Re: BUG: bad usercopy in ___sys_sendmsg
From: Dmitry Vyukov
Date: Sun Dec 31 2017 - 03:10:06 EST
On Sun, Dec 17, 2017 at 12:31 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Sat, Dec 16, 2017 at 12:29 PM, syzbot
> <bot+60f2c3a2a759796bd44ac3f94599ab78756b6a62@xxxxxxxxxxxxxxxxxxxxxxxxx>
> wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 5c13e07580c8bd2af6aa902d6b62faa968c360bc
>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>>
>> Unfortunately, I don't have any reproducer for this bug yet.
>>
>
> The report before the BUG output is:
>
> [ 518.368426] usercopy: kernel memory overwrite attempt detected to
> 000000009919ac15 (kmalloc-1024) (960 bytes)
>
> This looks like a heap overflow (the offset into the 1024 buffer isn't
> being reported, so it's not clear how far it goes):
>
> if (copy_from_user(ctl_buf,
> (void __user __force *)msg_sys->msg_control,
> ctl_len))
>
> I would expect the 960 to be ctl_len, though this somehow means the
> earlier sock_kmalloc() and kmalloc() broke in some insane fashion.
>
> A reproducer would be nice here; maybe there is some other corruption
> happening that manifests as an overflow?
>
> -Kees
>
>
>>
>> ------------[ cut here ]------------
>> netlink: 'syz-executor2': attribute type 5 has an invalid length.
>> kernel BUG at mm/usercopy.c:72!
>> invalid opcode: 0000 [#1] SMP KASAN
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Modules linked in:
>> CPU: 0 PID: 24150 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #153
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
>> RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
>> RSP: 0018:ffff8801cece7940 EFLAGS: 00010282
>> RAX: 0000000000000061 RBX: ffffffff85328d40 RCX: 0000000000000000
>> RDX: 0000000000000061 RSI: ffffc90003cae000 RDI: ffffed0039d9cf1c
>> RBP: ffff8801cece7a30 R08: ffff8801cece71a8 R09: 0000000000000000
>> R10: 00000000712bcb5c R11: 0000000000000000 R12: ffffffff85328d00
>> R13: ffff8801cb8936d0 R14: 00000000000003c0 R15: ffffea00072e2480
>> FS: 00007f8422fd6700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000558e50e10460 CR3: 000000019cd91000 CR4: 00000000001406f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> check_object_size include/linux/thread_info.h:112 [inline]
>> check_copy_size include/linux/thread_info.h:143 [inline]
>> copy_from_user include/linux/uaccess.h:146 [inline]
>> ___sys_sendmsg+0x58f/0x8a0 net/socket.c:2003
>> __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2116
>> SYSC_sendmmsg net/socket.c:2147 [inline]
>> SyS_sendmmsg+0x35/0x60 net/socket.c:2142
>> entry_SYSCALL_64_fastpath+0x1f/0x96
>> RIP: 0033:0x452a39
>> RSP: 002b:00007f8422fd5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000133
>> RAX: ffffffffffffffda RBX: 00007f8422fd6700 RCX: 0000000000452a39
>> RDX: 0000000000000006 RSI: 000000002077ce98 RDI: 0000000000000015
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
>> R13: 0000000000a6f7ff R14: 00007f8422fd69c0 R15: 0000000000000000
>> Code: 48 0f 44 da e8 e0 6e c2 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c
>> 89 e2 48 89 de 48 c7 c7 00 8e 32 85 49 89 c0 e8 e6 2c ac ff <0f> 0b 48 c7 c0
>> c0 8b 32 85 eb 96 48 c7 c0 00 8c 32 85 eb 8d 48
>> RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801cece7940
>> RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801cece7940
>> ---[ end trace 22ce313ea80c715c ]---
>> Kernel panic - not syncing: Fatal exception
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkaller@xxxxxxxxxxxxxxxxx
>> Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is merged into any tree, reply to this email with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
Bad things on kmalloc-1024 are most likely caused by an invalid free
in pcrypt, it freed a pointer into a middle of a 1024 byte heap object
which was undetected by KASAN (now there is a patch for this in mm
tree) and later caused all kinds of bad things:
https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
https://patchwork.kernel.org/patch/10126761/
#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)