BUG: bad usercopy in snd_rawmidi_kernel_write1
4 показвания
Преминаване към първото непрочетено съобщение
syzbot
14.05.2020 г., 1:21:1714.05.20 г.
до syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: ab9dfda2 Linux 4.14.180
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121d44ac100000
kernel config: https://syzkaller.appspot.com/x/.config?x=221566a7407ce2de
dashboard link: https://syzkaller.appspot.com/bug?extid=4f4cb24a5ea198464e0a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4f4cb2...@syzkaller.appspotmail.com
usercopy: kernel memory overwrite attempt detected to ffff88808ced8000 (kmalloc-1024) (4096 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:73!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 9236 Comm: syz-executor.2 Not tainted 4.14.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88804369c240 task.stack: ffff888056890000
RIP: 0010:report_usercopy mm/usercopy.c:73 [inline]
RIP: 0010:__check_object_size mm/usercopy.c:270 [inline]
RIP: 0010:__check_object_size+0x1c6/0x28a mm/usercopy.c:228
RSP: 0018:ffff888056897628 EFLAGS: 00010282
RAX: 0000000000000062 RBX: 0000000000001000 RCX: 0000000000000000
RDX: 0000000000020d41 RSI: ffffffff81491530 RDI: ffffed100ad12ebb
RBP: ffffffff86b2e8c0 R08: 0000000000000062 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ced8000
R13: ffffffff86b2e880 R14: ffff88808ced9000 R15: ffffea000233b600
FS: 00007f2ab3097700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 0000000090914000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:108 [inline]
check_copy_size include/linux/thread_info.h:139 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
snd_rawmidi_kernel_write1+0x2d5/0x680 sound/core/rawmidi.c:1283
snd_rawmidi_write+0x275/0x970 sound/core/rawmidi.c:1348
__vfs_write+0xe4/0x630 fs/read_write.c:480
__kernel_write+0xf5/0x330 fs/read_write.c:501
write_pipe_buf+0x143/0x1b0 fs/splice.c:797
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x332/0x740 fs/splice.c:626
splice_from_pipe+0xc6/0x120 fs/splice.c:661
default_file_splice_write+0x37/0x80 fs/splice.c:809
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x115/0x160 fs/splice.c:1018
splice_direct_to_actor+0x27e/0x730 fs/splice.c:973
do_splice_direct+0x164/0x210 fs/splice.c:1061
do_sendfile+0x469/0xaf0 fs/read_write.c:1441
SYSC_sendfile64 fs/read_write.c:1502 [inline]
SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c829
RSP: 002b:00007f2ab3096c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004fc2e0 RCX: 000000000045c829
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008dc R14: 00000000004cb816 R15: 00007f2ab30976d4
Code: e9 b2 86 48 0f 45 ea e8 09 0e d0 ff 48 8b 04 24 49 89 d9 4c 89 e1 4c 89 ea 48 89 ee 48 c7 c7 80 e9 b2 86 49 89 c0 e8 c5 cd be ff <0f> 0b e8 e3 0d d0 ff 48 c7 c7 00 00 00 81 49 bf 00 00 00 00 80
RIP: report_usercopy mm/usercopy.c:73 [inline] RSP: ffff888056897628
RIP: __check_object_size mm/usercopy.c:270 [inline] RSP: ffff888056897628
RIP: __check_object_size+0x1c6/0x28a mm/usercopy.c:228 RSP: ffff888056897628
---[ end trace 0facba9d562291b9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: ab9dfda2 Linux 4.14.180
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=121d44ac100000
kernel config: https://syzkaller.appspot.com/x/.config?x=221566a7407ce2de
dashboard link: https://syzkaller.appspot.com/bug?extid=4f4cb24a5ea198464e0a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4f4cb2...@syzkaller.appspotmail.com
usercopy: kernel memory overwrite attempt detected to ffff88808ced8000 (kmalloc-1024) (4096 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:73!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 9236 Comm: syz-executor.2 Not tainted 4.14.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88804369c240 task.stack: ffff888056890000
RIP: 0010:report_usercopy mm/usercopy.c:73 [inline]
RIP: 0010:__check_object_size mm/usercopy.c:270 [inline]
RIP: 0010:__check_object_size+0x1c6/0x28a mm/usercopy.c:228
RSP: 0018:ffff888056897628 EFLAGS: 00010282
RAX: 0000000000000062 RBX: 0000000000001000 RCX: 0000000000000000
RDX: 0000000000020d41 RSI: ffffffff81491530 RDI: ffffed100ad12ebb
RBP: ffffffff86b2e8c0 R08: 0000000000000062 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ced8000
R13: ffffffff86b2e880 R14: ffff88808ced9000 R15: ffffea000233b600
FS: 00007f2ab3097700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 0000000090914000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:108 [inline]
check_copy_size include/linux/thread_info.h:139 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
snd_rawmidi_kernel_write1+0x2d5/0x680 sound/core/rawmidi.c:1283
snd_rawmidi_write+0x275/0x970 sound/core/rawmidi.c:1348
__vfs_write+0xe4/0x630 fs/read_write.c:480
__kernel_write+0xf5/0x330 fs/read_write.c:501
write_pipe_buf+0x143/0x1b0 fs/splice.c:797
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x332/0x740 fs/splice.c:626
splice_from_pipe+0xc6/0x120 fs/splice.c:661
default_file_splice_write+0x37/0x80 fs/splice.c:809
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x115/0x160 fs/splice.c:1018
splice_direct_to_actor+0x27e/0x730 fs/splice.c:973
do_splice_direct+0x164/0x210 fs/splice.c:1061
do_sendfile+0x469/0xaf0 fs/read_write.c:1441
SYSC_sendfile64 fs/read_write.c:1502 [inline]
SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c829
RSP: 002b:00007f2ab3096c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004fc2e0 RCX: 000000000045c829
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008dc R14: 00000000004cb816 R15: 00007f2ab30976d4
Code: e9 b2 86 48 0f 45 ea e8 09 0e d0 ff 48 8b 04 24 49 89 d9 4c 89 e1 4c 89 ea 48 89 ee 48 c7 c7 80 e9 b2 86 49 89 c0 e8 c5 cd be ff <0f> 0b e8 e3 0d d0 ff 48 c7 c7 00 00 00 81 49 bf 00 00 00 00 80
RIP: report_usercopy mm/usercopy.c:73 [inline] RSP: ffff888056897628
RIP: __check_object_size mm/usercopy.c:270 [inline] RSP: ffff888056897628
RIP: __check_object_size+0x1c6/0x28a mm/usercopy.c:228 RSP: ffff888056897628
---[ end trace 0facba9d562291b9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
11.09.2020 г., 1:21:1211.09.20 г.
до syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Отговор до всички
Отговор до автора
Препращане
0 нови съобщения