From: Entropy Moe <3ntr0py1337@gmail.com>
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
akpm@linux-foundation.org
Subject: KASAN: stack-out-of-bounds Write in mpol_to_str
Date: Sun, 15 Mar 2020 23:57:17 +0400 [thread overview]
Message-ID: <CALzBtjLSqFhSNAf4YusxuE1piUTzOSLFGFD4RrhPLQAmgpyL5g@mail.gmail.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 237 bytes --]
Hello team,
how are you ?
I wanted to report a bug on mempolicy.c. I found the bug on the latest
version of the kernel.
which is stack out of bound vulnerability.
I am attaching report.
If you need the POC crash code, I can provide.
[-- Attachment #1.2: Type: text/html, Size: 390 bytes --]
[-- Attachment #2: mpol_to_str.txt --]
[-- Type: text/plain, Size: 3127 bytes --]
==================================================================
BUG: KASAN: stack-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: stack-out-of-bounds in __node_set include/linux/nodemask.h:130 [inline]
BUG: KASAN: stack-out-of-bounds in mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
Write of size 8 at addr ffff88806715fb58 by task systemd/1
CPU: 1 PID: 1 Comm: systemd Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc6/0x11e lib/dump_stack.c:118
print_address_description.constprop.5+0x16/0x310 mm/kasan/report.c:374
__kasan_report+0x158/0x1c0 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
__node_set include/linux/nodemask.h:130 [inline]
mpol_to_str+0x2b9/0x380 mm/mempolicy.c:2962
shmem_show_mpol mm/shmem.c:1406 [inline]
shmem_show_options+0x37c/0x540 mm/shmem.c:3611
show_mountinfo+0x5b4/0x870 fs/proc_namespace.c:187
seq_read+0x9fb/0x1030 fs/seq_file.c:268
__vfs_read+0x7a/0x100 fs/read_write.c:425
vfs_read+0x15e/0x370 fs/read_write.c:461
ksys_read+0x17b/0x210 fs/read_write.c:587
do_syscall_64+0x9b/0x520 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f67a589a910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
RSP: 002b:00007ffefbf89888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b4a3ba9c00 RCX: 00007f67a589a910
RDX: 0000000000000400 RSI: 000055b4a3bba200 RDI: 0000000000000013
RBP: 0000000000000d68 R08: 00007f67a72cf500 R09: 00000000000000e0
R10: 000055b4a3bba5e3 R11: 0000000000000246 R12: 00007f67a5b55440
R13: 00007f67a5b54900 R14: 000000000000001d R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00019c57c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 ffffea00019c57c8 ffffea00019c57c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
addr ffff88806715fb58 is located in stack of task systemd/1 at offset 40 in frame:
mpol_to_str+0x0/0x380 mm/mempolicy.c:2926
this frame has 1 object:
[32, 40) 'nodes'
Memory state around the buggy address:
ffff88806715fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806715fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806715fb00: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00
^
ffff88806715fb80: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
ffff88806715fc00: 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00
==================================================================
next reply other threads:[~2020-03-15 19:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-15 19:57 Entropy Moe [this message]
2020-03-16 18:46 ` KASAN: stack-out-of-bounds Write in mpol_to_str Randy Dunlap
2020-03-20 8:36 ` Entropy Moe
2020-03-21 6:45 ` Andrew Morton
2020-03-26 0:54 ` Randy Dunlap
2020-03-26 0:45 ` [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED Randy Dunlap
2020-03-26 2:23 KASAN: stack-out-of-bounds Write in mpol_to_str syzbot
2020-03-26 3:47 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALzBtjLSqFhSNAf4YusxuE1piUTzOSLFGFD4RrhPLQAmgpyL5g@mail.gmail.com \
--to=3ntr0py1337@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).