From: Esme <esploit@protonmail.ch>
To: "dgilbert@interlog.com" <dgilbert@interlog.com>,
	"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
	"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
	"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: "security@kernel.org" <security@kernel.org>
Subject: PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL
Date: Thu, 10 Jan 2019 19:12:16 +0000	[thread overview]
Message-ID: <t78EEfgpy3uIwPUvqvmuQEYEWKG9avWzjUD3EyR93Qaf_tfx1gqt4XplrqMgdxR1U9SsrVdA7G9XeUZacgUin0n6lBzoxJHVJ9Ko0yzzrxI=@protonmail.ch> (raw)

[-- Attachment #1: Type: text/plain, Size: 986 bytes --]

Sorry for the resend; some mail servers rejected the MIME type.

Hi, I've been getting more into kernel work lately and forged ahead with some syzkaller bug finding. I played with reducing it further, as you can see from the attached C code, but am moving on; I hope to get better at this process going forward, as I'm still building out my test systems and debugging tools.

Attached are the report and a C repro that still triggers on a fresh git pull as of a few minutes ago; if you need anything else, please let me know.
Esme

Linux syzkaller 5.0.0-rc1+ #5 SMP Tue Jan 8 20:39:33 EST 2019 x86_64 GNU/Linux

GNU C                   6.3.0
Binutils                2.28
Util-linux              2.29.2
Mount                   2.29.2
Module-init-tools       23
E2fsprogs               1.43.4
Linux C Library         2.24
Dynamic linker (ldd)    2.24
Linux C++ Library       6.0.22
Procps                  3.3.12
Sh-utils                8.26
Udev                    232


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: test3.c --]
[-- Type: text/x-csrc; name="test3.c", Size: 11298 bytes --]

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/genetlink.h>
#include <linux/netlink.h>

unsigned long long procid; // index of the forked worker; main() sets it before each fork()

// Per-thread state for the NONFAILING() macro: while skip_segv > 0, a
// SIGSEGV/SIGBUS whose address lies outside the 1 MiB..100 MiB program window
// longjmps back to segv_env instead of exiting (see segv_handler()).
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler backing NONFAILING(): when a NONFAILING() region is
// active (skip_segv > 0) and the faulting address is outside the
// 1 MiB..100 MiB window the program itself occupies, unwind to the matching
// _setjmp(); any other fault terminates the process with the signal number
// as its exit status.
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
        const uintptr_t prog_start = 1 << 20;
        const uintptr_t prog_end = 100 << 20;
        uintptr_t fault = (uintptr_t)info->si_addr;
        int skipping = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
        int outside_prog = fault < prog_start || fault > prog_end;
        if (skipping && outside_prog)
                _longjmp(segv_env, 1);
        exit(sig);
}

// Sets signal `signum` to SIG_IGN through the raw rt_sigaction syscall
// (bypassing the libc wrapper; 8 is the sigset size the kernel expects).
static void ignore_raw_signal(int signum)
{
        struct sigaction ignore;
        memset(&ignore, 0, sizeof(ignore));
        ignore.sa_handler = SIG_IGN;
        syscall(SYS_rt_sigaction, signum, &ignore, NULL, 8);
}

// Ignores signals 32 and 33 (presumably the realtime signals glibc reserves
// for itself, which is why the libc sigaction() wrapper is bypassed), then
// installs segv_handler for SIGSEGV and SIGBUS so NONFAILING() can recover.
static void install_segv_handler(void)
{
        ignore_raw_signal(0x20);
        ignore_raw_signal(0x21);
        struct sigaction fault;
        memset(&fault, 0, sizeof(fault));
        fault.sa_sigaction = segv_handler;
        fault.sa_flags = SA_NODEFER | SA_SIGINFO;
        sigaction(SIGSEGV, &fault, NULL);
        sigaction(SIGBUS, &fault, NULL);
}

#define NONFAILING(...) { __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); }

// Sleeps for `ms` milliseconds (converted to microseconds for usleep()).
static void sleep_ms(uint64_t ms)
{
        const uint64_t us_per_ms = 1000;
        uint64_t us = ms * us_per_ms;
        usleep(us);
}

// Returns the CLOCK_MONOTONIC time in milliseconds; exits the process with
// status 1 if clock_gettime() fails.
static uint64_t current_time_ms(void)
{
        struct timespec now;
        int failed = clock_gettime(CLOCK_MONOTONIC, &now);
        if (failed)
                exit(1);
        const uint64_t ms_per_s = 1000;
        const uint64_t ns_per_ms = 1000000;
        uint64_t whole_ms = (uint64_t)now.tv_sec * ms_per_s;
        uint64_t frac_ms = (uint64_t)now.tv_nsec / ns_per_ms;
        return whole_ms + frac_ms;
}

// Opens a device node. When a0 is 0xc ("char") or 0xb ("block") the path is
// /dev/{char,block}/<a1>:<a2> with both numbers truncated to one byte and the
// node opened O_RDWR. Otherwise a0 is a pointer to a path template: each '#'
// (scanning from the left each time) is replaced by successive low-order
// decimal digits of a1, and a2 is passed as the open(2) flags. The template
// is copied under NONFAILING() because the source may be unmapped.
// Returns the open(2) result (-1 on failure).
static long syz_open_dev(long a0, long a1, long a2)
{
        const int is_char = a0 == 0xc;
        const int is_block = a0 == 0xb;
        if (is_char || is_block) {
                char path[128];
                sprintf(path, "/dev/%s/%d:%d", is_char ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
                return open(path, O_RDWR, 0);
        }
        char path[1024];
        NONFAILING(strncpy(path, (char*)a0, sizeof(path) - 1));
        path[sizeof(path) - 1] = 0;
        for (char* mark = strchr(path, '#'); mark; mark = strchr(path, '#')) {
                *mark = '0' + (char)(a1 % 10);
                a1 /= 10;
        }
        return open(path, a2, 0);
}

// Opens the slave side of the pseudo-terminal whose master is descriptor a0,
// using a1 as the open(2) flags. Returns -1 if TIOCGPTN fails on a0.
static long syz_open_pts(long a0, long a1)
{
        int pty_index = 0;
        int ioctl_failed = ioctl(a0, TIOCGPTN, &pty_index);
        if (ioctl_failed)
                return -1;
        char path[128];
        snprintf(path, sizeof(path), "/dev/pts/%d", pty_index);
        return open(path, a1, 0);
}

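// Asks the generic-netlink controller (CTRL_CMD_GETFAMILY) for the family id
// of the NUL-terminated name at `name`, which is read under NONFAILING()
// because it may be unmapped. Returns the 16-bit family id, or -1 if the
// socket/sendmsg/recv fails, the reply is not a controller message, or no
// well-formed CTRL_ATTR_FAMILY_ID attribute is present.
//
// The attribute walk validates every header against the received length:
// the previous loop only checked that an attribute *started* before
// buf + n, so a truncated header could be read past n, and an nla_len of 0
// (NLMSG_ALIGN(0) == 0) made the walk spin forever. Untrusted netlink
// replies are a classic place for this, even when the peer is the kernel.
static long syz_genetlink_get_family_id(long name)
{
        char buf[512] = {0};
        struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
        struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
        struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
        hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
        hdr->nlmsg_type = GENL_ID_CTRL;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        genlhdr->cmd = CTRL_CMD_GETFAMILY;
        attr->nla_type = CTRL_ATTR_FAMILY_NAME;
        attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
        NONFAILING(strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ));
        struct iovec iov = {hdr, hdr->nlmsg_len};
        struct sockaddr_nl addr = {0};
        addr.nl_family = AF_NETLINK;
        int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (fd == -1) {
                return -1;
        }
        struct msghdr msg = {
                .msg_name = &addr,
                .msg_namelen = sizeof(addr),
                .msg_iov = &iov,
                .msg_iovlen = 1,
        };
        if (sendmsg(fd, &msg, 0) == -1) {
                close(fd);
                return -1;
        }
        // The reply is received into the same buffer, so hdr/genlhdr/attr now
        // describe the reply; its attributes start right after genlmsghdr.
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        close(fd);
        if (n < (ssize_t)(sizeof(*hdr) + sizeof(*genlhdr))) {
                return -1;
        }
        if (hdr->nlmsg_type != GENL_ID_CTRL) {
                return -1;
        }
        const char* end = buf + n;
        // Each iteration first proves the nlattr header is fully inside the
        // received bytes, then that its declared length is sane and in bounds;
        // nla_len >= sizeof(*attr) also guarantees the stride is non-zero.
        while ((char*)attr + sizeof(*attr) <= end) {
                size_t len = attr->nla_len;
                if (len < sizeof(*attr) || (char*)attr + len > end) {
                        return -1;
                }
                if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
                        if (len < sizeof(*attr) + sizeof(uint16_t)) {
                                return -1;
                        }
                        uint16_t family_id;
                        memcpy(&family_id, attr + 1, sizeof(family_id)); // payload may be unaligned
                        return family_id;
                }
                attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(len));
        }
        return -1;
}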

// Writes one byte to every /sys/fs/fuse/connections/<id>/abort file that can
// be opened. Presumably a child blocked inside a FUSE request cannot exit
// until its connection is aborted, which is why kill_and_wait() does this
// before blocking on the final waitpid(). Failures are ignored throughout.
static void abort_fuse_connections(void)
{
        DIR* connections = opendir("/sys/fs/fuse/connections");
        if (!connections)
                return;
        struct dirent* entry;
        while ((entry = readdir(connections)) != NULL) {
                const char* name = entry->d_name;
                if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
                        continue;
                char abort_path[300];
                snprintf(abort_path, sizeof(abort_path), "/sys/fs/fuse/connections/%s/abort", name);
                int fd = open(abort_path, O_WRONLY);
                if (fd == -1)
                        continue;
                // The byte written is the first character of the path; its
                // value is not meaningful, only the write itself is.
                if (write(fd, abort_path, 1) < 0) {
                        /* best effort */
                }
                close(fd);
        }
        closedir(connections);
}

// SIGKILLs `pid` and its whole process group, then reaps it into *status.
// Polls with WNOHANG for ~100 ms; if the child is still not reaped, aborts
// all FUSE connections and waits indefinitely.
static void kill_and_wait(int pid, int* status)
{
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        for (int attempt = 0; attempt < 100; attempt++) {
                if (waitpid(-1, status, WNOHANG | __WALL) == pid)
                        return;
                usleep(1000);
        }
        abort_fuse_connections();
        while (waitpid(-1, status, __WALL) != pid) {
        }
}

#define SYZ_HAVE_SETUP_TEST 1
// Runs in the child before execute_one(): request SIGKILL when the parent
// dies, and start a new process group so kill_and_wait() can kill(-pid)
// the child together with anything it forked.
static void setup_test()
{
        const int on_parent_death = SIGKILL;
        prctl(PR_SET_PDEATHSIG, on_parent_death, 0, 0, 0);
        setpgrp();
}

#define SYZ_HAVE_RESET_TEST 1
// Runs in the child after execute_one(): closes descriptors 3 through 29,
// the range where the test's open()/socket() results land.
static void reset_test()
{
        int fd = 3;
        while (fd < 30)
                close(fd++);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Polls for `pid` to exit, sleeping 1 ms between checks; after 5 s without
// a result the child is killed via kill_and_wait(). *status receives the
// waitpid() status either way.
static void wait_or_kill(int pid, int* status)
{
        const uint64_t timeout_ms = 5 * 1000;
        uint64_t started = current_time_ms();
        for (;;) {
                if (waitpid(-1, status, WNOHANG | WAIT_FLAGS) == pid)
                        return;
                sleep_ms(1);
                if (current_time_ms() - started >= timeout_ms) {
                        kill_and_wait(pid, status);
                        return;
                }
        }
}

// Worker body: forever, fork a child that runs setup_test(), execute_one()
// and reset_test() and then exits; the parent waits for it (with a 5 s
// kill timeout) before starting the next iteration. Exits with status 1 if
// fork() fails. Never returns.
static void loop(void)
{
        for (;;) {
                int pid = fork();
                if (pid < 0)
                        exit(1);
                if (pid == 0) {
                        setup_test();
                        execute_one();
                        reset_test();
                        exit(0);
                }
                int status = 0;
                wait_or_kill(pid, &status);
        }
}

// Result slots filled by execute_one(): r[0] receives the descriptor of
// "/dev/sg0" returned by syz_open_dev(); r[1] is only assigned inside the
// commented-out section and keeps its -1 initializer in the live code.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// Replays the syscall sequence syzkaller generated (and the author partly
// reduced). Pointers of the form 0x2000xxxx fall inside the 16 MiB region
// main() maps at 0x20000000; stores into it go through NONFAILING() so a
// fault there unwinds instead of killing the worker. The attached report's
// trace (sg_ioctl -> sg_scsi_ioctl) shows RDI=3, RSI=1, RDX=0x200000c0, which
// matches the ioctl on r[0] below. Most of the remaining calls pass -1 (or
// 0xffffff9c, the value of AT_FDCWD) as the descriptor and presumably fail
// with EBADF; they look like residue of the generated program rather than
// part of the trigger, but that has not been confirmed by further reduction.
void execute_one(void)
{
        long res = 0;

        // "/dev/sg#" with a1 == 0 becomes "/dev/sg0"; its descriptor is kept in r[0].
        NONFAILING(memcpy((void*)0x20000080, "/dev/sg#\x00", 9));
        res = syz_open_dev(0x20000080, 0, 0);
        if (res != -1)
                r[0] = res;
        syscall(__NR_socket, 0xc, 0x800, 0x88);
        syscall(__NR_ioctl, 0xffffff9c, 0x8933, 0);
        // 16-byte argument block for the ioctl on r[0]: three u32s (1, 0, 8)
        // followed by the single byte 0x86. How sg_scsi_ioctl() interprets
        // these fields should be checked against block/scsi_ioctl.c.
        NONFAILING(*(uint32_t*)0x200000c0 = 1);
        NONFAILING(*(uint32_t*)0x200000c4 = 0);
        NONFAILING(*(uint32_t*)0x200000c8 = 8);
        NONFAILING(memcpy((void*)0x200000cc, "\x86", 1));
        // The ioctl whose kzalloc (sg_scsi_ioctl, block/scsi_ioctl.c:445) the
        // attached slab-corruption report points at.
        syscall(__NR_ioctl, r[0], 1, 0x200000c0);
        syscall(__NR_openat, -1, 0, 0x88400, 0x100);
        syscall(__NR_socket, 0x11, 2, 0x300);
        syscall(__NR_write, -1, 0, 0);
        syscall(__NR_getsockopt, -1, 0x29, 0x39, 0, 0);
        syscall(__NR_read, -1, 0, 0);
        syscall(__NR_ioctl, -1, 0x5437, 0);
        // name == 0: the NONFAILING() strncpy inside faults on NULL and is
        // unwound, so the request goes out with an empty family name.
        syz_genetlink_get_family_id(0);
        syscall(__NR_getpid);
        NONFAILING(memcpy((void*)0x20000000, "/dev/loop#\x00", 11));
        syz_open_dev(0x20000000, 0, 0);
        syz_open_dev(0, 2, 0x100);
        syscall(__NR_socket, 0x11, 3, 0x300);
        // Calls the author commented out while reducing the repro; kept as attached.
        /*
        NONFAILING(*(uint64_t*)0x200003c0 = 0x200002c0);
        NONFAILING(*(uint16_t*)0x200002c0 = 0x10);
        NONFAILING(*(uint16_t*)0x200002c2 = 0);
        NONFAILING(*(uint32_t*)0x200002c4 = 0);
        NONFAILING(*(uint32_t*)0x200002c8 = 2);
        NONFAILING(*(uint32_t*)0x200003c8 = 0xc);
        NONFAILING(*(uint64_t*)0x200003d0 = 0x20000380);
        NONFAILING(*(uint64_t*)0x20000380 = 0);
        NONFAILING(*(uint64_t*)0x20000388 = 0);
        NONFAILING(*(uint64_t*)0x200003d8 = 1);
        NONFAILING(*(uint64_t*)0x200003e0 = 0);
        NONFAILING(*(uint64_t*)0x200003e8 = 0);
        NONFAILING(*(uint32_t*)0x200003f0 = 1);
        syscall(__NR_sendmsg, -1, 0x200003c0, 0x40040);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0, 0);
        res = syscall(__NR_dup, -1);
        if (res != -1)
                r[1] = res;
        syscall(__NR_ioctl, r[1], 0x8903, 0);
        syscall(__NR_fdatasync, -1);
        syscall(__NR_shmctl, 0, 3, 0);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0x20000, 0);
        syscall(__NR_creat, 0, 0);
        syscall(__NR_fcntl, -1, 4, 0x40003);
        syscall(__NR_write, -1, 0, 0);
        syscall(__NR_setitimer, 1, 0, 0);
        syscall(__NR_inotify_add_watch, -1, 0, 0x24000004);
        syscall(__NR_unlink, 0);
        NONFAILING(*(uint32_t*)0x20000180 = 0);
        NONFAILING(*(uint32_t*)0x20000184 = 0);
        NONFAILING(*(uint32_t*)0x20000188 = 0);
        NONFAILING(*(uint32_t*)0x2000018c = 0);
        NONFAILING(*(uint32_t*)0x20000190 = 0);
        NONFAILING(*(uint32_t*)0x20000194 = 0);
        syscall(__NR_capset, 0, 0x20000180);
        NONFAILING(*(uint64_t*)0x20000100 = 0);
        NONFAILING(*(uint64_t*)0x20000108 = 0);
        syscall(__NR_vmsplice, -1, 0x20000100, 1, 0);
        syscall(__NR_ioctl, -1, 0x89e0, 0);
        syscall(__NR_socket, 0xa, 2, 0);
        syscall(__NR_pipe2, 0, 0x84800);
        syscall(__NR_pipe, 0);
*/
        // Tail of the generated program; nearly every call here uses an
        // invalid descriptor or a NULL pointer argument.
        syz_open_pts(0xffffff9c, 0x80000);
        syscall(__NR_socket, 0xa, 3, 0x3a);
        syscall(__NR_getsockopt, 0xffffff9c, 0x29, 0x22, 0, 0);
        syscall(__NR_readv, -1, 0, 0);
        syscall(__NR_creat, 0, 0);
        syscall(__NR_connect, -1, 0, 0);
        syscall(__NR_setsockopt, -1, 1, 0x19, 0, 0);
        syscall(__NR_sendmsg, -1, 0, 0x10);
        syscall(__NR_socket, 0x10, 3, 0x10);
        syscall(__NR_socket, 0x10, 3, 6);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0x440040, 0);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0x8000, 0);
        syscall(__NR_mmap, 0x20ff7000, 0x9000, 0, 0x5811, -1, 0);
        syscall(__NR_fstat, -1, 0);
        syscall(__NR_ioctl, -1, 0x40247007, 0);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0x801, 0);
        syscall(__NR_ioctl, -1, 0x891b, 0);
        syscall(__NR_ioctl, -1, 0x541c, 0);
        syscall(__NR_openat, 0xffffffffffffff9c, 0, 0x200002, 0);
        syscall(__NR_socket, 2, 2, 0x88);
        syscall(__NR_readv, -1, 0, 0);
        syscall(__NR_pipe2, 0x20000000, 0);

}
// Entry point: maps the fixed 16 MiB scratch region execute_one() stores
// into, installs the fault handler, forks 8 workers that each run loop()
// forever, and then parks the parent in sleep().
int main(void)
{
        const int worker_count = 8;
        // prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
        // (raw values because <sys/mman.h> is not included in this file).
        syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
        install_segv_handler();
        // procid is a global, so each child observes the index it was forked with.
        for (procid = 0; procid < worker_count; procid++) {
                pid_t child = fork();
                if (child == 0)
                        loop();
        }
        sleep(1000000);
        return 0;
}


[-- Attachment #3: repro.report --]
[-- Type: application/octet-stream, Size: 12561 bytes --]

=============================================================================
BUG kmemleak_object (Not tainted): Padding overwritten. 0x0000000010668f30-0x00000000b5ef74a3
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0x0000000008e279da objects=12 used=12 fp=0x          (null) flags=0x100000000010201
CPU: 1 PID: 2098 Comm: syz-executor468 Tainted: G    B             4.20.0 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xdc/0x18e lib/dump_stack.c:113
 slab_err+0xab/0xcf mm/slub.c:708
 slab_pad_check.part.49.cold.81+0x23/0x75 mm/slub.c:848
 slab_pad_check mm/slub.c:829 [inline]
 check_slab+0x6d/0xc0 mm/slub.c:934
 free_debug_processing+0x205/0x260 mm/slub.c:1174
 __slab_free+0x241/0x3f0 mm/slub.c:2829
 qlink_free mm/kasan/quarantine.c:147 [inline]
 qlist_free_all+0x4a/0xc0 mm/kasan/quarantine.c:166
 quarantine_reduce+0x13e/0x160 mm/kasan/quarantine.c:259
 kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:538
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2744 [inline]
 slab_alloc mm/slub.c:2752 [inline]
 kmem_cache_alloc+0xfb/0x250 mm/slub.c:2757
 create_object+0xc1/0xad0 mm/kmemleak.c:578
 kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2744 [inline]
 slab_alloc mm/slub.c:2752 [inline]
 __kmalloc+0x1a5/0x2c0 mm/slub.c:3783
 kmalloc include/linux/slab.h:551 [inline]
 kzalloc include/linux/slab.h:741 [inline]
 sg_scsi_ioctl+0x514/0x790 block/scsi_ioctl.c:445
 sg_ioctl+0x10e0/0x2a30 drivers/scsi/sg.c:1106
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x1d4/0x1640 fs/ioctl.c:696
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
 do_syscall_64+0x15c/0x4c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44d799
Code: 00 00 00 75 05 48 83 c4 38 c3 e8 82 32 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc091798f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044d799
RDX: 00000000200000c0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007ffc091799bc R08: 000000000000049f R09: 000000000000049f
R10: 000000000000049f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000004be018 R15: 0000000000000000
Padding 0000000010668f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000662c67d6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000001db2b4ef: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000096e07791: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000002ec58a8a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000b2946b0d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000099e025a4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000002ba4e693: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000007d7ee36c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000d4eb8c88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000005b3f661d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000084b85032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000f8f63693: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000c63dbbc1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000e6e42dee: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000000f7fdb85: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000a10620fb: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000cfc26d57: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000049253b94: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000e1786c5e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
FIX kmemleak_object: Restoring 0x0000000010668f30-0x00000000b5ef74a3=0x5a

=============================================================================
BUG kmemleak_object (Tainted: G    B            ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x00000000445104b3-0x0000000016f5245b. First byte 0x0 instead of 0xcc
INFO: Slab 0x0000000008e279da objects=12 used=12 fp=0x          (null) flags=0x100000000010201
INFO: Object 0x000000001cc31f05 @offset=5256 fp=0x          (null)

Redzone 00000000445104b3: 00 00 00 00 00 00 00 00                          ........
Object 000000001cc31f05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000000c167900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000009b6650d8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000ae424d1e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000c211cd23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000556bb10a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000f1c56b7a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000c228871c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000035c38d94: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000bdf01376: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000005d08d28e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000053f1468c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000aba1cdfd: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000001403e97: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000f9c746df: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000f996b51f: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000bca8e4cd: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000002ecac069: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000cb0a63f5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 00000000bbe98e22: 00 00 00 00 00 00 00 00                          ........
Padding 000000002205a78c: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 2098 Comm: syz-executor468 Tainted: G    B             4.20.0 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xdc/0x18e lib/dump_stack.c:113
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:754
 check_object+0x160/0x270 mm/slub.c:862
 free_consistency_checks mm/slub.c:1139 [inline]
 free_debug_processing+0x14a/0x260 mm/slub.c:1182
 __slab_free+0x241/0x3f0 mm/slub.c:2829
 qlink_free mm/kasan/quarantine.c:147 [inline]
 qlist_free_all+0x4a/0xc0 mm/kasan/quarantine.c:166
 quarantine_reduce+0x13e/0x160 mm/kasan/quarantine.c:259
 kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:538
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2744 [inline]
 slab_alloc mm/slub.c:2752 [inline]
 kmem_cache_alloc+0xfb/0x250 mm/slub.c:2757
 create_object+0xc1/0xad0 mm/kmemleak.c:578
 kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2744 [inline]
 slab_alloc mm/slub.c:2752 [inline]
 __kmalloc+0x1a5/0x2c0 mm/slub.c:3783
 kmalloc include/linux/slab.h:551 [inline]
 kzalloc include/linux/slab.h:741 [inline]
 sg_scsi_ioctl+0x514/0x790 block/scsi_ioctl.c:445
 sg_ioctl+0x10e0/0x2a30 drivers/scsi/sg.c:1106
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x1d4/0x1640 fs/ioctl.c:696
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
 do_syscall_64+0x15c/0x4c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44d799
Code: 00 00 00 75 05 48 83 c4 38 c3 e8 82 32 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc091798f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044d799
RDX: 00000000200000c0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007ffc091799bc R08: 000000000000049f R09: 000000000000049f
R10: 000000000000049f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000004be018 R15: 0000000000000000
FIX kmemleak_object: Restoring 0x00000000445104b3-0x0000000016f5245b=0xcc

FIX kmemleak_object: Object at 0x000000001cc31f05 not freed
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
CPU: 1 PID: 2077 Comm: sshd Tainted: G    B             4.20.0 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
RIP: 0010:unlink_anon_vmas+0x1a5/0x930 mm/rmap.c:388
Code: 84 8c 01 00 00 e8 6b 08 da ff 48 8d 7d 08 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 8a 05 00 00 4c 8b 65 08 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 68 05 00 00 4d 8b 34 24 4d 39 fe 74 1c e8 33 08
RSP: 0018:ffff8880b9b572d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8162f177
RDX: 0000000000000000 RSI: ffffffff816787e5 RDI: ffff8880b74cc1b0
RBP: ffff8880b74cc1a8 R08: ffff8880bb180fc0 R09: 0000000024db2db2
R10: 000000001efd7fbf R11: ffff88811ab2a8fb R12: 0000000000000000
R13: fffffffffffffff0 R14: ffff888111183548 R15: 0000000000000000
FS:  00007f7b39931d40(0000) GS:ffff88811ab00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b35737160 CR3: 00000000aedbe006 CR4: 0000000000160ee0
Call Trace:
 free_pgtables+0x266/0x380 mm/memory.c:393
 exit_mmap+0x28e/0x520 mm/mmap.c:3146
 __mmput kernel/fork.c:1050 [inline]
 mmput+0x1ca/0x4e0 kernel/fork.c:1071
 exit_mm kernel/exit.c:545 [inline]
 do_exit+0xa01/0x23e0 kernel/exit.c:854
 do_group_exit+0x170/0x420 kernel/exit.c:970
 __do_sys_exit_group kernel/exit.c:981 [inline]
 __se_sys_exit_group kernel/exit.c:979 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:979
 do_syscall_64+0x15c/0x4c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f7b37a7a618
Code: Bad RIP value.
RSP: 002b:00007fff5ab54008 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7b37a7a618
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00007f7b37d578e0 R08: 00000000000000e7 R09: fffffffffffffe00
R10: 00007f7b35737148 R11: 0000000000000246 R12: 00007f7b37d578e0
R13: 00007f7b37d5cc20 R14: 0000000000000003 R15: 0000563c8f10be50
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 1a879148c41b9587 ]---
RIP: 0010:unlink_anon_vmas+0x1a5/0x930 mm/rmap.c:388
Code: 84 8c 01 00 00 e8 6b 08 da ff 48 8d 7d 08 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 8a 05 00 00 4c 8b 65 08 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 68 05 00 00 4d 8b 34 24 4d 39 fe 74 1c e8 33 08
RSP: 0018:ffff8880b9b572d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8162f177
RDX: 0000000000000000 RSI: ffffffff816787e5 RDI: ffff8880b74cc1b0
RBP: ffff8880b74cc1a8 R08: ffff8880bb180fc0 R09: 0000000024db2db2
R10: 000000001efd7fbf R11: ffff88811ab2a8fb R12: 0000000000000000
R13: fffffffffffffff0 R14: ffff888111183548 R15: 0000000000000000
FS:  00007f7b39931d40(0000) GS:ffff88811ab00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b37a7a5ee CR3: 00000000aedbe006 CR4: 0000000000160ee0

2019-01-10 19:12 Esme [this message]
2019-01-10 19:58 ` PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL James Bottomley
2019-01-10 19:58   ` James Bottomley
2019-01-10 20:39   ` Qian Cai
2019-01-10 20:39     ` Qian Cai
2019-01-10 20:44   ` Qian Cai
2019-01-10 20:44     ` Qian Cai
2019-01-10 20:47     ` Esme
2019-01-10 21:03       ` Qian Cai
2019-01-10 21:10         ` Esme
2019-01-10 21:35         ` Esme
2019-01-10 22:33           ` Qian Cai
2019-01-10 22:58             ` Esme
2019-01-11  1:30               ` Qian Cai
2019-01-11  3:15                 ` Esme
2019-01-11  4:52                   ` Qian Cai
2019-01-11  5:01                     ` Esme
     [not found] <FTiTvUZRA5yMupEMxO6bakUBM0kgENu3iSyKzomSMpfDWnMJ-AQbx4X3GRTNzNE2ZxaMAEU3nfYARed4mpJV-xC6lBR6PR5hsWKwbvAs5II=@protonmail.ch>
2019-01-10 19:27 ` Greg KH
