[Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table
655 views
Skip to first unread message
Yang, Chenyuan
Jan 8, 2024, 10:26:36 AMJan 8
to linux-...@vger.kernel.org, linu...@lists.infradead.org, ric...@nod.at, miquel...@bootlin.com, vign...@ti.com, syzk...@googlegroups.com, Zhao, Zijie, Zhang, Lingming
Hello,
We detected one crash, “WARNING: zero-size vmalloc in ubi_read_volume_table” for the volume management system UBI (under linux/drivers/mtd/ubi) by using our generated syscall specification for it.
This crash is triggered by create_empty_lvol (https://elixir.bootlin.com/linux/v6.7/source/drivers/mtd/ubi/vtbl.c#L484), which allocates a zero-size memory by using `vzalloc`. Additionally, this issue is associated with the /dev/ubi_ctrl driver, particularly when using IOCTL with the command value UBI_IOCATT. The size allocated can be manipulated through the ubi_attach_req argument by altering the vid_hdr_offset and max_beb_per1024 fields.
To fix this issue, it would be better to implement a check step in the create_empty_lvol function.
The crash is reproducible by a C program, which is attached in the file.
If you have any questions or require more information, please feel free to contact us.
Best,
Chenyuan
Yang, Chenyuan
Jan 23, 2024, 10:31:15 AMJan 23
to linu...@lists.infradead.org, ric...@nod.at, miquel...@bootlin.com, vign...@ti.com, syzk...@googlegroups.com, Zhao, Zijie, Zhang, Lingming
Dear Linux Kernel Developers for UBI,
I am writing to inquire if there have been any updates regarding the crash issue previously discussed. I would like to suggest a potential solution: adding a check for the malloc size could possibly prevent crashes caused by zero-size vmalloc.
Your insights on this matter would be greatly appreciated. Thank you for your time and dedication
Best,
Chenyuan
---
From: "Yang, Chenyuan" <cy...@illinois.edu>
Date: Monday, January 8, 2024 at 9:26 AM
To: "linux-...@vger.kernel.org" <linux-...@vger.kernel.org>, "linu...@lists.infradead.org" <linu...@lists.infradead.org>
Cc: "ric...@nod.at" <ric...@nod.at>, "miquel...@bootlin.com" <miquel...@bootlin.com>, "vign...@ti.com" <vign...@ti.com>, "syzk...@googlegroups.com" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, Lingming Zhang <ling...@illinois.edu>
Subject: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table
I am writing to inquire if there have been any updates regarding the crash issue previously discussed. I would like to suggest a potential solution: adding a check for the malloc size could possibly prevent crashes caused by zero-size vmalloc.
Your insights on this matter would be greatly appreciated. Thank you for your time and dedication
Best,
Chenyuan
---
From: "Yang, Chenyuan" <cy...@illinois.edu>
Date: Monday, January 8, 2024 at 9:26 AM
To: "linux-...@vger.kernel.org" <linux-...@vger.kernel.org>, "linu...@lists.infradead.org" <linu...@lists.infradead.org>
Cc: "ric...@nod.at" <ric...@nod.at>, "miquel...@bootlin.com" <miquel...@bootlin.com>, "vign...@ti.com" <vign...@ti.com>, "syzk...@googlegroups.com" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, Lingming Zhang <ling...@illinois.edu>
Subject: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table
Richard Weinberger
Jan 23, 2024, 11:15:46 AMJan 23
to Yang, Chenyuan, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Chenyuan,
----- Ursprüngliche Mail -----
> Von: "Yang, Chenyuan" <cy...@illinois.edu>
> An: "linux-mtd" <linu...@lists.infradead.org>, "richard" <ric...@nod.at>, "Miquel Raynal"
> <miquel...@bootlin.com>, "Vignesh Raghavendra" <vign...@ti.com>
> CC: "syzkaller" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, "Zhang, Lingming"
> <ling...@illinois.edu>
> Gesendet: Dienstag, 23. Januar 2024 16:30:59
> Betreff: Re: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table
> Dear Linux Kernel Developers for UBI,
>
> I am writing to inquire if there have been any updates regarding the crash issue
> previously discussed. I would like to suggest a potential solution: adding a
> check for the malloc size could possibly prevent crashes caused by zero-size
> vmalloc.
>
> Your insights on this matter would be greatly appreciated. Thank you for your
> time and dedication
Before we add a check, what MTD are you using?
