Date: Sat, 11 Feb 2023 08:36:50 -0800
From: Kees Cook <kees@kernel.org>
To: syzbot, akpm@linux-foundation.org, keescook@chromium.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, io-uring@vger.kernel.org
Subject: Re: [syzbot] BUG: bad usercopy in io_openat2_prep
In-Reply-To: <00000000000088b3d905f46ed421@google.com>

On February 11, 2023 8:08:52 AM PST, syzbot wrote:
>Hello,
>
>syzbot found the following issue on:
>
>HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
>
>Downloadable assets:
>disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
>
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!

This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??

-Kees

> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194

-- 
Kees Cook
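The check that produced the quoted "usercopy:" line is the hardened-usercopy heap check (CONFIG_HARDENED_USERCOPY, __check_heap_object() in mm/slub.c, visible in the call trace). The following is a reduced model of that check, added here as an example; it is not the kernel's code and not part of the thread. It keeps the one rule that decides the verdict: a user copy into or out of a slab object must fall entirely inside the cache's whitelisted usercopy region (the region kmem_cache_create_usercopy() records as useroffset/usersize), and a cache created without a whitelist has usersize 0, so no user copy into it is ever accepted. The offset within the object is passed in directly (the kernel derives it from the pointer and the slab address), red-zone and KFENCE handling are omitted, and both cache descriptors are constructed for this example; the 'pid' one reflects the report (no whitelist, since struct pid is never filled from user space), the whitelisted one is hypothetical. Replaying the reported event (24 bytes copied from user space to offset 24 of a 'pid' object) reproduces the abort line, and shows that the "size" in that line is the length of the attempted copy, not the size of the slab object.

```c
/*
 * Reduced model of the hardened-usercopy heap check (the kernel's is
 * __check_heap_object() in mm/slub.c). Added example, not kernel code:
 * the offset is a parameter rather than derived from the pointer, and
 * red-zone/KFENCE handling is left out. Cache descriptors are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The struct kmem_cache fields the check consults (modelled). */
struct cache_model {
    const char *name;
    size_t useroffset;  /* start of the region user copies may touch */
    size_t usersize;    /* length of that region; 0 = no whitelist at all */
};

/*
 * Copying n bytes at 'offset' within one object is allowed only if the
 * whole range lies inside the whitelisted usercopy region. Written without
 * unsigned wrap-around; the conditions are the same as the kernel's.
 */
static bool usercopy_allowed(const struct cache_model *s, size_t offset, size_t n)
{
    if (offset < s->useroffset)
        return false;                   /* starts before the region */
    if (offset - s->useroffset > s->usersize)
        return false;                   /* starts after the region */
    return n <= s->usersize - (offset - s->useroffset);  /* fits */
}

/*
 * Format the abort line the way usercopy_abort() words it: "overwrite ...
 * to" for a copy_from_user() into the kernel, "exposure ... from" for a
 * copy_to_user() out of it. The printed "size" is the copy length.
 */
static int format_abort_message(char *buf, size_t buflen, const struct cache_model *s,
                                bool to_user, size_t offset, size_t n)
{
    return snprintf(buf, buflen,
                    "Kernel memory %s attempt detected %s SLUB object '%s' (offset %zu, size %zu)!",
                    to_user ? "exposure" : "overwrite",
                    to_user ? "from" : "to", s->name, offset, n);
}

/* Constructed: the 'pid' cache as the report describes it, with no
 * usercopy whitelist (struct pid is never filled from user space). */
static const struct cache_model pid_cache = { "pid", 0, 0 };

/* Constructed, hypothetical: a cache whose objects carry a 64-byte
 * user-writable region starting at offset 32. */
static const struct cache_model whitelisted_cache = { "example_cache", 32, 64 };

/* Replay the reported event: 24 bytes from user space to offset 24 of a
 * 'pid' object. Returns the abort line that results. */
static const char *pid_report_message(void)
{
    static char buf[160];

    if (usercopy_allowed(&pid_cache, 24, 24))
        return "(copy allowed)";
    format_abort_message(buf, sizeof(buf), &pid_cache, false, 24, 24);
    return buf;
}

int main(void)
{
    puts(pid_report_message());

    /* The same idea against a whitelisted cache, for contrast. */
    printf("example_cache offset 32 size 64: %s\n",
           usercopy_allowed(&whitelisted_cache, 32, 64) ? "allowed" : "aborted");
    printf("example_cache offset 40 size 64: %s\n",
           usercopy_allowed(&whitelisted_cache, 40, 64) ? "allowed" : "aborted");
    return 0;
}
```

The model makes the reasoning in the reply concrete: the check does not know what struct io_openat2_prep intended to fill, it only sees a copy_from_user() landing in an object that belongs to a cache with no usercopy whitelist, which is exactly what a pointer that now addresses freed-and-reallocated memory looks like.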