From: Sasha Levin <sasha.levin@oracle.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>
Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>
Subject: tty: BUG: KASAN: out-of-bounds in tty_ioctl
Date: Tue, 26 Jan 2016 13:47:30 -0500
Message-ID: <56A7BF42.3000905@oracle.com>
Hi all,
I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:
[ 814.161028] ==================================================================
[ 814.162169] BUG: KASAN: out-of-bounds in tty_ioctl+0x2544/0x2810 at addr ffff8801c5034bd0
[ 814.163163] Read of size 8 by task syz-executor/22516
[ 814.163700] =============================================================================
[ 814.164592] BUG kmalloc-16 (Not tainted): kasan: bad access detected
[ 814.165171] -----------------------------------------------------------------------------
[ 814.165171]
[ 814.166374] Disabling lock debugging due to kernel taint
[ 814.167042] INFO: Allocated in tty_ldisc_get.part.0+0x66/0x140 age=7 cpu=6 pid=22524
[ 814.167983] ___slab_alloc+0x6fa/0x9a0
[ 814.168571] __slab_alloc.isra.43+0xae/0x160
[ 814.169085] kmem_cache_alloc+0x19e/0x2e0
[ 814.171274] tty_ldisc_get.part.0+0x66/0x140
[ 814.172337] tty_set_ldisc+0x746/0xa20
[ 814.172772] tty_ioctl+0xaf6/0x2810
[ 814.173212] do_vfs_ioctl+0x1cd/0x12a0
[ 814.178436] SyS_ioctl+0x8f/0xc0
[ 814.178931] entry_SYSCALL_64_fastpath+0x16/0x75
[ 814.179496] INFO: Freed in tty_ldisc_put+0x3e/0xa0 age=19 cpu=6 pid=22524
[ 814.180317] __slab_free+0x24b/0x530
[ 814.180767] kfree+0x192/0x2e0
[ 814.181125] tty_ldisc_put+0x3e/0xa0
[ 814.181522] tty_set_ldisc+0x484/0xa20
[ 814.181978] tty_ioctl+0xaf6/0x2810
[ 814.182392] do_vfs_ioctl+0x1cd/0x12a0
[ 814.185156] SyS_ioctl+0x8f/0xc0
[ 814.185584] entry_SYSCALL_64_fastpath+0x16/0x75
[ 814.186160] INFO: Slab 0xffffea0007140d00 objects=24 used=24 fp=0x (null) flags=0x2fffff80004080
[ 814.187297] INFO: Object 0xffff8801c5034bd0 @offset=3024 fp=0xffffffffb2bb8620
[ 814.187297]
[ 814.192003] Bytes b4 ffff8801c5034bc0: e1 cf 07 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
[ 814.193024] Object ffff8801c5034bd0: 20 86 bb b2 ff ff ff ff 40 9a dc c5 01 88 ff ff .......@.......
[ 814.193885] Redzone ffff8801c5034be0: cc cc cc cc cc cc cc cc ........
[ 814.194857] Padding ffff8801c5034d18: 00 00 00 00 00 00 00 00 ........
[ 814.195752] CPU: 3 PID: 22516 Comm: syz-executor Tainted: G B 4.4.0-next-20160125-sasha-12175-gc123483-dirty #2838
[ 814.197028] 1ffff10038c0df34 00000000a361be01 ffff8801c606fa20 ffffffffa24447d1
[ 814.197865] 0000000041b58ab3 ffffffffae6f38a8 ffffffffa2444706 ffff8800c39a2000
[ 814.198698] ffffffffae710866 ffff8801d1407a80 0000000000000008 ffff8801c5034bd0
[ 814.199532] Call Trace:
[ 814.199841] dump_stack (lib/dump_stack.c:52)
[ 814.201790] print_trailer (mm/slub.c:655)
[ 814.202368] object_err (mm/slub.c:662)
[ 814.202923] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:170 mm/kasan/report.c:237)
[ 814.204772] __asan_report_load8_noabort (mm/kasan/report.c:259 mm/kasan/report.c:280)
[ 814.206045] tty_ioctl (drivers/tty/tty_io.c:2877)
[ 814.212597] do_vfs_ioctl (fs/ioctl.c:44 fs/ioctl.c:674)
[ 814.217113] SyS_ioctl (fs/ioctl.c:689 fs/ioctl.c:680)
[ 814.217660] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[ 814.218355] Memory state around the buggy address:
[ 814.218866] ffff8801c5034a80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 814.219606] ffff8801c5034b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 814.220357] >ffff8801c5034b80: fc fc fc fc fc fc fc fc fc fc 00 00 fc fc fc fc
[ 814.221095] ^
[ 814.221725] ffff8801c5034c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 814.222496] ffff8801c5034c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
In tty_ioctl(), this is the following line:
case TIOCGETD:
return put_user(tty->ldisc->ops->num, (int __user *)p); <=== HERE
Thanks,
Sasha
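As an added triage aid (not part of Sasha's mail or of the kernel tree), here is a small Python parser for the KASAN/SLUB report format shown above, run over a constructed excerpt of that report. The `triage` heuristics are mine: SLUB's `age=` is jiffies since the event, so a free with a larger age than the allocation means the slot was recycled between the two, and a reporting pid that differs from the alloc/free pid points at concurrent tasks.

```python
import re

# Constructed excerpt of the KASAN report quoted in the mail above.
SAMPLE = """\
[ 814.162169] BUG: KASAN: out-of-bounds in tty_ioctl+0x2544/0x2810 at addr ffff8801c5034bd0
[ 814.163163] Read of size 8 by task syz-executor/22516
[ 814.164592] BUG kmalloc-16 (Not tainted): kasan: bad access detected
[ 814.167042] INFO: Allocated in tty_ldisc_get.part.0+0x66/0x140 age=7 cpu=6 pid=22524
[ 814.179496] INFO: Freed in tty_ldisc_put+0x3e/0xa0 age=19 cpu=6 pid=22524
[ 814.187297] INFO: Object 0xffff8801c5034bd0 @offset=3024 fp=0xffffffffb2bb8620
"""

HDR = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr ([0-9a-f]+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)")
CACHE = re.compile(r"BUG (\S+) \(")
TRACK = re.compile(r"INFO: (Allocated|Freed) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+ age=(\d+) cpu=(\d+) pid=(\d+)")


def parse_kasan(text):
    """Pull the triage-relevant fields out of a KASAN/SLUB report."""
    rep = {}
    for line in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", line)  # strip printk timestamp
        if m := HDR.match(line):
            rep.update(kind=m[1], func=m[2], addr=int(m[3], 16))
        elif m := ACCESS.match(line):
            rep.update(op=m[1].lower(), size=int(m[2]), task=m[3], pid=int(m[4]))
        elif m := CACHE.match(line):
            rep["cache"] = m[1]  # slab cache the object came from, e.g. kmalloc-16
        elif m := TRACK.match(line):
            rep[m[1].lower()] = dict(func=m[2], age=int(m[3]), cpu=int(m[4]), pid=int(m[5]))
    return rep


def triage(rep):
    """Heuristic notes: 'age' is jiffies since the event, so larger age == earlier."""
    notes = []
    a, f = rep.get("allocated"), rep.get("freed")
    if a and f and f["age"] > a["age"]:
        notes.append("slot recycled: freed in %s, then reallocated in %s" % (f["func"], a["func"]))
    if a and f and rep.get("pid") not in (a["pid"], f["pid"]):
        notes.append("accessing pid %d differs from alloc/free pid %d: concurrent tasks"
                     % (rep["pid"], a["pid"]))
    return notes


if __name__ == "__main__":
    report = parse_kasan(SAMPLE)
    print(report["kind"], "in", report["func"], "cache", report["cache"])
    for note in triage(report):
        print(" -", note)
```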
Thread overview: 5+ messages
2016-01-26 18:47 Sasha Levin [this message]
2016-01-26 18:55 ` tty: BUG: KASAN: out-of-bounds in tty_ioctl Peter Hurley
2016-01-26 18:58 ` Sasha Levin
2016-01-26 19:02 ` Peter Hurley
2016-01-26 20:23 ` Greg Kroah-Hartman