BUG: bad usercopy in alg_setsockopt
7 views
Skip to first unread message
syzbot
Jan 5, 2018, 8:58:04 AM1/5/18
to syzkaller-upst...@googlegroups.com
Hello,
syzkaller hit the following crash on
72bca2084a21edda74b802bc076083d5951f67b4
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [james...@arm.com kees...@chromium.org keun-...@darkmatter.ae
lab...@redhat.com linux-...@vger.kernel.org linu...@kvack.org
mark.r...@arm.com mi...@kernel.org]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+144bf0...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
usercopy: kernel memory overwrite attempt detected to 0000000012e47039
(kmalloc-1024) (952 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 8076 Comm: syz-executor7 Not tainted 4.15.0-rc5+ #173
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
RSP: 0018:ffff8801ce817d10 EFLAGS: 00010282
RAX: 0000000000000061 RBX: ffffffff8592bb60 RCX: 0000000000000000
RDX: 0000000000000061 RSI: ffffc90002d9c000 RDI: ffffed0039d02f96
RBP: ffff8801ce817e00 R08: 1ffff10039d02f24 R09: 0000000000000000
R10: 0000000056b703f8 R11: 0000000000000000 R12: ffffffff8592bb20
R13: ffff8801bf9b2950 R14: 00000000000003b8 R15: ffffea0006fe6c80
FS: 00007f4ad64a2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c000 CR3: 00000001c6703003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
alg_setkey crypto/af_alg.c:218 [inline]
alg_setsockopt+0x234/0x350 crypto/af_alg.c:254
SYSC_setsockopt net/socket.c:1821 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1800
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007f4ad64a1c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000001 RSI: 0000000000000117 RDI: 0000000000000013
RBP: 0000000000000568 R08: 00000000000003b8 R09: 0000000000000000
R10: 0000000020b3aff0 R11: 0000000000000212 R12: 00000000006f6260
R13: 00000000ffffffff R14: 00007f4ad64a26d4 R15: 0000000000000000
Code: 48 0f 44 da e8 70 5b c0 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
89 e2 48 89 de 48 c7 c7 20 bc 92 85 49 89 c0 e8 e6 10 aa ff <0f> 0b 48 c7
c0 e0 b9 92 85 eb 96 48 c7 c0 20 ba 92 85 eb 8d 48
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801ce817d10
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801ce817d10
---[ end trace 26ea5793f0ff2338 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
syzkaller hit the following crash on
72bca2084a21edda74b802bc076083d5951f67b4
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [james...@arm.com kees...@chromium.org keun-...@darkmatter.ae
lab...@redhat.com linux-...@vger.kernel.org linu...@kvack.org
mark.r...@arm.com mi...@kernel.org]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+144bf0...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
usercopy: kernel memory overwrite attempt detected to 0000000012e47039
(kmalloc-1024) (952 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 8076 Comm: syz-executor7 Not tainted 4.15.0-rc5+ #173
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
RSP: 0018:ffff8801ce817d10 EFLAGS: 00010282
RAX: 0000000000000061 RBX: ffffffff8592bb60 RCX: 0000000000000000
RDX: 0000000000000061 RSI: ffffc90002d9c000 RDI: ffffed0039d02f96
RBP: ffff8801ce817e00 R08: 1ffff10039d02f24 R09: 0000000000000000
R10: 0000000056b703f8 R11: 0000000000000000 R12: ffffffff8592bb20
R13: ffff8801bf9b2950 R14: 00000000000003b8 R15: ffffea0006fe6c80
FS: 00007f4ad64a2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c000 CR3: 00000001c6703003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_from_user include/linux/uaccess.h:146 [inline]
alg_setkey crypto/af_alg.c:218 [inline]
alg_setsockopt+0x234/0x350 crypto/af_alg.c:254
SYSC_setsockopt net/socket.c:1821 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1800
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007f4ad64a1c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000001 RSI: 0000000000000117 RDI: 0000000000000013
RBP: 0000000000000568 R08: 00000000000003b8 R09: 0000000000000000
R10: 0000000020b3aff0 R11: 0000000000000212 R12: 00000000006f6260
R13: 00000000ffffffff R14: 00007f4ad64a26d4 R15: 0000000000000000
Code: 48 0f 44 da e8 70 5b c0 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
89 e2 48 89 de 48 c7 c7 20 bc 92 85 49 89 c0 e8 e6 10 aa ff <0f> 0b 48 c7
c0 e0 b9 92 85 eb 96 48 c7 c0 20 ba 92 85 eb 8d 48
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801ce817d10
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801ce817d10
---[ end trace 26ea5793f0ff2338 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
Dmitry Vyukov
Jan 5, 2018, 4:58:49 PM1/5/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
#syz fix: crypto: pcrypt - fix freeing pcrypt instances
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To post to this group, send email to
> syzkaller-upst...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/089e082638bc34b2ad056207d612%40google.com.
> For more options, visit https://groups.google.com/d/optout.
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To post to this group, send email to
> syzkaller-upst...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/089e082638bc34b2ad056207d612%40google.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages