许佳凯
Oct 11, 2025, 2:59:03 AM
to secu...@kernel.org, paul.w...@sifive.com, pal...@dabbelt.com, a...@eecs.berkeley.edu, syzk...@googlegroups.com, linux...@lists.infradead.org
Dear Linux Kernel Security Team and Maintainers,
We would like to report a security vulnerability in the Linux kernel, identified as a KASAN out-of-bounds read, which we discovered through fuzz testing.
1. Affected Version
The bug was successfully reproduced on the upstream Linux kernel version 6.16, specifically at commit 038d61fd642278bab63ee8ef722c50d10ab01e8f.
2. Build Configuration
The kernel was built with the accompanying configuration file (see attachment: .config), which includes the necessary KASAN options to detect this issue.
3. Proof of Concept and Reproduction
We have provided a reliable C reproducer program (repro.cprog attached) to trigger this bug. Additional diagnostic information, including full kernel logs and system context, can be found in the attached files log0, report0, and machineInfo0.
The vulnerability is triggered by the following sequence of system calls:
r0 = syz_open_procfs(0x0, &(0x7f0000000000)='stack\x00');
read(r0, &(0x7f0000000040)=""/5, 0x5); // (async)
setsockopt$MRT_INIT(r0, 0x0, 0xc8, 0x0, 0x0);
4. Root Cause Analysis
The core issue is a race condition that corrupts kernel state. The bug occurs when one thread initiates a kernel stack walk by reading the /proc/self/stack file, while a second thread concurrently issues a setsockopt() system call with the MRT_INIT command on the same file descriptor. This setsockopt operation is invalid for a proc filesystem file descriptor and inadvertently corrupts internal kernel data structures associated with it. This corruption causes the first thread's subsequent stack frame traversal (walk_stackframe) to compute an invalid memory address, resulting in an out-of-bounds read that is caught by KASAN.
Thank you for your attention to this matter.
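The two-call sequence from the report, rendered as plain C with POSIX threads so the race can be followed outside syzkaller (an added example, not the attached repro.cprog; the level 0 and optname 0xc8 are the raw values of the quoted syz program, and the function names are this example's own):

```c
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/socket.h>
#include <unistd.h>

/* Raw values from the syz program: level 0 (SOL_IP), optname 0xc8 (MRT_INIT). */
#define OPT_LEVEL_IP 0
#define OPT_MRT_INIT 0xc8

struct race_ctx {
    int fd;
    ssize_t nread; /* result of the concurrent read(), -2 until the thread ran */
};

/* Second thread: the "read(r0, ..., 0x5)" call the syz program marks as async. */
static void *stack_reader(void *arg)
{
    struct race_ctx *ctx = arg;
    char buf[5];
    ctx->nread = read(ctx->fd, buf, sizeof buf);
    return NULL;
}
/* Runs the report's two-call sequence on an open fd: the read in a second thread,
 * setsockopt(MRT_INIT) in this one. Returns errno from setsockopt (0 on success,
 * ENOTSOCK for any non-socket fd, a pthread error code if the thread failed). */
int race_read_vs_setsockopt(int fd)
{
    struct race_ctx ctx = { .fd = fd, .nread = -2 };
    pthread_t tid;
    int prc = pthread_create(&tid, NULL, stack_reader, &ctx);
    if (prc != 0)
        return prc;
    int rc = setsockopt(fd, OPT_LEVEL_IP, OPT_MRT_INIT, NULL, 0);
    int saved = (rc == 0) ? 0 : errno;
    pthread_join(tid, NULL);
    return saved;
}

/* Opens path read-only and runs the race on it; -1 if the open itself failed.
 * The report's fd is race_on_path("/proc/self/stack"). */
int race_on_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int e = race_read_vs_setsockopt(fd);
    close(fd);
    return e;
}
```

setsockopt() on a non-socket descriptor returns ENOTSOCK, so the only observable effect of interest is whatever the concurrent stack walk does, which can only be seen on the KASAN-enabled build described above and may take many repetitions of the sequence.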