* Re: [syzbot] BUG: bad usercopy in io_openat2_prep
[not found] <[email protected]>
@ 2023-02-11 16:36 ` Kees Cook
2023-02-12 15:47 ` Pavel Begunkov
2023-02-13 11:27 ` Dmitry Vyukov
0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2023-02-11 16:36 UTC (permalink / raw)
To: syzbot, akpm, keescook, linux-hardening, linux-kernel, linux-mm,
syzkaller-bugs, io-uring
On February 11, 2023 8:08:52 AM PST, syzbot <[email protected]> wrote:
>Hello,
>
>syzbot found the following issue on:
>
>HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
>
>Downloadable assets:
>disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: [email protected]
>
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
-Kees
> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [syzbot] BUG: bad usercopy in io_openat2_prep
2023-02-11 16:36 ` [syzbot] BUG: bad usercopy in io_openat2_prep Kees Cook
@ 2023-02-12 15:47 ` Pavel Begunkov
2023-02-12 16:04 ` syzbot
2023-02-13 11:27 ` Dmitry Vyukov
1 sibling, 1 reply; 4+ messages in thread
From: Pavel Begunkov @ 2023-02-12 15:47 UTC (permalink / raw)
To: Kees Cook, syzbot, akpm, keescook, linux-hardening, linux-kernel,
linux-mm, syzkaller-bugs, io-uring
On 2/11/23 16:36, Kees Cook wrote:
> On February 11, 2023 8:08:52 AM PST, syzbot <[email protected]> wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>> userspace arch: arm64
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
I couldn't reproduce it, let's try latest io_uring first
#syz test: https://git.kernel.dk/linux.git for-6.3/io_uring
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: [email protected]
>>
>> usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
>
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
>
> -Kees
>
>> [...]
>> Call trace:
>> usercopy_abort+0x90/0x94
>> __check_heap_object+0xa8/0x100
>> __check_object_size+0x208/0x6b8
>> io_openat2_prep+0xcc/0x2b8
>> io_submit_sqes+0x338/0xbb8
>> __arm64_sys_io_uring_enter+0x168/0x1308
>> invoke_syscall+0x64/0x178
>> el0_svc_common+0xbc/0x180
>> do_el0_svc+0x48/0x110
>> el0_svc+0x58/0x14c
>> el0t_64_sync_handler+0x84/0xf0
>> el0t_64_sync+0x190/0x194
>
>
>
--
Pavel Begunkov
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [syzbot] BUG: bad usercopy in io_openat2_prep
2023-02-12 15:47 ` Pavel Begunkov
@ 2023-02-12 16:04 ` syzbot
0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2023-02-12 16:04 UTC (permalink / raw)
To: akpm, asml.silence, io-uring, kees, keescook, linux-hardening,
linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: bad usercopy in io_openat2_prep
usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4995 Comm: syz-executor.0 Not tainted 6.2.0-rc6-syzkaller-00050-gfbe870a72fd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94
lr : usercopy_abort+0x90/0x94
sp : ffff800012dd3be0
x29: ffff800012dd3bf0 x28: 000000000000001c x27: ffff0000d0e13400
x26: 00000000200000c0 x25: ffff80000cf51000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc0003108280 x21: ffff0000c420a118
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000000000
x17: 0000000000000000 x16: ffff0000d0e13df8 x15: ffff80000dbd1118
x14: ffff0000d0e13400 x13: 00000000ffffffff x12: ffff0000d0e13400
x11: ff808000081bd5b0 x10: 0000000000000000 x9 : 4c3aa38d2e853f00
x8 : 4c3aa38d2e853f00 x7 : ffff800008162dbc x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
usercopy_abort+0x90/0x94
__check_heap_object+0xa8/0x100
__check_object_size+0x208/0x6b8
io_openat2_prep+0xcc/0x2f0
io_submit_sqes+0x330/0xba8
__arm64_sys_io_uring_enter+0x168/0x9b0
invoke_syscall+0x64/0x178
el0_svc_common+0xbc/0x180
do_el0_svc+0x48/0x150
el0_svc+0x58/0x14c
el0t_64_sync_handler+0x84/0xf0
el0t_64_sync+0x190/0x194
Code: 911d2800 aa0903e1 f90003e8 94e6d3da (d4210000)
---[ end trace 0000000000000000 ]---
Tested on:
commit: fbe870a7 io_uring,audit: don't log IORING_OP_MADVISE
git tree: https://git.kernel.dk/linux.git for-6.3/io_uring
console output: https://syzkaller.appspot.com/x/log.txt?x=17241257480000
kernel config: https://syzkaller.appspot.com/x/.config?x=22fc000172595f28
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Note: no patches were applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [syzbot] BUG: bad usercopy in io_openat2_prep
2023-02-11 16:36 ` [syzbot] BUG: bad usercopy in io_openat2_prep Kees Cook
2023-02-12 15:47 ` Pavel Begunkov
@ 2023-02-13 11:27 ` Dmitry Vyukov
1 sibling, 0 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2023-02-13 11:27 UTC (permalink / raw)
To: Kees Cook
Cc: syzbot, akpm, keescook, linux-hardening, linux-kernel, linux-mm,
syzkaller-bugs, io-uring, Aleksandr Nogikh
On Mon, 13 Feb 2023 at 12:05, Kees Cook <[email protected]> wrote:
>
> On February 11, 2023 8:08:52 AM PST, syzbot <[email protected]> wrote:
> >Hello,
> >
> >syzbot found the following issue on:
> >
> >HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
> >git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> >console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
> >kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
> >dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
> >compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> >userspace arch: arm64
> >syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
> >C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
> >
> >Downloadable assets:
> >disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
> >vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
> >kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
> >
> >IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >Reported-by: [email protected]
> >
> >usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
>
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
We've just noticed that some of syzbot arm64 configs did not enable
KASAN, so it could produce false one-off reports caused by previous
silent memory corruptions.
So if you don't see anything obvious, don't spend too much time looking at it.
#syz invalid
> -Kees
>
> > [...]
> >Call trace:
> > usercopy_abort+0x90/0x94
> > __check_heap_object+0xa8/0x100
> > __check_object_size+0x208/0x6b8
> > io_openat2_prep+0xcc/0x2b8
> > io_submit_sqes+0x338/0xbb8
> > __arm64_sys_io_uring_enter+0x168/0x1308
> > invoke_syscall+0x64/0x178
> > el0_svc_common+0xbc/0x180
> > do_el0_svc+0x48/0x110
> > el0_svc+0x58/0x14c
> > el0t_64_sync_handler+0x84/0xf0
> > el0t_64_sync+0x190/0x194
>
>
>
> --
> Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-02-13 11:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <[email protected]>
2023-02-11 16:36 ` [syzbot] BUG: bad usercopy in io_openat2_prep Kees Cook
2023-02-12 15:47 ` Pavel Begunkov
2023-02-12 16:04 ` syzbot
2023-02-13 11:27 ` Dmitry Vyukov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox