From: Greg KH <gregkh@linuxfoundation.org>
To: Dipanjan Das <mail.dipanjan.das@gmail.com>
Cc: perex@perex.cz, tiwai@suse.com, consult.awy@gmail.com,
	alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
	syzkaller@googlegroups.com, fleischermarius@googlemail.com,
	its.priyanka.bose@gmail.com
Subject: Re: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params
Date: Sat, 23 Jul 2022 09:00:08 +0200
Message-ID: <YtuceCr5OCJcDatJ@kroah.com>
In-Reply-To: <CANX2M5Zw_zW6ez0_wvaXL1pbLnR2jWY=T7MgkT=4a-zNkiwVig@mail.gmail.com>

On Fri, Jul 22, 2022 at 09:37:52AM -0700, Dipanjan Das wrote:
> Hi,
> 
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
> 
> ======================================================
> description: KASAN: vmalloc-out-of-bounds Write in snd_pcm_hw_params
> affected file: sound/core/pcm_native.c
> kernel version: 5.10.131
> kernel commit: de62055f423f5dcb548f74cebd68f03c8903f73a
> git tree: upstream
> kernel config: https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
> crash reproducer: attached
> ======================================================
> Crash log:
> ======================================================
> BUG: KASAN: vmalloc-out-of-bounds in memset include/linux/string.h:384 [inline]
> BUG: KASAN: vmalloc-out-of-bounds in snd_pcm_hw_params+0x19b0/0x1db0
> sound/core/pcm_native.c:799
> Write of size 2097152 at addr ffffc900113b2000 by task syz-executor.5/14437
> 
> CPU: 1 PID: 14437 Comm: syz-executor.5 Tainted: G           OE     5.10.131+ #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x107/0x163 lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0x5/0x4f7 mm/kasan/report.c:385
>  __kasan_report mm/kasan/report.c:545 [inline]
>  kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
>  check_memory_region_inline mm/kasan/generic.c:194 [inline]
>  check_memory_region+0x187/0x1e0 mm/kasan/generic.c:200
>  memset+0x20/0x40 mm/kasan/common.c:85
>  memset include/linux/string.h:384 [inline]
>  snd_pcm_hw_params+0x19b0/0x1db0 sound/core/pcm_native.c:799
>  snd_pcm_kernel_ioctl+0xd1/0x240 sound/core/pcm_native.c:3401
>  snd_pcm_oss_change_params_locked+0x17b6/0x3aa0 sound/core/oss/pcm_oss.c:965
>  snd_pcm_oss_change_params+0x76/0xd0 sound/core/oss/pcm_oss.c:1107
>  snd_pcm_oss_make_ready+0xb7/0x170 sound/core/oss/pcm_oss.c:1166
>  snd_pcm_oss_set_trigger.isra.0+0x34f/0x770 sound/core/oss/pcm_oss.c:2074
>  snd_pcm_oss_poll+0x679/0xb40 sound/core/oss/pcm_oss.c:2858
>  vfs_poll include/linux/poll.h:90 [inline]
>  do_pollfd fs/select.c:872 [inline]
>  do_poll fs/select.c:920 [inline]
>  do_sys_poll+0x63c/0xe40 fs/select.c:1014
>  __do_sys_poll fs/select.c:1079 [inline]
>  __se_sys_poll fs/select.c:1067 [inline]
>  __x64_sys_poll+0x18c/0x490 fs/select.c:1067
>  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x7f095de4f4ed
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f095bdffbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
> RAX: ffffffffffffffda RBX: 00007f095df6df60 RCX: 00007f095de4f4ed
> RDX: 0000000000000009 RSI: 0000000000000001 RDI: 00000000200000c0
> RBP: 00007f095bdffc40 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001d
> R13: 00007ffff286ceff R14: 00007f095df6df60 R15: 00007f095bdffd80
> 
> 
> Memory state around the buggy address:
>  ffffc900115b1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffffc900115b1d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffffc900115b1e00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>                    ^
>  ffffc900115b1e80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  ffffc900115b1f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> ==================================================================

Wonderful, do you have a fix for this that solves the reported problem
that you have tested with the reproducer?

thanks,

greg k-h
