[Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table


Yang, Chenyuan

Jan 8, 2024, 10:26:36 AM
to linux-...@vger.kernel.org, linu...@lists.infradead.org, ric...@nod.at, miquel...@bootlin.com, vign...@ti.com, syzk...@googlegroups.com, Zhao, Zijie, Zhang, Lingming

Hello,


We detected one crash, “WARNING: zero-size vmalloc in ubi_read_volume_table” for the volume management system UBI (under linux/drivers/mtd/ubi) by using our generated syscall specification for it.


This crash is triggered by create_empty_lvol (https://elixir.bootlin.com/linux/v6.7/source/drivers/mtd/ubi/vtbl.c#L484), which allocates a zero-size memory by using `vzalloc`. Additionally, this issue is associated with the /dev/ubi_ctrl driver, particularly when using IOCTL with the command value UBI_IOCATT. The size allocated can be manipulated through the ubi_attach_req argument by altering the vid_hdr_offset and max_beb_per1024 fields.


To fix this issue, it would be better to implement a check step in the create_empty_lvol function.


The crash is reproducible by a C program, which is attached in the file.

If you have any questions or require more information, please feel free to contact us.


Best,

Chenyuan


repro.cprog
repro.log
repro.prog
repro.report

Yang, Chenyuan

Jan 23, 2024, 10:31:15 AM
to linu...@lists.infradead.org, ric...@nod.at, miquel...@bootlin.com, vign...@ti.com, syzk...@googlegroups.com, Zhao, Zijie, Zhang, Lingming
Dear Linux Kernel Developers for UBI,

I am writing to inquire if there have been any updates regarding the crash issue previously discussed. I would like to suggest a potential solution: adding a check for the malloc size could possibly prevent crashes caused by zero-size vmalloc.

Your insights on this matter would be greatly appreciated. Thank you for your time and dedication.

Best,
Chenyuan

---
From: "Yang, Chenyuan" <cy...@illinois.edu>
Date: Monday, January 8, 2024 at 9:26 AM
To: "linux-...@vger.kernel.org" <linux-...@vger.kernel.org>, "linu...@lists.infradead.org" <linu...@lists.infradead.org>
Cc: "ric...@nod.at" <ric...@nod.at>, "miquel...@bootlin.com" <miquel...@bootlin.com>, "vign...@ti.com" <vign...@ti.com>, "syzk...@googlegroups.com" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, Lingming Zhang <ling...@illinois.edu>
Subject: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table

Richard Weinberger

Jan 23, 2024, 11:15:46 AM
to Yang, Chenyuan, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Chenyuan,

----- Original Message -----
> From: "Yang, Chenyuan" <cy...@illinois.edu>
> To: "linux-mtd" <linu...@lists.infradead.org>, "richard" <ric...@nod.at>, "Miquel Raynal"
> <miquel...@bootlin.com>, "Vignesh Raghavendra" <vign...@ti.com>
> CC: "syzkaller" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, "Zhang, Lingming"
> <ling...@illinois.edu>
> Sent: Tuesday, January 23, 2024 16:30:59
> Subject: Re: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table

> Dear Linux Kernel Developers for UBI,
>
> I am writing to inquire if there have been any updates regarding the crash issue
> previously discussed. I would like to suggest a potential solution: adding a
> check for the malloc size could possibly prevent crashes caused by zero-size
> vmalloc.
>
> Your insights on this matter would be greatly appreciated. Thank you for your
> time and dedication.

Before we add a check, what MTD are you using?
Can you share the parameters? Erase size, etc...

Thanks,
//richard

Yang, Chenyuan

Jan 23, 2024, 11:39:40 AM
to Richard Weinberger, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Hi Richard,

Thanks for your prompt reply! Here are the configs related to MTD, and I attach the whole CONFIG in this email.

```
# CONFIG_GNSS is not set
CONFIG_MTD=y
# CONFIG_MTD_TESTS is not set

#
# Partition parsers
#
# CONFIG_MTD_AR7_PARTS is not set
# CONFIG_MTD_CMDLINE_PARTS is not set
# CONFIG_MTD_OF_PARTS is not set
# CONFIG_MTD_REDBOOT_PARTS is not set
# end of Partition parsers

#
# User Modules And Translation Layers
#
CONFIG_MTD_BLKDEVS=y
CONFIG_MTD_BLOCK=y

#
# Note that in some cases UBI block is preferred. See MTD_UBI_BLOCK.
#
CONFIG_FTL=y
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set
# CONFIG_RFD_FTL is not set
# CONFIG_SSFDC is not set
# CONFIG_SM_FTL is not set
# CONFIG_MTD_OOPS is not set
# CONFIG_MTD_SWAP is not set
# CONFIG_MTD_PARTITIONED_MASTER is not set

#
# RAM/ROM/Flash chip drivers
#
# CONFIG_MTD_CFI is not set
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_MTD_MAP_BANK_WIDTH_1=y
CONFIG_MTD_MAP_BANK_WIDTH_2=y
CONFIG_MTD_MAP_BANK_WIDTH_4=y
CONFIG_MTD_CFI_I1=y
CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_RAM is not set
# CONFIG_MTD_ROM is not set
# CONFIG_MTD_ABSENT is not set
# end of RAM/ROM/Flash chip drivers

#
# Mapping drivers for chip access
#
# CONFIG_MTD_COMPLEX_MAPPINGS is not set
# CONFIG_MTD_INTEL_VR_NOR is not set
# CONFIG_MTD_PLATRAM is not set
# end of Mapping drivers for chip access

#
# Self-contained MTD device drivers
#
# CONFIG_MTD_PMC551 is not set
# CONFIG_MTD_DATAFLASH is not set
# CONFIG_MTD_MCHP23K256 is not set
# CONFIG_MTD_MCHP48L640 is not set
# CONFIG_MTD_SST25L is not set
CONFIG_MTD_SLRAM=y
CONFIG_MTD_PHRAM=y
CONFIG_MTD_MTDRAM=y
CONFIG_MTDRAM_TOTAL_SIZE=128
CONFIG_MTDRAM_ERASE_SIZE=4
CONFIG_MTD_BLOCK2MTD=y

#
# Disk-On-Chip Device Drivers
#
# CONFIG_MTD_DOCG3 is not set
# end of Self-contained MTD device drivers

#
# NAND
#
# CONFIG_MTD_ONENAND is not set
# CONFIG_MTD_RAW_NAND is not set
# CONFIG_MTD_SPI_NAND is not set

#
# ECC engine support
#
# CONFIG_MTD_NAND_ECC_SW_HAMMING is not set
# CONFIG_MTD_NAND_ECC_SW_BCH is not set
# CONFIG_MTD_NAND_ECC_MXIC is not set
# end of ECC engine support
# end of NAND

#
# LPDDR & LPDDR2 PCM memory drivers
#
# CONFIG_MTD_LPDDR is not set
# end of LPDDR & LPDDR2 PCM memory drivers

# CONFIG_MTD_SPI_NOR is not set
CONFIG_MTD_UBI=y
CONFIG_MTD_UBI_WL_THRESHOLD=4096
CONFIG_MTD_UBI_BEB_LIMIT=20
# CONFIG_MTD_UBI_FASTMAP is not set
# CONFIG_MTD_UBI_GLUEBI is not set
# CONFIG_MTD_UBI_BLOCK is not set
# CONFIG_MTD_HYPERBUS is not set
CONFIG_OF=y
# CONFIG_OF_UNITTEST is not set
CONFIG_OF_KOBJ=y
CONFIG_OF_ADDRESS=y
CONFIG_OF_IRQ=y
# CONFIG_OF_OVERLAY is not set
CONFIG_OF_NUMA=y
CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
CONFIG_PARPORT=y
# CONFIG_PARPORT_PC is not set
# CONFIG_PARPORT_1284 is not set
CONFIG_PARPORT_NOT_PC=y
CONFIG_PNP=y
CONFIG_PNP_DEBUG_MESSAGES=y
```

If you need more information, feel free to contact me.

Best,
Chenyuan
config
machineInfo0

Richard Weinberger

Jan 23, 2024, 3:24:07 PM
to Chenyuan Yang, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zijie Zhao, Lingming Zhang
----- Original Message -----
> From: "Chenyuan Yang" <cy...@illinois.edu>
> If you need more information, feel free to contact me.

What is mtd0 in your case?

Please show me the contents of /proc/mtd and, if possible, mtdinfo -a.

Thanks,
//richard

Yang, Chenyuan

Jan 23, 2024, 5:44:09 PM
to Richard Weinberger, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Hi Richard,

Here is the content of /proc/mtd:

```
cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00001000 "mtdram test device"
```

By default, /dev/mtd0 is empty and mtd-utils is not installed.
After installing mtd-utils and running mtdinfo -a:

```
mtdinfo -a
Count of MTD devices: 1
Present MTD devices: mtd0
Sysfs interface supported: yes

mtd0
Name: mtdram test device
Type: ram
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 32 (131072 bytes, 128.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:0
Bad blocks are allowed: false
Device is writable: true
```

Best,
Chenyuan

Richard Weinberger

Jan 24, 2024, 4:30:08 AM
to Chenyuan Yang, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zijie Zhao, Lingming Zhang
Chenyuan,

----- Original Message -----
> From: "Chenyuan Yang" <cy...@illinois.edu>
> mtd0
> Name: mtdram test device
> Type: ram
> Eraseblock size: 4096 bytes, 4.0 KiB

You're working with an extremely small MTD and the fuzzer set the VID
offset to a large value. As a consequence, the LEB size was smaller than
a single volume table record and the calculation of the volume table returned
zero.
Fix sent.

Thanks,
//richard
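As an added illustration of the geometry Richard describes above and the check requested in the original report (this is example code written for this page, not the thread's attachment or the UBI driver's own code): a simplified model of how UBI derives the LEB size and volume table size from the eraseblock size and the caller-supplied VID header offset, with a zero-slot check in the place where the unguarded computation would otherwise hand a size of zero to `vzalloc`. The constants, field names, `ALIGN_UP` helper, `ubi_vtbl_geometry` function and the sample inputs are assumptions; the real attach path performs more validation than shown.

```c
#include <stdio.h>

/* On-flash constants from UBI's ubi-media.h; stated here as assumptions. */
#define UBI_VID_HDR_SIZE      64   /* bytes in the VID header */
#define UBI_VTBL_RECORD_SIZE  172  /* bytes in one volume table record */
#define UBI_MAX_VOLUMES       128  /* upper bound on volume table slots */
#define ALIGN_UP(x, a)        ((((x) + (a) - 1) / (a)) * (a))

/* Simplified attach-time geometry; field names follow struct ubi_device. */
struct ubi_geom {
    int peb_size;        /* MTD erase block size (4096 on the mtdram above) */
    int min_io_size;     /* MTD minimum I/O unit (1 on that mtdram) */
    int vid_hdr_offset;  /* chosen by the caller through ubi_attach_req */
    int leb_size;        /* derived: usable bytes per LEB */
    int vtbl_slots;      /* derived: records the table can hold */
    int vtbl_size;       /* derived: bytes to allocate for the table */
};

/* Derive LEB and volume table sizes the way UBI does, then refuse a LEB that
 * cannot hold even one record. Returns 0 on success, -1 if the headers do not
 * fit in the PEB, -2 if the table would be empty (the vzalloc(0) case). */
int ubi_vtbl_geometry(struct ubi_geom *g)
{
    /* LEB data starts after the VID header, rounded up to the I/O unit. */
    int leb_start = ALIGN_UP(g->vid_hdr_offset + UBI_VID_HDR_SIZE, g->min_io_size);
    if (leb_start >= g->peb_size)
        return -1;
    g->leb_size = g->peb_size - leb_start;

    g->vtbl_slots = g->leb_size / UBI_VTBL_RECORD_SIZE;
    if (g->vtbl_slots > UBI_MAX_VOLUMES)
        g->vtbl_slots = UBI_MAX_VOLUMES;

    /* The missing check: a LEB shorter than one record yields zero slots. */
    if (g->vtbl_slots == 0)
        return -2;

    g->vtbl_size = ALIGN_UP(g->vtbl_slots * UBI_VTBL_RECORD_SIZE, g->min_io_size);
    return 0;
}

int main(void)
{
    /* Constructed inputs: 4 KiB eraseblocks with a small and a huge VID offset. */
    struct ubi_geom ok = { 4096, 1, 64 }, bad = { 4096, 1, 3968 };
    int rc_ok = ubi_vtbl_geometry(&ok), rc_bad = ubi_vtbl_geometry(&bad);
    printf("offset 64: rc=%d slots=%d size=%d\n", rc_ok, ok.vtbl_slots, ok.vtbl_size);
    printf("offset 3968: rc=%d leb_size=%d\n", rc_bad, bad.leb_size);
    return 0;
}
```

With the 4 KiB eraseblock from the thread, an offset of 64 leaves 3968 bytes per LEB (23 records), while an offset of 3968 leaves only 64 bytes, fewer than one 172-byte record, which is the zero-slot case the check rejects.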