KASAN: null-ptr-deref Write in kvm_write_guest_virt_system
17 views
Skip to first unread message
syzbot
Sep 23, 2019, 4:04:07 AM9/23/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15621ee9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2bd67b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:332 [inline]
BUG: KASAN: null-ptr-deref in kvm_write_guest_virt_system+0x64/0x90
arch/x86/kvm/x86.c:4730
Write of size 24 at addr (null) by task syz-executor.1/12116
CPU: 0 PID: 12116 Comm: syz-executor.1 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x127/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
kvm_write_guest_virt_system+0x64/0x90 arch/x86/kvm/x86.c:4730
handle_vmread+0x548/0x730 arch/x86/kvm/vmx.c:8027
vmx_handle_exit+0x20d/0x1330 arch/x86/kvm/vmx.c:9203
vcpu_enter_guest+0xf28/0x5210 arch/x86/kvm/x86.c:7247
vcpu_run arch/x86/kvm/x86.c:7310 [inline]
kvm_arch_vcpu_ioctl_run+0x318/0x1000 arch/x86/kvm/x86.c:7477
kvm_vcpu_ioctl+0x401/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2611
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a09
RSP: 002b:00007f163b64fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a09
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f163b6506d4
R13: 00000000004c2da0 R14: 00000000004d65c0 R15: 00000000ffffffff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15621ee9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2bd67b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:332 [inline]
BUG: KASAN: null-ptr-deref in kvm_write_guest_virt_system+0x64/0x90
arch/x86/kvm/x86.c:4730
Write of size 24 at addr (null) by task syz-executor.1/12116
CPU: 0 PID: 12116 Comm: syz-executor.1 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x127/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
kvm_write_guest_virt_system+0x64/0x90 arch/x86/kvm/x86.c:4730
handle_vmread+0x548/0x730 arch/x86/kvm/vmx.c:8027
vmx_handle_exit+0x20d/0x1330 arch/x86/kvm/vmx.c:9203
vcpu_enter_guest+0xf28/0x5210 arch/x86/kvm/x86.c:7247
vcpu_run arch/x86/kvm/x86.c:7310 [inline]
kvm_arch_vcpu_ioctl_run+0x318/0x1000 arch/x86/kvm/x86.c:7477
kvm_vcpu_ioctl+0x401/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2611
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a09
RSP: 002b:00007f163b64fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a09
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f163b6506d4
R13: 00000000004c2da0 R14: 00000000004d65c0 R15: 00000000ffffffff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 23, 2019, 4:05:08 AM9/23/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: d573e8a7 Linux 4.19.75
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13539d03600000
kernel config: https://syzkaller.appspot.com/x/.config?x=50b385e67c7b7cdf
dashboard link: https://syzkaller.appspot.com/bug?extid=88ca9093220c4af4d216
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d4bee9600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148e6b45600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
audit: type=1400 audit(1569223609.146:36): avc: denied { map } for
pid=7447 comm="syz-executor465" path="/root/syz-executor465046457"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for
details.
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:333 [inline]
BUG: KASAN: null-ptr-deref in kvm_write_guest_virt_system+0x64/0x90
arch/x86/kvm/x86.c:5025
Write of size 24 at addr 0000000000000000 by task syz-executor465/7447
CPU: 1 PID: 7447 Comm: syz-executor465 Not tainted 4.19.75 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x199/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:333 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
kvm_write_guest_virt_system+0x64/0x90 arch/x86/kvm/x86.c:5025
handle_vmread+0x7fe/0xa10 arch/x86/kvm/vmx.c:8802
vmx_handle_exit+0x276/0x16b0 arch/x86/kvm/vmx.c:10183
vcpu_enter_guest+0x10ca/0x5ed0 arch/x86/kvm/x86.c:7743
vcpu_run arch/x86/kvm/x86.c:7806 [inline]
kvm_arch_vcpu_ioctl_run+0x457/0x16b0 arch/x86/kvm/x86.c:8006
kvm_vcpu_ioctl+0x4dc/0xf90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2617
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443679
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 1b 0c fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe01fbb3e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe01fbb3f0 RCX: 0000000000443679
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000400f60 R09: 0000000000400f60
R10: 0000000020003800 R11: 0000000000000246 R12: 0000000000404720
R13: 00000000004047b0 R14: 0000000000000000 R15: 0000000000000000
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
https://goo.gl/tpsmEJ#testing-patches
syzbot
Sep 23, 2019, 5:56:06 AM9/23/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=126c43ad600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=119e4c23600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2bd67b...@syzkaller.appspotmail.com
audit: type=1400 audit(1569232338.993:36): avc: denied { map } for
pid=6849 comm="syz-executor112" path="/root/syz-executor112931495"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
CPU: 0 PID: 6849 Comm: syz-executor112 Not tainted 4.14.146 #0
RIP: 0033:0x443679
RSP: 002b:00007ffd4246e438 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd4246e440 RCX: 0000000000443679
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152899a1600000
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=119e4c23600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2bd67b...@syzkaller.appspotmail.com
pid=6849 comm="syz-executor112" path="/root/syz-executor112931495"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for
details.
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for
details.
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:332 [inline]
BUG: KASAN: null-ptr-deref in kvm_write_guest_virt_system+0x64/0x90
arch/x86/kvm/x86.c:4730
Write of size 24 at addr (null) by task syz-executor112/6849
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:332 [inline]
BUG: KASAN: null-ptr-deref in kvm_write_guest_virt_system+0x64/0x90
arch/x86/kvm/x86.c:4730
CPU: 0 PID: 6849 Comm: syz-executor112 Not tainted 4.14.146 #0
RSP: 002b:00007ffd4246e438 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd4246e440 RCX: 0000000000443679
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
syzbot
Dec 11, 2019, 7:02:02 PM12/11/19
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 2890b718f4a8bab2b4e4ef773cecab2b99ddd5d6
Author: Rasmus Villemoes <li...@rasmusvillemoes.dk>
Date: Mon Aug 12 13:13:56 2019 +0000
watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14d5b596e00000
start commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
#syz fix: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 2890b718f4a8bab2b4e4ef773cecab2b99ddd5d6
Author: Rasmus Villemoes <li...@rasmusvillemoes.dk>
Date: Mon Aug 12 13:13:56 2019 +0000
watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14d5b596e00000
start commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
dashboard link: https://syzkaller.appspot.com/bug?extid=2bd67b417d81d09ef9d9
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152899a1600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=119e4c23600000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=119e4c23600000
#syz fix: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Dec 12, 2019, 12:08:02 AM12/12/19
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 3683dd7074dcda394cc4f976c5ef26fbb9dfb11c
Author: Wei Yongjun <weiyo...@huawei.com>
Date: Wed Sep 4 14:18:09 2019 +0000
crypto: cavium/zip - Add missing single_release()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17c3892ee00000
start commit: 58fce206 Linux 4.19.78
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=385b97bfadb400be
dashboard link: https://syzkaller.appspot.com/bug?extid=88ca9093220c4af4d216
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156e60e7600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104f6593600000
If the result looks correct, please mark the bug fixed by replying with:
Reply all
Reply to author
Forward
0 new messages