3.722892] Bluetooth: Core ver 2.22
[ 3.722892] NET: Registered PF_BLUETOOTH protocol family
[ 3.722892] Bluetooth: HCI device and connection manager initialized
[ 3.722892] Bluetooth: HCI socket layer initialized
[ 3.723783] Bluetooth: L2CAP socket layer initialized
[ 3.724932] Bluetooth: SCO socket layer initialized
[ 3.726258] NET: Registered PF_ATMPVC protocol family
[ 3.727226] NET: Registered PF_ATMSVC protocol family
[ 3.728871] NetLabel: Initializing
[ 3.729474] NetLabel: domain hash size = 128
[ 3.730476] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 3.733189] NetLabel: unlabeled traffic allowed by default
[ 3.736711] nfc: nfc_init: NFC Core ver 0.1
[ 3.738035] NET: Registered PF_NFC protocol family
[ 3.739223] PCI: Using ACPI for IRQ routing
[ 3.741395] pci 0000:00:05.0: vgaarb: setting as boot VGA device
[ 3.742417] pci 0000:00:05.0: vgaarb: bridge control possible
[ 3.742417] pci 0000:00:05.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
[ 3.752437] vgaarb: loaded
[ 3.757925] clocksource: Switched to clocksource kvm-clock
[ 3.775573] VFS: Disk quotas dquot_6.6.0
[ 3.776897] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 3.780161] FS-Cache: Loaded
[ 3.782268] CacheFiles: Loaded
[ 3.783739] TOMOYO: 2.6.0
[ 3.784718] Profile 0 (used by '<kernel>') is not defined.
[ 3.786249] Userland tools for TOMOYO 2.6 must be installed and policy must be initialized.
[ 3.788505] Please see https://tomoyo.osdn.jp/2.6/ for more information.
[ 3.790935] Kernel panic - not syncing: STOP!
[ 3.792101] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc4-syzkaller #0
[ 3.793218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/18/2022
[ 3.793218] Call Trace:
[ 3.793218] <TASK>
[ 3.793218] dump_stack_lvl+0x8b/0xb3
[ 3.793218] panic+0x29c/0x5fb
[ 3.793218] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 3.793218] ? lock_release+0x3bb/0x770
[ 3.793218] ? tomoyo_load_builtin_policy+0x24d/0x2c4
[ 3.793218] ? lock_downgrade+0x6d0/0x6d0
[ 3.793218] ? vprintk+0x88/0x90
[ 3.793218] tomoyo_check_profile.cold+0xbb/0xc8
[ 3.793218] tomoyo_load_builtin_policy+0x279/0x2c4
[ 3.793218] ? smack_nf_ip_init+0x7c/0x7c
[ 3.793218] ? mark_lock.part.0+0xee/0x17c0
[ 3.793218] ? tomoyo_write_domain2+0x1a0/0x1a0
[ 3.793218] ? up_write+0x148/0x470
[ 3.793218] ? securityfs_create_dentry+0x178/0x5a0
[ 3.793218] ? tomoyo_mm_init+0x26e/0x26e
[ 3.793218] tomoyo_initerface_init+0x1c0/0x1ca
[ 3.793218] do_one_initcall+0x103/0x650
[ 3.793218] ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[ 3.793218] ? parameq+0x100/0x170
[ 3.793218] ? lock_is_held_type+0xd7/0x130
[ 3.793218] kernel_init_freeable+0x604/0x68d
[ 3.793218] ? rest_init+0x250/0x250
[ 3.793218] kernel_init+0x1a/0x1d0
[ 3.793218] ? rest_init+0x250/0x250
[ 3.793218] ret_from_fork+0x1f/0x30
[ 3.793218] </TASK>
[ 3.793218] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build514774188=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at a4a2a5015
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"a4a2a50158b25d4af0fd07528f38e6656b903d68\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1771e6f0080000


Tested on:

commit: a175eca0 Merge tag 'drm-fixes-2022-07-01' of git://ano..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=3a740a20e25754b1
dashboard link: https://syzkaller.appspot.com/bug?extid=9d567e08d3970bfd8271
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=121f476c080000

Soumya Negi

Jul 1, 2022, 9:08:44 AM
to syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
3f8a27f9e27bd78604c0709224cec0ec85a8b106
0001-isdn-capi-Add-check-for-controller-count-in-detach_c.patch

syzbot

Jul 1, 2022, 9:59:10 AM
to soumya...@gmail.com, syzkall...@googlegroups.com, syzkaller...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "ro...@10.128.10.24:./syz-fuzzer"]: exit status 1
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
scp: ./syz-fuzzer: Read-only file system
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1938811065=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at a4a2a5015
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"a4a2a50158b25d4af0fd07528f38e6656b903d68\"



Tested on:

commit: 3f8a27f9 Linux 4.19.211
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=9d567e08d3970bfd8271
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f1e6f0080000

Soumya Negi

Jul 1, 2022, 7:24:37 PM
to syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hi,
0001-isdn-capi-Add-check-for-controller-count-in-detach_c.patch

syzbot

Jul 1, 2022, 7:34:09 PM
to soumya...@gmail.com, syzkall...@googlegroups.com, syzkaller...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "ro...@10.128.1.8:./syz-fuzzer"]: exit status 1
Warning: Permanently added '10.128.1.8' (ECDSA) to the list of known hosts.
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build867515214=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at a4a2a5015
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=a4a2a50158b25d4af0fd07528f38e6656b903d68 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20211208-095440'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"a4a2a50158b25d4af0fd07528f38e6656b903d68\"



Tested on:

commit: 3f8a27f9 Linux 4.19.211
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=9d567e08d3970bfd8271
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16864058080000

Dan Carpenter

Jul 4, 2022, 7:26:50 AM
to Soumya Negi, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org

On Fri, Jul 01, 2022 at 06:08:29AM -0700, Soumya Negi wrote:
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> 3f8a27f9e27bd78604c0709224cec0ec85a8b106
>

> From 3aa5aaffef64a5574cbdb3f5c985bc25b612140c Mon Sep 17 00:00:00 2001
> From: Soumya Negi <soumya...@gmail.com>
> Date: Fri, 1 Jul 2022 04:52:17 -0700
> Subject: [PATCH] isdn: capi: Add check for controller count in
> detach_capi_ctr()
>
> Fixes Syzbot bug:
> https://syzkaller.appspot.com/bug?id=14f4820fbd379105a71fdee357b0759b90587a4e
>
> This patch checks whether any ISDN devices are registered before unregistering
> a CAPI controller (device). Without the check, the controller struct capi_ctr
> results in out-of-bounds access bugs to other CAPI data structures in
> detach_capi_ctr() as seen in the bug report.
>

This bug was already fixed by commit 1f3e2e97c003 ("isdn: cpai: check
ctr->cnr to avoid array index out of bound").

It just needs to be backported. Unfortunately there was no Fixes tag so
it wasn't picked up. Also I'm not sure how backports work in netdev.

regards,
dan carpenter
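Added example, not code from the kernel, from the patch above, or from anyone in this thread: a small C model of the indexing pattern the patch touches (a fixed global table indexed by ctr->cnr - 1), with the patch's count-only guard beside a guard on ctr->cnr itself, the kind of check Dan's reply refers to. The table size MAX_CONTROLLERS, the cut-down struct ctr, the attach/detach helper names, and the "good"/"bogus" controllers are all assumptions constructed for the illustration; the count-only variant reports -ERANGE where the real code would read past the array, so the demo runs without faulting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed table size for the illustration; the kernel's capi_controller[]
 * has its own fixed size. A small table makes the out-of-range case obvious. */
#define MAX_CONTROLLERS 4

/* Minimal stand-in for the fields this example needs; not the kernel's
 * struct capi_ctr. cnr is 1-based, so the table index is cnr - 1. */
struct ctr {
    int cnr;
    const char *name;
};

/* Global table indexed by cnr - 1. A fixed global array like this is what a
 * KASAN "global-out-of-bounds" report points at. */
static struct ctr *controllers[MAX_CONTROLLERS];
static int ncontrollers;

static void reset_table(void)
{
    for (int i = 0; i < MAX_CONTROLLERS; i++)
        controllers[i] = NULL;
    ncontrollers = 0;
}

/* Registers c in its slot; rejects cnr values outside the table. */
static int attach(struct ctr *c)
{
    if (c->cnr < 1 || c->cnr - 1 >= MAX_CONTROLLERS)
        return -EINVAL;
    if (controllers[c->cnr - 1] != NULL)
        return -EBUSY;
    controllers[c->cnr - 1] = c;
    ncontrollers++;
    return 0;
}

/* Mirrors the proposed patch: only the controller count is checked before
 * the table is indexed. Instead of actually reading past the array, the
 * out-of-range case is reported as -ERANGE so the demo stays memory-safe. */
static int detach_count_check_only(struct ctr *c)
{
    if (ncontrollers == 0)
        return 0;                       /* patch's early exit: reports success */
    if (c->cnr < 1 || c->cnr - 1 >= MAX_CONTROLLERS)
        return -ERANGE;                 /* real code would read out of bounds here */
    if (controllers[c->cnr - 1] != c)
        return -EINVAL;
    controllers[c->cnr - 1] = NULL;
    ncontrollers--;
    return 0;
}

/* Validates cnr itself before it is used as an index. */
static int detach_range_checked(struct ctr *c)
{
    if (c->cnr < 1 || c->cnr - 1 >= MAX_CONTROLLERS)
        return -EINVAL;
    if (controllers[c->cnr - 1] != c)
        return -EINVAL;
    controllers[c->cnr - 1] = NULL;
    ncontrollers--;
    return 0;
}

/* Constructed scenario in the shape of the report: one controller is
 * registered, then detach is called on a ctr that never went through
 * attach() and whose cnr is far past the table. Returns -ERANGE, i.e. the
 * count-only guard did not stop the out-of-range index. */
int scenario_count_check_only(void)
{
    struct ctr good = { 1, "good" };
    struct ctr bogus = { 100, "bogus" };    /* constructed out-of-range cnr */
    reset_table();
    attach(&good);
    return detach_count_check_only(&bogus);
}

/* Same scenario against the range-checked variant: returns -EINVAL and
 * leaves the registered controller in place. */
int scenario_range_checked(void)
{
    struct ctr good = { 1, "good" };
    struct ctr bogus = { 100, "bogus" };
    reset_table();
    attach(&good);
    return detach_range_checked(&bogus);
}

/* Normal path: a registered controller detaches cleanly. */
int scenario_valid_detach(void)
{
    struct ctr good = { 1, "good" };
    reset_table();
    attach(&good);
    return detach_range_checked(&good);
}

int registered_count(void)
{
    return ncontrollers;
}

int main(void)
{
    printf("count-only guard, bogus cnr: %d (would be an OOB read)\n",
           scenario_count_check_only());
    printf("range guard, bogus cnr:      %d\n", scenario_range_checked());
    printf("range guard, valid detach:   %d, remaining %d\n",
           scenario_valid_detach(), registered_count());
    return 0;
}
```

The point of the two variants side by side: the count check only short-circuits when the table is empty, so any registered controller re-opens the path to `controllers[c->cnr - 1]` with an unvalidated cnr; validating the index value itself closes it regardless of how many controllers exist.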

Greg KH

Jul 4, 2022, 7:54:22 AM
to Dan Carpenter, Soumya Negi, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org
That commit has already been backported quite a while ago and is in the
following releases:
4.4.290 4.9.288 4.14.253 4.19.214 5.4.156 5.10.76 5.14.15 5.15


thanks,

greg k-h

Soumya Negi

Jul 5, 2022, 12:04:33 AM
to Greg KH, Dan Carpenter, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org
Thanks for letting me know. Is there a way I can check whether an open
syzbot bug already has a fix as in this case? Right now I am thinking
of running the reproducer on linux-next as well before starting on a
bug.

Regards
Soumya

Greg KH

Jul 5, 2022, 12:45:26 AM
to Soumya Negi, Dan Carpenter, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org
I have no context at all as to what you are referring to here, sorry.

Soumya Negi

Jul 5, 2022, 12:59:40 AM
to Greg KH, Dan Carpenter, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org
Thanks for letting me know. Is there a way I can check whether an open
syzbot bug already has a fix as in this case? Right now I am thinking
of running the reproducer on linux-next as well before starting on a
bug.

-Soumya

butt3rflyh4ck

Jul 5, 2022, 1:07:42 AM
to Soumya Negi, Greg KH, Dan Carpenter, syzbot+9d567e...@syzkaller.appspotmail.com, syzkaller-bugs, sta...@vger.kernel.org, Networking
The patch for this issue has been available upstream since last year.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d


Regards,
butt3rflyh4ck.
--
Active Defense Lab of Venustech

Greg KH

Jul 5, 2022, 1:18:40 AM
to Soumya Negi, Dan Carpenter, syzbot+9d567e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Xiaolong Huang, sta...@vger.kernel.org, net...@vger.kernel.org
Always run the reproducer first if for no other reason than to be able
to test if you do fix a problem or not. You can also always have syzbot
run it too, use the email interface to it for that.

good luck!

greg k-h