From: syzbot <syzbot+a4c6e5ef999b68b26ed1@syzkaller.appspotmail.com>
To: asml.silence@gmail.com, axboe@kernel.dk,
io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [io-uring?] UBSAN: array-index-out-of-bounds in io_setup_async_msg
Date: Thu, 14 Sep 2023 09:04:47 -0700
Message-ID: <000000000000cee844060553d536@google.com>
In-Reply-To: <d1285714-a6ad-688a-1adf-6a41771aa301@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in io_setup_async_msg
================================================================================
UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
index 3779565697114 is out of range for type 'iovec [8]'
CPU: 1 PID: 5467 Comm: syz-executor.0 Not tainted 6.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
io_setup_async_msg+0x2a0/0x2b0 io_uring/net.c:189
io_recvmsg+0x169f/0x2170 io_uring/net.c:781
io_issue_sqe+0x54a/0xd80 io_uring/io_uring.c:1878
io_queue_sqe io_uring/io_uring.c:2063 [inline]
io_submit_sqe io_uring/io_uring.c:2323 [inline]
io_submit_sqes+0x96c/0x1ed0 io_uring/io_uring.c:2438
__do_sys_io_uring_enter+0x14ea/0x2650 io_uring/io_uring.c:3647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9a8a27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9a8af210c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007f9a8a39bf80 RCX: 00007f9a8a27cae9
RDX: 0000000000000000 RSI: 0000000000007689 RDI: 0000000000000003
RBP: 00007f9a8a2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f9a8a39bf80 R15: 00007ffd083c1e58
</TASK>
================================================================================
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: https://github.com/isilence/linux.git syz-test/netmsg-init-base
console output: https://syzkaller.appspot.com/x/log.txt?x=15ccbf30680000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
dashboard link: https://syzkaller.appspot.com/bug?extid=a4c6e5ef999b68b26ed1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.