[syzbot] BUG: bad usercopy in io_openat2_prep

[syzbot] BUG: bad usercopy in io_openat2_prep

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com

usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4411 Comm: syz-executor101 Not tainted 6.2.0-rc6-syzkaller-17549-gca72d58361ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94
lr : usercopy_abort+0x90/0x94
sp : ffff80000fb8bb90
x29: ffff80000fb8bba0 x28: 000000000000001c x27: ffff0000c76d1a00
x26: 00000000200000c0 x25: ffff80000cf42000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc0003250440 x21: ffff0000c9411618
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000002bee
x17: 63656a626f204255 x16: ffff0000c76d23f8 x15: ffff80000dbc2118
x14: ffff0000c76d1a00 x13: 00000000ffffffff x12: ffff0000c76d1a00
x11: ff808000081bbb4c x10: 0000000000000000 x9 : 295e44a4d7b9f900
x8 : 295e44a4d7b9f900 x7 : ffff80000bf60b80 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbef08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
 usercopy_abort+0x90/0x94
 __check_heap_object+0xa8/0x100
 __check_object_size+0x208/0x6b8
 io_openat2_prep+0xcc/0x2b8
 io_submit_sqes+0x338/0xbb8
 __arm64_sys_io_uring_enter+0x168/0x1308
 invoke_syscall+0x64/0x178
 el0_svc_common+0xbc/0x180
 do_el0_svc+0x48/0x110
 el0_svc+0x58/0x14c
 el0t_64_sync_handler+0x84/0xf0
 el0t_64_sync+0x190/0x194
Code: 9133a800 aa0903e1 f90003e8 94e6c80f (d4210000) 
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] BUG: bad usercopy in io_openat2_prep

[Kees Cook]

On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com> wrote:
>Hello,
>
>syzbot found the following issue on:
>
>HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
>
>Downloadable assets:
>disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
>
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!

This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??

-Kees

> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194



-- 
Kees Cook

Re: [syzbot] BUG: bad usercopy in io_openat2_prep

[Pavel Begunkov]

On 2/11/23 16:36, Kees Cook wrote:
> On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>> userspace arch: arm64
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000

I couldn't reproduce it, let's try latest io_uring first

#syz test: https://git.kernel.dk/linux.git for-6.3/io_uring


>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
>>
>> usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
> 
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
> 
> -Kees
> 
>> [...]
>> Call trace:
>> usercopy_abort+0x90/0x94
>> __check_heap_object+0xa8/0x100
>> __check_object_size+0x208/0x6b8
>> io_openat2_prep+0xcc/0x2b8
>> io_submit_sqes+0x338/0xbb8
>> __arm64_sys_io_uring_enter+0x168/0x1308
>> invoke_syscall+0x64/0x178
>> el0_svc_common+0xbc/0x180
>> do_el0_svc+0x48/0x110
>> el0_svc+0x58/0x14c
>> el0t_64_sync_handler+0x84/0xf0
>> el0t_64_sync+0x190/0x194
> 
> 
> 

-- 
Pavel Begunkov

Re: [syzbot] BUG: bad usercopy in io_openat2_prep

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: bad usercopy in io_openat2_prep

usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4995 Comm: syz-executor.0 Not tainted 6.2.0-rc6-syzkaller-00050-gfbe870a72fd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94
lr : usercopy_abort+0x90/0x94
sp : ffff800012dd3be0
x29: ffff800012dd3bf0 x28: 000000000000001c x27: ffff0000d0e13400
x26: 00000000200000c0 x25: ffff80000cf51000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc0003108280 x21: ffff0000c420a118
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000000000
x17: 0000000000000000 x16: ffff0000d0e13df8 x15: ffff80000dbd1118
x14: ffff0000d0e13400 x13: 00000000ffffffff x12: ffff0000d0e13400
x11: ff808000081bd5b0 x10: 0000000000000000 x9 : 4c3aa38d2e853f00
x8 : 4c3aa38d2e853f00 x7 : ffff800008162dbc x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
 usercopy_abort+0x90/0x94
 __check_heap_object+0xa8/0x100
 __check_object_size+0x208/0x6b8
 io_openat2_prep+0xcc/0x2f0
 io_submit_sqes+0x330/0xba8
 __arm64_sys_io_uring_enter+0x168/0x9b0
 invoke_syscall+0x64/0x178
 el0_svc_common+0xbc/0x180
 do_el0_svc+0x48/0x150
 el0_svc+0x58/0x14c
 el0t_64_sync_handler+0x84/0xf0
 el0t_64_sync+0x190/0x194
Code: 911d2800 aa0903e1 f90003e8 94e6d3da (d4210000) 
---[ end trace 0000000000000000 ]---


Tested on:

commit:         fbe870a7 io_uring,audit: don't log IORING_OP_MADVISE
git tree:       https://git.kernel.dk/linux.git for-6.3/io_uring
console output: https://syzkaller.appspot.com/x/log.txt?x=17241257480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=22fc000172595f28
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Note: no patches were applied.

Re: [syzbot] BUG: bad usercopy in io_openat2_prep

[Dmitry Vyukov]

On Mon, 13 Feb 2023 at 12:05, Kees Cook <kees@kernel.org> wrote:
>
> On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com> wrote:
> >Hello,
> >
> >syzbot found the following issue on:
> >
> >HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
> >git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> >console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
> >kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
> >dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
> >compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> >userspace arch: arm64
> >syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
> >C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
> >
> >Downloadable assets:
> >disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
> >vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
> >kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
> >
> >IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
> >
> >usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
>
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??

We've just noticed that some of syzbot arm64 configs did not enable
KASAN, so it could produce false one-off reports caused by previous
silent memory corruptions.

So if you don't see anything obvious, don't spend too much time looking at it.

#syz invalid


> -Kees
>
> > [...]
> >Call trace:
> > usercopy_abort+0x90/0x94
> > __check_heap_object+0xa8/0x100
> > __check_object_size+0x208/0x6b8
> > io_openat2_prep+0xcc/0x2b8
> > io_submit_sqes+0x338/0xbb8
> > __arm64_sys_io_uring_enter+0x168/0x1308
> > invoke_syscall+0x64/0x178
> > el0_svc_common+0xbc/0x180
> > do_el0_svc+0x48/0x110
> > el0_svc+0x58/0x14c
> > el0t_64_sync_handler+0x84/0xf0
> > el0t_64_sync+0x190/0x194
>
>
>
> --
> Kees Cook