Bug 201949 - KASAN: use-after-free Read in __handle_mm_fault
Summary: KASAN: use-after-free Read in __handle_mm_fault
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other
Hardware: All
OS: Linux
Priority: P1
Severity: normal
Assignee: Andrew Morton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-10 10:56 UTC by Guoooooo
Modified: 2018-12-11 15:42 UTC

See Also:
Kernel Version: 4.19-rc2,4.20-rc5,4.20-rc6
Subsystem:
Regression: No
Bisected commit-id:


Attachments
poc.c (7.38 KB, text/plain)
2018-12-10 10:56 UTC, Guoooooo
repro.log (4.52 KB, text/plain)
2018-12-10 10:57 UTC, Guoooooo

Description Guoooooo 2018-12-10 10:56:31 UTC
Created attachment 279915
poc.c

Syzkaller hit 'KASAN: use-after-free Read in __handle_mm_fault' bug.

==================================================================
BUG: KASAN: use-after-free in handle_pte_fault mm/memory.c:3744 [inline]
BUG: KASAN: use-after-free in __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
Read of size 8 at addr ffff888000048008 by task syz-executor666/2067

CPU: 0 PID: 2067 Comm: syz-executor666 Not tainted 4.20.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x25b/0x380 mm/kasan/report.c:412
 handle_pte_fault mm/memory.c:3744 [inline]
 __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
 handle_mm_fault+0xfc/0x350 mm/memory.c:3926
 do_user_addr_fault arch/x86/mm/fault.c:1423 [inline]
 __do_page_fault+0x4f4/0xaa0 arch/x86/mm/fault.c:1489
 async_page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142
RIP: 0033:0x4014fd
Code: Bad RIP value.
RSP: 002b:00007ffdaac075f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007ffdaac07790 RCX: 00007f6df4bee2f0
RDX: 0000000000000001 RSI: 00007f6df4bea270 RDI: 00007f6df4e08ae0
RBP: 0000000000000000 R08: 00007f6df4e08800 R09: 00007f6df4bea270
R10: 00007f6df4e08800 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffdaac07920 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0000001200 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x0()
raw: 0000000000000000 ffffea0000001208 ffffea0000001208 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888000047f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000047f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888000048000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888000048080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000048100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Syzkaller reproducer:
# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:8 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:true Repro:false Trace:false}
r0 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000080)={0x1, 0x0, 0x8, "ae"})
Comment 1 Guoooooo 2018-12-10 10:57:54 UTC
Created attachment 279917
repro.log
Comment 2 Andrew Morton 2018-12-10 23:45:54 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Mon, 10 Dec 2018 10:56:31 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=201949
> [...]
Comment 3 Dmitry Vyukov 2018-12-11 10:16:35 UTC
On Tue, Dec 11, 2018 at 12:45 AM Andrew Morton
<akpm@linux-foundation.org> wrote:
>
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).

Looking at the reproducer this looks like a bug in sg ioctl.
+block/scsi_ioctl.c maintainers

> [...]
Comment 4 Jens Axboe 2018-12-11 15:42:30 UTC
> Looking at the reproducer this looks like a bug in sg ioctl.
> +block/scsi_ioctl.c maintainers

No, this is opening /dev/sg, so it's drivers/scsi/sg.c and the SCSI friends. I took a quick look at it, and ioctl cmd == 1 ends up being SCSI_IOCTL_SEND_COMMAND. Don't you just love that we have totally overlapping ioctl commands? Jesus...

Anyway, the command is opcode 0x8, which is a READ_6. Hence the smallest unit that can be read is 512b, but the reproducer asks for 1 byte. I'm guessing the hw ends up DMA'ing a full sector (?) even though we ask for just 1 byte, since that isn't valid.

Honestly not sure what to do about this one. You're root and you're asking invalid things of the device/kernel.

Adding SCSI folks.

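To make the analysis above concrete, here is an added example in C; it is not the bug's poc.c attachment (which this page does not reproduce) and not kernel code. It builds the same SCSI_IOCTL_SEND_COMMAND request shape the syzkaller reproducer sends to /dev/sg# and, before issuing anything, checks whether the buffer the request declares can hold what its READ(6) CDB would transfer. Assumptions: the struct layout mirrors struct scsi_ioctl_command in the kernel's include/scsi/scsi_ioctl.h (inlen, outlen, then the command bytes); logical blocks are 512 bytes, as Jens states; the reproducer's double-quoted "ae" is syzkaller hex for the single byte 0xae, and the remaining four bytes of the 6-byte CDB are zero. The names sic_hdr, read6_transfer_bytes, check_send_command and build_request are mine.

```c
/*
 * Added example: build the reproducer's SCSI_IOCTL_SEND_COMMAND request for
 * /dev/sg* and sanity-check it before issuing it. Not the bug's poc.c and not
 * kernel code; the struct layout mirrors include/scsi/scsi_ioctl.h.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#ifndef SCSI_IOCTL_SEND_COMMAND
#define SCSI_IOCTL_SEND_COMMAND 1      /* same value the kernel uses */
#endif

#define READ_6          0x08           /* opcode from the reproducer */
#define READ_6_CDB_LEN  6
#define BLOCK_SIZE      512            /* assumption: 512-byte logical blocks */

/* Same layout as struct scsi_ioctl_command: inlen, outlen, then CDB + data. */
struct sic_hdr {
    unsigned int inlen;
    unsigned int outlen;
    unsigned char data[];
};

/* Bytes a READ(6) CDB moves: byte 4 is the transfer length in blocks,
 * and a value of 0 means 256 blocks. */
size_t read6_transfer_bytes(const unsigned char *cdb, unsigned block_size)
{
    unsigned blocks = cdb[4] ? cdb[4] : 256;
    return (size_t)blocks * block_size;
}

/* 0 if the larger of inlen/outlen can hold the READ(6) transfer, -1 if not
 * (or if the opcode is one this checker does not understand). */
int check_send_command(const struct sic_hdr *h, unsigned block_size)
{
    if (h->data[0] != READ_6)
        return -1;
    size_t need = read6_transfer_bytes(h->data, block_size);
    size_t have = h->inlen > h->outlen ? h->inlen : h->outlen;
    return have >= need ? 0 : -1;
}

/* Allocate header + 6-byte CDB + payload; fill the CDB bytes the reproducer
 * gives (0x08 READ_6, 0xae), set the transfer length byte, leave the rest 0. */
struct sic_hdr *build_request(unsigned inlen, unsigned outlen, unsigned char xfer_blocks)
{
    unsigned payload = inlen > outlen ? inlen : outlen;
    struct sic_hdr *h = calloc(1, sizeof(*h) + READ_6_CDB_LEN + payload);
    if (!h)
        return NULL;
    h->inlen = inlen;
    h->outlen = outlen;
    h->data[0] = READ_6;
    h->data[1] = 0xae;              /* second CDB byte from the reproducer */
    h->data[4] = xfer_blocks;       /* 0 in the reproducer, i.e. 256 blocks */
    return h;
}

int main(int argc, char **argv)
{
    /* Reproducer shape: inlen=1, outlen=0, transfer length byte 0. */
    struct sic_hdr *bad = build_request(1, 0, 0);
    /* A consistent READ(6): one block, with a 512-byte receive buffer. */
    struct sic_hdr *good = build_request(0, BLOCK_SIZE, 1);
    if (!bad || !good)
        return 1;

    printf("reproducer request: CDB moves %zu bytes, buffer %u -> %s\n",
           read6_transfer_bytes(bad->data, BLOCK_SIZE), bad->inlen,
           check_send_command(bad, BLOCK_SIZE) == 0 ? "ok" : "refused");
    printf("sized request:      CDB moves %zu bytes, buffer %u -> %s\n",
           read6_transfer_bytes(good->data, BLOCK_SIZE), good->outlen,
           check_send_command(good, BLOCK_SIZE) == 0 ? "ok" : "refused");

    /* Only the well-formed request is ever issued, and only when a device is
     * named on the command line (needs root and a real /dev/sgN behind it). */
    if (argc > 1) {
        int fd = open(argv[1], O_RDWR);
        if (fd < 0) { perror("open"); return 1; }
        if (ioctl(fd, SCSI_IOCTL_SEND_COMMAND, good) < 0)
            perror("SCSI_IOCTL_SEND_COMMAND");
        else
            /* received data is written back starting at data[0] */
            printf("first data byte from %s: 0x%02x\n", argv[1], good->data[0]);
        close(fd);
    }
    free(bad);
    free(good);
    return 0;
}
```

Run without arguments to see the two verdicts; pass a device path (e.g. `./a.out /dev/sg0` as root) to actually issue the sized request. The checker is deliberately narrow: it knows only READ(6) and the byte count implied by its transfer-length field, which is enough to show that the reproducer's request declares a 1-byte buffer against a command that moves whole 512-byte blocks.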