BUG: bad usercopy in rw_copy_check_uvector
6 views
Skip to first unread message
syzbot
Dec 22, 2017, 6:54:04 PM12/22/17
to syzkaller-upst...@googlegroups.com
Hello,
syzkaller hit the following crash on
8f36e00065436412a02d1f50ad77375bdb506300
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [kees...@chromium.org keun-...@darkmatter.ae lab...@redhat.com
linux-...@vger.kernel.org linu...@kvack.org mark.r...@arm.com
mi...@kernel.org will....@arm.com]
usercopy: kernel memory overwrite attempt detected to 000000007a66b73d
(kmalloc-1024) (1008 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 7588 Comm: syz-executor1 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
RSP: 0018:ffff8801b4947838 EFLAGS: 00010282
RAX: 0000000000000062 RBX: ffffffff85328f00 RCX: 0000000000000000
RDX: 0000000000000062 RSI: ffffc900038b6000 RDI: ffffed0036928efb
RBP: ffff8801b4947928 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000e460f5f1 R11: 0000000000000000 R12: ffffffff85328ec0
R13: ffff8801d8408e10 R14: 00000000000003f0 R15: ffffea0007610200
FS: 00007f5aba9c9700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc43d1ebc50 CR3: 00000001d25f6003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
rw_copy_check_uvector+0x73/0x280 fs/read_write.c:760
import_iovec+0xc8/0x430 lib/iov_iter.c:1398
copy_msghdr_from_user+0x39b/0x590 net/socket.c:1937
___sys_recvmsg+0x15a/0x640 net/socket.c:2165
__sys_recvmsg+0xe2/0x210 net/socket.c:2222
SYSC_recvmsg net/socket.c:2234 [inline]
SyS_recvmsg+0x2d/0x50 net/socket.c:2229
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f5aba9c8c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09
RDX: 0000000040002002 RSI: 000000002000b000 RDI: 0000000000000014
RBP: 000000000000039b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2728
R13: 00000000ffffffff R14: 00007f5aba9c96d4 R15: 0000000000000000
Code: 48 0f 44 da e8 30 bb c1 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
89 e2 48 89 de 48 c7 c7 c0 8f 32 85 49 89 c0 e8 b6 76 ab ff <0f> 0b 48 c7
c0 80 8d 32 85 eb 96 48 c7 c0 c0 8d 32 85 eb 8d 48
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801b4947838
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801b4947838
---[ end trace df244fc30c725c0f ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
syzkaller hit the following crash on
8f36e00065436412a02d1f50ad77375bdb506300
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [kees...@chromium.org keun-...@darkmatter.ae lab...@redhat.com
linux-...@vger.kernel.org linu...@kvack.org mark.r...@arm.com
mi...@kernel.org will....@arm.com]
usercopy: kernel memory overwrite attempt detected to 000000007a66b73d
(kmalloc-1024) (1008 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 7588 Comm: syz-executor1 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
RSP: 0018:ffff8801b4947838 EFLAGS: 00010282
RAX: 0000000000000062 RBX: ffffffff85328f00 RCX: 0000000000000000
RDX: 0000000000000062 RSI: ffffc900038b6000 RDI: ffffed0036928efb
RBP: ffff8801b4947928 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000e460f5f1 R11: 0000000000000000 R12: ffffffff85328ec0
R13: ffff8801d8408e10 R14: 00000000000003f0 R15: ffffea0007610200
FS: 00007f5aba9c9700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc43d1ebc50 CR3: 00000001d25f6003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
rw_copy_check_uvector+0x73/0x280 fs/read_write.c:760
import_iovec+0xc8/0x430 lib/iov_iter.c:1398
copy_msghdr_from_user+0x39b/0x590 net/socket.c:1937
___sys_recvmsg+0x15a/0x640 net/socket.c:2165
__sys_recvmsg+0xe2/0x210 net/socket.c:2222
SYSC_recvmsg net/socket.c:2234 [inline]
SyS_recvmsg+0x2d/0x50 net/socket.c:2229
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a09
RSP: 002b:00007f5aba9c8c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452a09
RDX: 0000000040002002 RSI: 000000002000b000 RDI: 0000000000000014
RBP: 000000000000039b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2728
R13: 00000000ffffffff R14: 00007f5aba9c96d4 R15: 0000000000000000
Code: 48 0f 44 da e8 30 bb c1 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
89 e2 48 89 de 48 c7 c7 c0 8f 32 85 49 89 c0 e8 b6 76 ab ff <0f> 0b 48 c7
c0 80 8d 32 85 eb 96 48 c7 c0 c0 8d 32 85 eb 8d 48
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801b4947838
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801b4947838
---[ end trace df244fc30c725c0f ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
syzbot
Dec 31, 2017, 3:09:32 AM12/31/17
to Dmitry Vyukov, dvy...@google.com, syzkaller-upst...@googlegroups.com
> On Sat, Dec 23, 2017 at 12:54 AM, syzbot
> <bot+d0e002e9fe9d630ea1...@syzkaller.appspotmail.com>
> Bad things on kmalloc-1024 are most likely caused by an invalid free
> in pcrypt, it freed a pointer into a middle of a 1024 byte heap object
> which was undetected by KASAN (now there is a patch for this in mm
> tree) and later caused all kinds of bad things:
> https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
> https://patchwork.kernel.org/patch/10126761/
> #syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
Dup bug is already upstreamed.
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzk...@googlegroups.com.
>> Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is merged into any tree, reply to this email
>> with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email
>> body.
>> To upstream this report, please reply with:
>> #syz upstream
>> --
>> You received this message because you are subscribed to the Google Groups
>> "syzkaller-upstream-moderation" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to syzkaller-upstream-m...@googlegroups.com.
>> To post to this group, send email to
>> syzkaller-upst...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/089e08231920e0ff670560f68715%40google.com.
>> For more options, visit https://groups.google.com/d/optout.
> <bot+d0e002e9fe9d630ea1...@syzkaller.appspotmail.com>
> in pcrypt, it freed a pointer into a middle of a 1024 byte heap object
> which was undetected by KASAN (now there is a patch for this in mm
> tree) and later caused all kinds of bad things:
> https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
> https://patchwork.kernel.org/patch/10126761/
> #syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
Dup bug is already upstreamed.
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzk...@googlegroups.com.
>> Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is merged into any tree, reply to this email
>> with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email
>> body.
>> To upstream this report, please reply with:
>> #syz upstream
>> You received this message because you are subscribed to the Google Groups
>> "syzkaller-upstream-moderation" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to syzkaller-upstream-m...@googlegroups.com.
>> To post to this group, send email to
>> syzkaller-upst...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/089e08231920e0ff670560f68715%40google.com.
>> For more options, visit https://groups.google.com/d/optout.
Dmitry Vyukov
Dec 31, 2017, 3:09:32 AM12/31/17
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
On Sat, Dec 23, 2017 at 12:54 AM, syzbot
<bot+d0e002e9fe9d630ea1...@syzkaller.appspotmail.com>
wrote:
<bot+d0e002e9fe9d630ea1...@syzkaller.appspotmail.com>
wrote:
Bad things on kmalloc-1024 are most likely caused by an invalid free
in pcrypt, it freed a pointer into a middle of a 1024 byte heap object
which was undetected by KASAN (now there is a patch for this in mm
tree) and later caused all kinds of bad things:
https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
https://patchwork.kernel.org/patch/10126761/
#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
in pcrypt, it freed a pointer into a middle of a 1024 byte heap object
which was undetected by KASAN (now there is a patch for this in mm
tree) and later caused all kinds of bad things:
https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
https://patchwork.kernel.org/patch/10126761/
#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzk...@googlegroups.com.
> Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
> To upstream this report, please reply with:
> #syz upstream
>
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzk...@googlegroups.com.
> Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
> To upstream this report, please reply with:
> #syz upstream
>
Dmitry Vyukov
Dec 31, 2017, 3:16:30 AM12/31/17
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
#syz fix: crypto: pcrypt - fix freeing pcrypt instances
On Sun, Dec 31, 2017 at 9:09 AM, syzbot
<syzbot+d0e002e9fe9d630e...@syzkaller.appspotmail.com>
wrote:
On Sun, Dec 31, 2017 at 9:09 AM, syzbot
<syzbot+d0e002e9fe9d630e...@syzkaller.appspotmail.com>
wrote:
Reply all
Reply to author
Forward
0 new messages