From: Dmitry Vyukov
Date: Mon, 13 Feb 2023 12:27:33 +0100
Subject: Re: [syzbot] BUG: bad usercopy in io_openat2_prep
To: Kees Cook
Cc: syzbot, akpm@linux-foundation.org, keescook@chromium.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, io-uring@vger.kernel.org, Aleksandr Nogikh
On Mon, 13 Feb 2023 at 12:05, Kees Cook wrote:
>
> On February 11, 2023 8:08:52 AM PST, syzbot wrote:
> >Hello,
> >
> >syzbot found the following issue on:
> >
> >HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
> >git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> >console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
> >kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
> >dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
> >compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> >userspace arch: arm64
> >syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
> >C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
> >
> >Downloadable assets:
> >disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
> >vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
> >kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
> >
> >IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
> >
> >usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
>
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??

We've just noticed that some of the syzbot arm64 configs did not enable KASAN, so it could produce false one-off reports caused by previous silent memory corruptions. So if you don't see anything obvious, don't spend too much time looking at it.

#syz invalid

> -Kees
>
> [...]
> >Call trace:
> > usercopy_abort+0x90/0x94
> > __check_heap_object+0xa8/0x100
> > __check_object_size+0x208/0x6b8
> > io_openat2_prep+0xcc/0x2b8
> > io_submit_sqes+0x338/0xbb8
> > __arm64_sys_io_uring_enter+0x168/0x1308
> > invoke_syscall+0x64/0x178
> > el0_svc_common+0xbc/0x180
> > do_el0_svc+0x48/0x110
> > el0_svc+0x58/0x14c
> > el0t_64_sync_handler+0x84/0xf0
> > el0t_64_sync+0x190/0x194
> >
>
> --
> Kees Cook
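To make the quoted usercopy report readable, here is a small model of the slab bounds check that produced it, added here as an illustration and not code from this thread or from the kernel: it takes a slab object's size, the copy's offset into that object and the copy length (the "offset" and "size" the report prints), and shows why 24 bytes at offset 24 of a 24-byte object is refused. The object base address and the `check_heap_object` name are assumptions for the example; the real `__check_heap_object` also honours per-cache usercopy whitelists and debug redzones, which this model leaves out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Teaching simplification of the hardened-usercopy slab bounds check,
 * not the kernel's __check_heap_object (which also applies per-cache
 * usercopy whitelists and debug redzones). */
struct slab_object {
	const char *cache_name;	/* slab cache name, "pid" in the report above */
	uintptr_t base;		/* address where the object starts (assumed) */
	size_t size;		/* object size in that cache */
};

struct usercopy_result {
	bool abort;		/* true: usercopy_abort() would fire */
	size_t offset;		/* ptr - base, the "offset" the report prints */
	size_t n;		/* copy length, the "size" the report prints */
};

/* Decide whether copying n bytes at ptr stays inside the slab object. */
struct usercopy_result check_heap_object(const struct slab_object *obj,
					 uintptr_t ptr, size_t n)
{
	struct usercopy_result r = { .abort = true, .offset = 0, .n = n };

	if (ptr < obj->base)			/* starts before the object */
		return r;
	r.offset = ptr - obj->base;
	if (r.offset >= obj->size)		/* starts at or past its end */
		return r;
	r.abort = n > obj->size - r.offset;	/* would run past its end */
	return r;
}

/* Constructed object modelled on the report: a 24-byte 'pid' slab object. */
static const struct slab_object pid_slab = { "pid", 0x1000, 24 };

int main(void)
{
	/* The report's numbers: a 24-byte copy starting 24 bytes into the object. */
	struct usercopy_result bad = check_heap_object(&pid_slab, pid_slab.base + 24, 24);
	if (bad.abort)
		printf("usercopy: Kernel memory overwrite attempt detected to SLUB object '%s' (offset %zu, size %zu)!\n",
		       pid_slab.cache_name, bad.offset, bad.n);
	/* A 16-byte copy at offset 8 fits in 24 bytes and is allowed. */
	struct usercopy_result ok = check_heap_object(&pid_slab, pid_slab.base + 8, 16);
	printf("in-bounds copy aborted: %s\n", ok.abort ? "yes" : "no");
	return 0;
}
```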