From: syzbot <syzbot+e443ef743ffab8e8bda9@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, keescook@chromium.org,
	linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [hardening?] [mm?] BUG: bad usercopy in io_openat2_prep (3)
Date: Tue, 21 Feb 2023 08:33:48 -0800	[thread overview]
Message-ID: <0000000000001efd4205f53858e1@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    2d3827b3f393 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14eb5abf480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=606ed7eeab569393
dashboard link: https://syzkaller.appspot.com/bug?extid=e443ef743ffab8e8bda9
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13088227480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1367b358c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd94d68ff17d/disk-2d3827b3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f304fbef0773/vmlinux-2d3827b3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/74eb318f51b0/Image-2d3827b3.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e443ef743ffab8e8bda9@syzkaller.appspotmail.com

usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor832 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90
sp : ffff800012ee3b90
x29: ffff800012ee3ba0 x28: 000000000000001c x27: ffff0000c72f8000
x26: 0000000020000000 x25: ffff80000cf52000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc00030cbe40 x21: ffff0000c32f9f18
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000002bce
x17: 63656a626f204255 x16: ffff0000c72f89f8 x15: ffff80000dbd2118
x14: ffff0000c72f8000 x13: 00000000ffffffff x12: ffff0000c72f8000
x11: ff808000081bbb4c x10: 0000000000000000 x9 : adc5950f6e29d600
x8 : adc5950f6e29d600 x7 : ffff80000bf650d4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:90
 __check_heap_object+0xa8/0x100 mm/slub.c:4761
 check_heap_object mm/usercopy.c:196 [inline]
 __check_object_size+0x208/0x6b8 mm/usercopy.c:251
 check_object_size include/linux/thread_info.h:199 [inline]
 check_copy_size include/linux/thread_info.h:235 [inline]
 copy_from_user include/linux/uaccess.h:160 [inline]
 copy_struct_from_user include/linux/uaccess.h:341 [inline]
 io_openat2_prep+0xcc/0x2b8 io_uring/openclose.c:89
 io_init_req io_uring/io_uring.c:2194 [inline]
 io_submit_sqe io_uring/io_uring.c:2241 [inline]
 io_submit_sqes+0x338/0xbb8 io_uring/io_uring.c:2395
 __do_sys_io_uring_enter io_uring/io_uring.c:3343 [inline]
 __se_sys_io_uring_enter io_uring/io_uring.c:3275 [inline]
 __arm64_sys_io_uring_enter+0x168/0x1308 io_uring/io_uring.c:3275
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193
 el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000) 
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