Can you share the parameters? Erase size, etc...
Thanks,
//richard
----- Ursprüngliche Mail -----
> Von: "Yang, Chenyuan" <cy...@illinois.edu>
> An: "linux-mtd" <linu...@lists.infradead.org>, "richard" <ric...@nod.at>, "Miquel Raynal"
> <miquel...@bootlin.com>, "Vignesh Raghavendra" <vign...@ti.com>
> CC: "syzkaller" <syzk...@googlegroups.com>, "Zhao, Zijie" <zij...@illinois.edu>, "Zhang, Lingming"
> <ling...@illinois.edu>
> Gesendet: Dienstag, 23. Januar 2024 16:30:59
> Betreff: Re: [Linux Kernel Bug] WARNING: zero-size vmalloc in ubi_read_volume_table
> Dear Linux Kernel Developers for UBI,
>
> I am writing to inquire if there have been any updates regarding the crash issue
> previously discussed. I would like to suggest a potential solution: adding a
> check for the malloc size could possibly prevent crashes caused by zero-size
> vmalloc.
>
> Your insights on this matter would be greatly appreciated. Thank you for your
> time and dedication
Can you share the parameters? Erase size, etc...
Thanks,
//richard
Yang, Chenyuan
Jan 23, 2024, 11:39:40 AMJan 23
to Richard Weinberger, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Hi Richard,
Thanks for your prompt reply! Here are the configs related to MTD, and I attach the whole CONFIG in this email.
```
# CONFIG_GNSS is not set
CONFIG_MTD=y
# CONFIG_MTD_TESTS is not set
#
# Partition parsers
#
# CONFIG_MTD_AR7_PARTS is not set
# CONFIG_MTD_CMDLINE_PARTS is not set
# CONFIG_MTD_OF_PARTS is not set
# CONFIG_MTD_REDBOOT_PARTS is not set
# end of Partition parsers
#
# User Modules And Translation Layers
#
CONFIG_MTD_BLKDEVS=y
CONFIG_MTD_BLOCK=y
#
# Note that in some cases UBI block is preferred. See MTD_UBI_BLOCK.
#
CONFIG_FTL=y
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set
# CONFIG_RFD_FTL is not set
# CONFIG_SSFDC is not set
# CONFIG_SM_FTL is not set
# CONFIG_MTD_OOPS is not set
# CONFIG_MTD_SWAP is not set
# CONFIG_MTD_PARTITIONED_MASTER is not set
#
# RAM/ROM/Flash chip drivers
#
# CONFIG_MTD_CFI is not set
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_MTD_MAP_BANK_WIDTH_1=y
CONFIG_MTD_MAP_BANK_WIDTH_2=y
CONFIG_MTD_MAP_BANK_WIDTH_4=y
CONFIG_MTD_CFI_I1=y
CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_RAM is not set
# CONFIG_MTD_ROM is not set
# CONFIG_MTD_ABSENT is not set
# end of RAM/ROM/Flash chip drivers
#
# Mapping drivers for chip access
#
# CONFIG_MTD_COMPLEX_MAPPINGS is not set
# CONFIG_MTD_INTEL_VR_NOR is not set
# CONFIG_MTD_PLATRAM is not set
# end of Mapping drivers for chip access
#
# Self-contained MTD device drivers
#
# CONFIG_MTD_PMC551 is not set
# CONFIG_MTD_DATAFLASH is not set
# CONFIG_MTD_MCHP23K256 is not set
# CONFIG_MTD_MCHP48L640 is not set
# CONFIG_MTD_SST25L is not set
CONFIG_MTD_SLRAM=y
CONFIG_MTD_PHRAM=y
CONFIG_MTD_MTDRAM=y
CONFIG_MTDRAM_TOTAL_SIZE=128
CONFIG_MTDRAM_ERASE_SIZE=4
CONFIG_MTD_BLOCK2MTD=y
#
# Disk-On-Chip Device Drivers
#
# CONFIG_MTD_DOCG3 is not set
# end of Self-contained MTD device drivers
#
# NAND
#
# CONFIG_MTD_ONENAND is not set
# CONFIG_MTD_RAW_NAND is not set
# CONFIG_MTD_SPI_NAND is not set
#
# ECC engine support
#
# CONFIG_MTD_NAND_ECC_SW_HAMMING is not set
# CONFIG_MTD_NAND_ECC_SW_BCH is not set
# CONFIG_MTD_NAND_ECC_MXIC is not set
# end of ECC engine support
# end of NAND
#
# LPDDR & LPDDR2 PCM memory drivers
#
# CONFIG_MTD_LPDDR is not set
# end of LPDDR & LPDDR2 PCM memory drivers
# CONFIG_MTD_SPI_NOR is not set
CONFIG_MTD_UBI=y
