From: Niklas Cassel <cassel@kernel.org>
To: reveliofuzzing <reveliofuzzing@gmail.com>
Cc: damien.lemoal@opensource.wdc.com, linux-ide@vger.kernel.org
Subject: Re: out-of-bounds write in the function ata_pio_sector
Date: Fri, 17 Jan 2025 15:26:44 +0100 [thread overview]
Message-ID: <Z4popNqD1GZriXh3@ryzen> (raw)
In-Reply-To: <CA+-ZZ_jrKVws_mQ8MyqRJGSktgVt9wbB7xWrmBvGzCeFhvT0-w@mail.gmail.com>
Hello reveliofuzzing,
On Thu, Jan 02, 2025 at 11:23:49AM -0500, reveliofuzzing wrote:
> On Thu, Jan 2, 2025 at 5:40 AM Niklas Cassel <cassel@kernel.org> wrote:
> > On Wed, Jan 01, 2025 at 09:17:02PM -0500, reveliofuzzing wrote:
> > > Hi there,
> > >
> > > We found an out-of-bounds write in the function ata_pio_sector, which can cause
> > > the kernel to crash. We would like to report it for your reference.
> > >
> > > ## Problem in ata_pio_sector
> > > ata_pio_sector uses the following code to decide which page to use for the I/O:
> > > page = sg_page(qc->cursg);
> > > offset = qc->cursg->offset + qc->cursg_ofs;
> > >
> > > /* get the current page and offset */
> > > page = nth_page(page, (offset >> PAGE_SHIFT));
> > > offset %= PAGE_SIZE;
> > > but we found that `offset` could be as high as 0x5000---qc->cursg_ofs==0x5000,
> > > qc->cursg->offset == 0x0, making `page` point to a higher-position page that
> > > belongs to other threads.
> > >
> > > ## Example crash
> > > This out-of-bound write can cause the kernel to crash at arbitrary places,
> > > depending on when the corrupted page is accessed by the other thread.
> > >
> > > We found this problem can happen in Linux kernel 6.1~6.12. Here is one crash in
> > > Linux kernel 6.1:
> >
> > Thank you for reporting!
> >
> > I assume that you haven't tested kernels earlier than 6.1?
> Unfortunately, we haven't tested older kernels.
>
> >
> > (Looking at the driver, there was no major change between 6.0 and 6.1,
> > so this bug has probably been there for a long time.)
> >
> >
> > Could you please share your reproducer and your kernel config as well?
>
> Below we report our setup for linux kernel 6.12:
>
> - General steps to reproduce the bug
> 1. Launch the VM
> 2. Copy the reproducer (compiled binary) into the VM
> 3. Run it with the root user
> 4. Wait for the bug to happen (generally takes less than 3 minutes)
I managed to reproduce the bug using your bzImage and syz-executor binary.

However, the .config you provided does not match the bzImage.
E.g. the e1000/e1000e driver is not built-in in your .config,
so I get no networking, while it is enabled in your bzImage.
This makes me worried that you have other changes in your .config.
If you still have the exact config for this bzImage, could you please add
it as an attachment?

I've been using the syz-executor binary that you attached, since the C code
pasted below does not compile; it seems like it has some unintended newlines.
Perhaps you could add it as an attachment instead?

Also, you only talk about the 6.12 kernel. Out of curiosity, have you managed to
reproduce this bug on v6.13-rc kernels? Have you tried?
Kind regards,
Niklas
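The report above boils down to the page/offset arithmetic quoted from ata_pio_sector: qc->cursg_ofs (0x5000 in the report) is added to qc->cursg->offset, the page pointer is advanced by offset >> PAGE_SHIFT, and the remainder becomes the in-page offset. Nothing in that computation checks that the result still lies within the scatterlist entry. The following C model is an added example written for this archive page; it is not libata code and not the fix that was eventually merged. It assumes a 4 KiB page (PAGE_SHIFT 12), a constructed stand-in for struct scatterlist, and a hypothetical helper pio_sector_in_bounds() that shows the kind of check a driver would apply before the transfer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed assumptions: 4 KiB pages as in the report, 512-byte ATA sector. */
#define PAGE_SHIFT    12
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define ATA_SECT_SIZE 512

/* Minimal stand-in for the fields of struct scatterlist that the quoted
 * code uses: the entry's first page, its byte offset into that page, and
 * its length in bytes. Not the kernel's structure. */
struct sg_entry {
    unsigned long first_page;  /* index of the sg entry's first page */
    unsigned int  offset;      /* qc->cursg->offset */
    unsigned int  length;      /* qc->cursg->length */
};

struct pio_target {
    unsigned long page;        /* page the sector would be written to */
    unsigned int  offset;      /* byte offset within that page */
};

/* Mirrors the arithmetic quoted in the report: advance the page by
 * offset >> PAGE_SHIFT, then reduce the offset modulo PAGE_SIZE. */
struct pio_target pio_resolve(const struct sg_entry *sg, unsigned int cursg_ofs)
{
    unsigned int offset = sg->offset + cursg_ofs;
    struct pio_target t;

    t.page   = sg->first_page + (offset >> PAGE_SHIFT);
    t.offset = offset % PAGE_SIZE;
    return t;
}

/* Number of pages the sg entry actually covers, counted from first_page. */
static unsigned long sg_page_count(const struct sg_entry *sg)
{
    unsigned int end = sg->offset + sg->length;   /* one past the last byte */

    return (end + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* True when the resolved page is beyond the pages owned by this sg entry,
 * i.e. the write would land in memory belonging to someone else. */
bool pio_target_escapes_sg(const struct sg_entry *sg, unsigned int cursg_ofs)
{
    struct pio_target t = pio_resolve(sg, cursg_ofs);

    return t.page >= sg->first_page + sg_page_count(sg);
}

/* Hypothetical defensive check (not libata's): a transfer of `count` bytes
 * starting at cursg_ofs must fit entirely inside the current sg entry. */
bool pio_sector_in_bounds(const struct sg_entry *sg, unsigned int cursg_ofs,
                          unsigned int count)
{
    return cursg_ofs < sg->length && count <= sg->length - cursg_ofs;
}

int main(void)
{
    /* Constructed sg entry: one 4 KiB page at page index 100, offset 0. */
    struct sg_entry sg = { .first_page = 100, .offset = 0, .length = 4096 };
    unsigned int cases[] = { 512, 0x5000 };   /* 0x5000 is the value from the report */

    for (unsigned i = 0; i < 2; i++) {
        struct pio_target t = pio_resolve(&sg, cases[i]);

        printf("cursg_ofs=0x%x -> page %lu offset 0x%x, in_bounds=%d escapes=%d\n",
               cases[i], t.page, t.offset,
               pio_sector_in_bounds(&sg, cases[i], ATA_SECT_SIZE),
               pio_target_escapes_sg(&sg, cases[i]));
    }
    return 0;
}
```

With the report's values the model resolves cursg_ofs 0x5000 to page 105, five pages past the single page the entry owns, which is exactly the "page that belongs to other threads" described above; the bounds helper rejects that transfer because 0x5000 is not below the entry's length.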
Thread overview:
2025-01-02 2:17 out-of-bounds write in the function ata_pio_sector reveliofuzzing
2025-01-02 10:40 ` Niklas Cassel
2025-01-02 16:23 ` reveliofuzzing
2025-01-17 14:26 ` Niklas Cassel [this message]
2025-01-17 16:42 ` reveliofuzzing
2025-01-20 13:54 ` Niklas Cassel
2025-01-20 16:47 ` reveliofuzzing
2025-01-22 14:59 ` Niklas Cassel
2025-01-29 3:09 ` Martin K. Petersen
2025-01-29 9:57 ` Niklas Cassel