From: James Bottomley <jejb@linux.ibm.com>
To: Esme <esploit@protonmail.ch>,
"dgilbert@interlog.com" <dgilbert@interlog.com>,
"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org
Cc: "security@kernel.org" <security@kernel.org>
Subject: Re: PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL
Date: Thu, 10 Jan 2019 11:58:59 -0800 [thread overview]
Message-ID: <1547150339.2814.9.camel@linux.ibm.com> (raw)
Message-ID: <20190110195859.KAcEJnLIGeixm9z2-b56twd00v3pmVAUtCqkbTuUCUc@z> (raw)
In-Reply-To: <t78EEfgpy3uIwPUvqvmuQEYEWKG9avWzjUD3EyR93Qaf_tfx1gqt4XplrqMgdxR1U9SsrVdA7G9XeUZacgUin0n6lBzoxJHVJ9Ko0yzzrxI=@protonmail.ch>
On Thu, 2019-01-10 at 19:12 +0000, Esme wrote:
> Sorry for the resend some mail servers rejected the mime type.
>
> Hi, I've been getting more into Kernel stuff lately and forged ahead
> with some syzkaller bug finding. I played with reducing it further
> as you can see from the attached c code but am moving on and hope to
> get better about this process moving forward as I'm still building
> out my test systems/debugging tools.
>
> Attached is the report and C repro that still triggers on a fresh git
> pull as of a few minutes ago, if you need anything else please let me
> know.
> Esme
>
> Linux syzkaller 5.0.0-rc1+ #5 SMP Tue Jan 8 20:39:33 EST 2019 x86_64
> GNU/Linux
I'm not sure I'm reading this right, but it seems that a simple
allocation inside block/scsi_ioctl.h

    buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);

(where bytes is < 4k) caused a slub padding check failure on free.

From the internal details, the freeing entity seems to be KASAN as part
of its quarantine reduction (albeit triggered by this kzalloc). I'm
not remotely familiar with what KASAN is doing, but it seems the memory
corruption problem is somewhere within the KASAN tracking?

I added linux-mm in case they can confirm this diagnosis or give me a
pointer to what might be wrong in scsi.

James
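Added illustration, not part of the thread or of the kernel's own code: a small user-space model of what a "padding check failure on free" means. A slab-style allocator places a guard pattern (the redzone, or padding) after each object and only inspects it when the object is freed, so an out-of-bounds write is reported at free time rather than at the moment it happens. The header layout, REDZONE_LEN, REDZONE_BYTE and the helper names are assumptions chosen for this example; SLUB debugging and KASAN use their own layouts, poison values and quarantine logic.

```c
/* Added example (not from the thread): a user-space model of a slab-style
 * trailing redzone that is verified when an object is freed.  The layout
 * and the constants below are assumptions made for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE_LEN  8      /* guard bytes after each object (assumed) */
#define REDZONE_BYTE 0xbb   /* fill pattern for the guard (assumed) */

/* Bookkeeping stored just before the object, like slab metadata. */
struct rz_header {
    size_t bytes;           /* size the caller asked for */
};

/* Allocate `bytes` usable bytes, zeroed (like kzalloc), followed by a
 * redzone filled with REDZONE_BYTE. */
void *rz_zalloc(size_t bytes)
{
    unsigned char *raw = malloc(sizeof(struct rz_header) + bytes + REDZONE_LEN);
    if (!raw)
        return NULL;
    struct rz_header *h = (struct rz_header *)raw;
    h->bytes = bytes;
    unsigned char *obj = raw + sizeof(struct rz_header);
    memset(obj, 0, bytes);
    memset(obj + bytes, REDZONE_BYTE, REDZONE_LEN);
    return obj;
}

/* Count redzone bytes that no longer hold the pattern (0 = padding intact).
 * A slab debugger runs this kind of check on free, not on every store,
 * which is why the corruption surfaces as a failure "on free". */
size_t rz_corrupted_bytes(const void *obj)
{
    const struct rz_header *h =
        (const struct rz_header *)((const unsigned char *)obj - sizeof(struct rz_header));
    const unsigned char *rz = (const unsigned char *)obj + h->bytes;
    size_t bad = 0;
    for (size_t i = 0; i < REDZONE_LEN; i++)
        if (rz[i] != REDZONE_BYTE)
            bad++;
    return bad;
}

/* Free the object.  Returns 0 if the padding was intact, 1 if it was
 * clobbered; the memory is released either way after reporting. */
int rz_free(void *obj)
{
    if (!obj)
        return 0;
    size_t bad = rz_corrupted_bytes(obj);
    if (bad)
        fprintf(stderr, "redzone overwritten: %zu of %d guard bytes changed\n",
                bad, REDZONE_LEN);
    free((unsigned char *)obj - sizeof(struct rz_header));
    return bad ? 1 : 0;
}

/* Scenario: a caller fills `fill_len` bytes of an object that holds only
 * `bytes`.  The store itself goes unnoticed; the check at free reports it.
 * fill_len is clamped so the model never writes past its own guard. */
int demo_overflow_detected_on_free(size_t bytes, size_t fill_len)
{
    if (fill_len > bytes + REDZONE_LEN)
        fill_len = bytes + REDZONE_LEN;
    unsigned char *buf = rz_zalloc(bytes);
    if (!buf)
        return -1;
    memset(buf, 'A', fill_len);     /* constructed write; 'A' != REDZONE_BYTE */
    return rz_free(buf);
}

int main(void)
{
    printf("exact-size fill:   %d\n", demo_overflow_detected_on_free(32, 32));
    printf("one byte too many: %d\n", demo_overflow_detected_on_free(32, 33));
    return 0;
}
```

The point of the model is the timing: `demo_overflow_detected_on_free(32, 33)` writes one byte past the object without any immediate error, and only `rz_free` notices. The same split explains why the kernel report names the freeing path (here KASAN's quarantine processing) rather than the code that did the overrun.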