CONFIG_MTD_UBI_WL_THRESHOLD=4096
CONFIG_MTD_UBI_BEB_LIMIT=20
# CONFIG_MTD_UBI_FASTMAP is not set
# CONFIG_MTD_UBI_GLUEBI is not set
# CONFIG_MTD_UBI_BLOCK is not set
# CONFIG_MTD_HYPERBUS is not set
CONFIG_OF=y
# CONFIG_OF_UNITTEST is not set
CONFIG_OF_KOBJ=y
CONFIG_OF_ADDRESS=y
CONFIG_OF_IRQ=y
# CONFIG_OF_OVERLAY is not set
CONFIG_OF_NUMA=y
CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
CONFIG_PARPORT=y
# CONFIG_PARPORT_PC is not set
# CONFIG_PARPORT_1284 is not set
CONFIG_PARPORT_NOT_PC=y
CONFIG_PNP=y
CONFIG_PNP_DEBUG_MESSAGES=y
```
If you need more information, feel free to contact me.
Best,
Chenyuan
Thanks for your prompt reply! Here are the configs related to MTD, and I attach the whole CONFIG in this email.
```
# CONFIG_GNSS is not set
CONFIG_MTD=y
# CONFIG_MTD_TESTS is not set
#
# Partition parsers
#
# CONFIG_MTD_AR7_PARTS is not set
# CONFIG_MTD_CMDLINE_PARTS is not set
# CONFIG_MTD_OF_PARTS is not set
# CONFIG_MTD_REDBOOT_PARTS is not set
# end of Partition parsers
#
# User Modules And Translation Layers
#
CONFIG_MTD_BLKDEVS=y
CONFIG_MTD_BLOCK=y
#
# Note that in some cases UBI block is preferred. See MTD_UBI_BLOCK.
#
CONFIG_FTL=y
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set
# CONFIG_RFD_FTL is not set
# CONFIG_SSFDC is not set
# CONFIG_SM_FTL is not set
# CONFIG_MTD_OOPS is not set
# CONFIG_MTD_SWAP is not set
# CONFIG_MTD_PARTITIONED_MASTER is not set
#
# RAM/ROM/Flash chip drivers
#
# CONFIG_MTD_CFI is not set
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_MTD_MAP_BANK_WIDTH_1=y
CONFIG_MTD_MAP_BANK_WIDTH_2=y
CONFIG_MTD_MAP_BANK_WIDTH_4=y
CONFIG_MTD_CFI_I1=y
CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_RAM is not set
# CONFIG_MTD_ROM is not set
# CONFIG_MTD_ABSENT is not set
# end of RAM/ROM/Flash chip drivers
#
# Mapping drivers for chip access
#
# CONFIG_MTD_COMPLEX_MAPPINGS is not set
# CONFIG_MTD_INTEL_VR_NOR is not set
# CONFIG_MTD_PLATRAM is not set
# end of Mapping drivers for chip access
#
# Self-contained MTD device drivers
#
# CONFIG_MTD_PMC551 is not set
# CONFIG_MTD_DATAFLASH is not set
# CONFIG_MTD_MCHP23K256 is not set
# CONFIG_MTD_MCHP48L640 is not set
# CONFIG_MTD_SST25L is not set
CONFIG_MTD_SLRAM=y
CONFIG_MTD_PHRAM=y
CONFIG_MTD_MTDRAM=y
CONFIG_MTDRAM_TOTAL_SIZE=128
CONFIG_MTDRAM_ERASE_SIZE=4
CONFIG_MTD_BLOCK2MTD=y
#
# Disk-On-Chip Device Drivers
#
# CONFIG_MTD_DOCG3 is not set
# end of Self-contained MTD device drivers
#
# NAND
#
# CONFIG_MTD_ONENAND is not set
# CONFIG_MTD_RAW_NAND is not set
# CONFIG_MTD_SPI_NAND is not set
#
# ECC engine support
#
# CONFIG_MTD_NAND_ECC_SW_HAMMING is not set
# CONFIG_MTD_NAND_ECC_SW_BCH is not set
# CONFIG_MTD_NAND_ECC_MXIC is not set
# end of ECC engine support
# end of NAND
#
# LPDDR & LPDDR2 PCM memory drivers
#
# CONFIG_MTD_LPDDR is not set
# end of LPDDR & LPDDR2 PCM memory drivers
# CONFIG_MTD_SPI_NOR is not set
CONFIG_MTD_UBI=y
CONFIG_MTD_UBI_WL_THRESHOLD=4096
CONFIG_MTD_UBI_BEB_LIMIT=20
