From: Pavel Begunkov
To: Kees Cook, syzbot, akpm@linux-foundation.org, keescook@chromium.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, io-uring@vger.kernel.org
Subject: Re: [syzbot] BUG: bad usercopy in io_openat2_prep
Date: Sun, 12 Feb 2023 15:47:13 +0000
Message-ID: <9552a45f-6a26-e7fa-aa63-3c74a7d17261@gmail.com>
References: <00000000000088b3d905f46ed421@google.com>

On 2/11/23 16:36, Kees Cook wrote:
> On February 11, 2023 8:08:52 AM PST, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>> userspace arch: arm64
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000

I couldn't reproduce it, let's try latest io_uring first

#syz test: https://git.kernel.dk/linux.git for-6.3/io_uring

>> Downloadable assets:
>> disk image:   https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>> vmlinux:      https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+cdd9922704fc75e03ffc@syzkaller.appspotmail.com
>>
>> usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
>
> This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
>
> -Kees
>
>> [...]
>> Call trace:
>>  usercopy_abort+0x90/0x94
>>  __check_heap_object+0xa8/0x100
>>  __check_object_size+0x208/0x6b8
>>  io_openat2_prep+0xcc/0x2b8
>>  io_submit_sqes+0x338/0xbb8
>>  __arm64_sys_io_uring_enter+0x168/0x1308
>>  invoke_syscall+0x64/0x178
>>  el0_svc_common+0xbc/0x180
>>  do_el0_svc+0x48/0x110
>>  el0_svc+0x58/0x14c
>>  el0t_64_sync_handler+0x84/0xf0
>>  el0t_64_sync+0x190/0x194
>
>

-- 
Pavel Begunkov
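Added illustration, not code from this thread and not the kernel's own source: a userspace model in C of the check that produced the splat quoted above, mm/slub.c:__check_heap_object() under CONFIG_HARDENED_USERCOPY. It shows how the kernel locates a copy_from_user() destination inside its slab object (offset modulo the object stride) and then requires the whole copy to sit inside the cache's whitelisted [useroffset, useroffset + usersize] window; a cache created with plain kmem_cache_create() has usersize 0, so any usercopy into it aborts, and usercopy_abort() prints the offset and length seen in the report. The 24-byte copy matches uapi struct open_how (three __u64 fields), which io_openat2_prep copies from userspace. Red-zone and KFENCE adjustments are left out, and the cache names, strides, whitelist window and slab address are constructed for the example, not taken from the real 'pid' cache.

```c
/*
 * Userspace model of __check_heap_object() (CONFIG_HARDENED_USERCOPY).
 * Not kernel code: it mirrors only the decision logic. Cache geometry,
 * addresses and the whitelist window below are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The kmem_cache fields the check consults. */
struct model_cache {
    const char *name;
    size_t size;        /* object stride inside the slab page */
    size_t useroffset;  /* start of the usercopy whitelist */
    size_t usersize;    /* length of the whitelist; 0 means no usercopy allowed */
};

struct verdict {
    int aborted;        /* 1 where the kernel would call usercopy_abort() */
    size_t offset;      /* destination offset inside its object, as printed */
    size_t len;         /* bytes being copied, as printed */
};

/* Decide as __check_heap_object() would for a copy of n bytes to dst. */
static struct verdict check_heap_object(const struct model_cache *s,
                                        uintptr_t slab_base,
                                        uintptr_t dst, size_t n)
{
    struct verdict v = { 0, 0, n };

    /* Position of dst inside its object: distance from slab start mod stride. */
    v.offset = (size_t)(dst - slab_base) % s->size;

    /* Allow only an address range falling entirely within the whitelist.
     * size_t wraparound in the third term cancels out once the second
     * condition holds, exactly as in the kernel's expression. */
    if (v.offset >= s->useroffset &&
        v.offset - s->useroffset <= s->usersize &&
        n <= s->useroffset - v.offset + s->usersize)
        return v;

    v.aborted = 1;
    return v;
}

/* Same wording as usercopy_abort(): "overwrite ... to" for copy_from_user(),
 * "exposure ... from" for copy_to_user(). */
static int format_splat(const struct model_cache *s, const struct verdict *v,
                        int to_user, char *buf, size_t buflen)
{
    return snprintf(buf, buflen,
                    "usercopy: Kernel memory %s attempt detected %s SLUB object "
                    "'%s' (offset %zu, size %zu)!",
                    to_user ? "exposure" : "overwrite",
                    to_user ? "from" : "to",
                    s->name, v->offset, v->len);
}

/* uapi struct open_how is three __u64s: the 24-byte copy in the report. */
struct open_how_model { uint64_t flags, mode, resolve; };

/* Constructed: a cache with no whitelist (stride 64 is illustrative only). */
static const struct model_cache no_whitelist = { "pid", 64, 0, 0 };
/* Constructed: a cache whitelisting bytes [32, 96) of each object, as
 * kmem_cache_create_usercopy(..., useroffset 32, usersize 64, ...) would. */
static const struct model_cache whitelisted = { "demo_usercopy", 128, 32, 64 };
static const uintptr_t SLAB_BASE = 0x10000000u;   /* constructed address */

/* The report's pattern: 24 bytes landing at offset 24 of an object in a cache
 * that permits no usercopy at all. Returns 1 if the model aborts with those
 * numbers. */
static int demo_no_whitelist_aborts(void)
{
    uintptr_t dst = SLAB_BASE + 3 * no_whitelist.size + 24;
    struct verdict v = check_heap_object(&no_whitelist, SLAB_BASE, dst,
                                         sizeof(struct open_how_model));
    return v.aborted && v.offset == 24 && v.len == 24;
}

/* Render that verdict and compare it with the line syzbot quoted. */
static int demo_splat_text_matches(void)
{
    char buf[160];
    uintptr_t dst = SLAB_BASE + 3 * no_whitelist.size + 24;
    struct verdict v = check_heap_object(&no_whitelist, SLAB_BASE, dst, 24);
    format_splat(&no_whitelist, &v, 0, buf, sizeof buf);
    return strcmp(buf, "usercopy: Kernel memory overwrite attempt detected to "
                       "SLUB object 'pid' (offset 24, size 24)!") == 0;
}

/* A copy wholly inside the whitelist (40..64 within [32, 96)) is allowed. */
static int demo_inside_whitelist_allowed(void)
{
    uintptr_t dst = SLAB_BASE + whitelisted.size + 40;
    return !check_heap_object(&whitelisted, SLAB_BASE, dst, 24).aborted;
}

/* A copy starting inside the whitelist but running past its end (80..104)
 * aborts, even though every byte is still inside the object. */
static int demo_straddling_whitelist_aborts(void)
{
    uintptr_t dst = SLAB_BASE + whitelisted.size + 80;
    return check_heap_object(&whitelisted, SLAB_BASE, dst, 24).aborted;
}

int main(void)
{
    printf("no whitelist, 24 bytes at offset 24: %s\n",
           demo_no_whitelist_aborts() ? "abort" : "allowed");
    printf("splat text matches report: %s\n",
           demo_splat_text_matches() ? "yes" : "no");
    printf("inside whitelist: %s\n",
           demo_inside_whitelist_allowed() ? "allowed" : "abort");
    printf("straddling whitelist end: %s\n",
           demo_straddling_whitelist_aborts() ? "abort" : "allowed");
    return 0;
}
```

The model makes the reasoning in the thread concrete: the check does not know which object the caller believes it holds, it only knows which cache the destination address currently belongs to. A destination that the code thinks is its own request structure but that resolves to an object in a different cache with no whitelist is therefore reported exactly like this, which is why the splat reads as evidence of the pointer being stale rather than of a bug in the copy itself.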