* KASAN: use-after-free Read in do_general_protection
@ 2018-05-26 9:16 syzbot
2018-05-26 9:29 ` Dmitry Vyukov
0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2018-05-26 9:16 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e030d7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16b624d7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1364e0d7800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a1264132fc103340628f@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0
arch/x86/kernel/traps.c:538
Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544
CPU: 0 PID: 4544 Comm: syz-executor171 Not tainted 4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
The buggy address belongs to the page:
page:ffffea00075c61c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea00075c0101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d7187480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4544 Comm: syz-executor171 Tainted: G B
4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in do_general_protection
2018-05-26 9:16 KASAN: use-after-free Read in do_general_protection syzbot
@ 2018-05-26 9:29 ` Dmitry Vyukov
2018-05-28 11:25 ` Paolo Bonzini
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Vyukov @ 2018-05-26 9:29 UTC (permalink / raw)
To: syzbot, Paolo Bonzini, Radim Krčmář, KVM list
Cc: LKML, syzkaller-bugs
On Sat, May 26, 2018 at 11:16 AM, syzbot
<syzbot+a1264132fc103340628f@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13e030d7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16b624d7800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1364e0d7800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a1264132fc103340628f@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> ==================================================================
> BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0
> arch/x86/kernel/traps.c:538
> Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544
>
> CPU: 0 PID: 4544 Comm: syz-executor171 Not tainted 4.17.0-rc6+ #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> The buggy address belongs to the page:
> page:ffffea00075c61c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
> raw: 0000000000000000 ffffea00075c0101 0000000000000000 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>
>> ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>
> ^
> ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d7187480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 4544 Comm: syz-executor171 Tainted: G B
> 4.17.0-rc6+ #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
Dups of this bug:
KASAN: stack-out-of-bounds Read in do_general_protection
KASAN: slab-out-of-bounds Read in vmx_vcpu_run
KASAN: use-after-scope Read in vmx_vcpu_run
KASAN: stack-out-of-bounds Write in notify_die
See full info at:
https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
There seems to be 2 problems:
1. msr_write_intercepted doing something notoriously bad.
2. general_protection fault handler somehow allocates pt_regs
overlapping with vmx_run frame. This can be an issue with interrupts
too.
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/0000000000006370c3056d1855e7%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in do_general_protection
2018-05-26 9:29 ` Dmitry Vyukov
@ 2018-05-28 11:25 ` Paolo Bonzini
2018-06-05 8:16 ` Dmitry Vyukov
0 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2018-05-28 11:25 UTC (permalink / raw)
To: Dmitry Vyukov, syzbot, Radim Krčmář, KVM list
Cc: LKML, syzkaller-bugs
On 26/05/2018 11:29, Dmitry Vyukov wrote:
> KASAN: stack-out-of-bounds Read in do_general_protection
> KASAN: slab-out-of-bounds Read in vmx_vcpu_run
> KASAN: use-after-scope Read in vmx_vcpu_run
> KASAN: stack-out-of-bounds Write in notify_die
>
> See full info at:
> https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
>
>
> There seems to be 2 problems:
>
> 1. msr_write_intercepted doing something notoriously bad.
The faulting line is
msr_bitmap = to_vmx(vcpu)->loaded_vmcs->msr_bitmap;
so I suppose to_vmx(vcpu)->loaded_vmcs is bogus? That seems like "just"
a corruption of the struct kvm_vcpu, because the loaded_vmcs field is
pointing elsewhere inside the same struct.
Paolo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in do_general_protection
2018-05-28 11:25 ` Paolo Bonzini
@ 2018-06-05 8:16 ` Dmitry Vyukov
2018-06-20 7:52 ` Dmitry Vyukov
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Vyukov @ 2018-06-05 8:16 UTC (permalink / raw)
To: Paolo Bonzini
Cc: syzbot, Radim Krčmář, KVM list, LKML, syzkaller-bugs
On Mon, May 28, 2018 at 1:25 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 26/05/2018 11:29, Dmitry Vyukov wrote:
>> KASAN: stack-out-of-bounds Read in do_general_protection
>> KASAN: slab-out-of-bounds Read in vmx_vcpu_run
>> KASAN: use-after-scope Read in vmx_vcpu_run
>> KASAN: stack-out-of-bounds Write in notify_die
>>
>> See full info at:
>> https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
>>
>>
>> There seems to be 2 problems:
>>
>> 1. msr_write_intercepted doing something notoriously bad.
>
> The faulting line is
>
> msr_bitmap = to_vmx(vcpu)->loaded_vmcs->msr_bitmap;
>
> so I suppose to_vmx(vcpu)->loaded_vmcs is bogus? That seems like "just"
> a corruption of the struct kvm_vcpu, because the loaded_vmcs field is
> pointing elsewhere inside the same struct.
This is reproducible and the reproducer only uses KVM syscalls. So it
seems that KVM corrupts itself. Perhaps it's KVM_SET_MSRS that messes
things?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in do_general_protection
2018-06-05 8:16 ` Dmitry Vyukov
@ 2018-06-20 7:52 ` Dmitry Vyukov
0 siblings, 0 replies; 5+ messages in thread
From: Dmitry Vyukov @ 2018-06-20 7:52 UTC (permalink / raw)
To: Paolo Bonzini
Cc: syzbot, Radim Krčmář, KVM list, LKML, syzkaller-bugs
On Tue, Jun 5, 2018 at 10:16 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Mon, May 28, 2018 at 1:25 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>> On 26/05/2018 11:29, Dmitry Vyukov wrote:
>>> KASAN: stack-out-of-bounds Read in do_general_protection
>>> KASAN: slab-out-of-bounds Read in vmx_vcpu_run
>>> KASAN: use-after-scope Read in vmx_vcpu_run
>>> KASAN: stack-out-of-bounds Write in notify_die
>>>
>>> See full info at:
>>> https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
>>>
>>>
>>> There seems to be 2 problems:
>>>
>>> 1. msr_write_intercepted doing something notoriously bad.
>>
>> The faulting line is
>>
>> msr_bitmap = to_vmx(vcpu)->loaded_vmcs->msr_bitmap;
>>
>> so I suppose to_vmx(vcpu)->loaded_vmcs is bogus? That seems like "just"
>> a corruption of the struct kvm_vcpu, because the loaded_vmcs field is
>> pointing elsewhere inside the same struct.
>
> This is reproducible and the reproducer only uses KVM syscalls. So it
> seems that KVM corrupts itself. Perhaps it's KVM_SET_MSRS that messes
> things?
This one looks like the same root cause as here:
KASAN: stack-out-of-bounds Read in unwind_next_frame
https://groups.google.com/d/msg/syzkaller-bugs/MGQ_W8DPYXA/k-xK7sBrBgAJ
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-06-20 9:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-26 9:16 KASAN: use-after-free Read in do_general_protection syzbot
2018-05-26 9:29 ` Dmitry Vyukov
2018-05-28 11:25 ` Paolo Bonzini
2018-06-05 8:16 ` Dmitry Vyukov
2018-06-20 7:52 ` Dmitry Vyukov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).