# CONFIG_MTD_UBI_FASTMAP is not set
# CONFIG_MTD_UBI_GLUEBI is not set
# CONFIG_MTD_UBI_BLOCK is not set
# CONFIG_MTD_HYPERBUS is not set
CONFIG_OF=y
# CONFIG_OF_UNITTEST is not set
CONFIG_OF_KOBJ=y
CONFIG_OF_ADDRESS=y
CONFIG_OF_IRQ=y
# CONFIG_OF_OVERLAY is not set
CONFIG_OF_NUMA=y
CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
CONFIG_PARPORT=y
# CONFIG_PARPORT_PC is not set
# CONFIG_PARPORT_1284 is not set
CONFIG_PARPORT_NOT_PC=y
CONFIG_PNP=y
CONFIG_PNP_DEBUG_MESSAGES=y
```
If you need more information, feel free to contact me.
Best,
Chenyuan
Richard Weinberger
Jan 23, 2024, 3:24:07 PMJan 23
to Chenyuan Yang, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zijie Zhao, Lingming Zhang
----- Ursprüngliche Mail -----
> Von: "Chenyuan Yang" <cy...@illinois.edu>
Please show me the contents of /proc/mtd and, if possible, mtdinfo -a.
Thanks,
//richard
> Von: "Chenyuan Yang" <cy...@illinois.edu>
> If you need more information, feel free to contact me.
What is mtd0 in your case?
Please show me the contents of /proc/mtd and, if possible, mtdinfo -a.
Thanks,
//richard
Yang, Chenyuan
Jan 23, 2024, 5:44:09 PMJan 23
to Richard Weinberger, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zhao, Zijie, Zhang, Lingming
Hi Richard,
Here is the content of /proc/mtd
```
cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00001000 "mtdram test device"
```
By default, the /dev/mtd0 is empty and there is no mtd-utils installed.
After installing mtd-utils and running mtdinfo -a,
```
mtdinfo -a
Count of MTD devices: 1
Present MTD devices: mtd0
Sysfs interface supported: yes
mtd0
Name: mtdram test device
Type: ram
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 32 (131072 bytes, 128.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:0
Bad blocks are allowed: false
Device is writable: true
```
Best,
Chenyuan
Here is the content of /proc/mtd
```
cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00001000 "mtdram test device"
```
By default, the /dev/mtd0 is empty and there is no mtd-utils installed.
After installing mtd-utils and running mtdinfo -a,
```
mtdinfo -a
Count of MTD devices: 1
Present MTD devices: mtd0
Sysfs interface supported: yes
mtd0
Name: mtdram test device
Type: ram
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 32 (131072 bytes, 128.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:0
Bad blocks are allowed: false
Device is writable: true
```
Best,
Chenyuan
Richard Weinberger
Jan 24, 2024, 4:30:08 AMJan 24
to Chenyuan Yang, linux-mtd, Miquel Raynal, Vignesh Raghavendra, syzkaller, Zijie Zhao, Lingming Zhang
Chenyuan,
offset to a large value. As a consequence, the LEB size was smaller than
a single volume table record and the calculation of the volume table returned
zero.
Fix sent.
Thanks,
//richard
> mtd0
> Name: mtdram test device
> Type: ram
> Eraseblock size: 4096 bytes, 4.0 KiB
You're working with an extremely small MTD and the fuzzer set the VID
> Name: mtdram test device
> Type: ram
> Eraseblock size: 4096 bytes, 4.0 KiB
offset to a large value. As a consequence, the LEB size was smaller than
a single volume table record and the calculation of the volume table returned
zero.
Fix sent.
Thanks,
//richard
Reply all
Reply to author
Forward
0 new messages