Re: BUG: bad usercopy in __check_object_size (2)
From: Tetsuo Handa
Date: Fri Sep 07 2018 - 12:18:56 EST
On 2018/09/08 0:29, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:ÂÂÂ 28619527b8a7 Merge git://git.kernel.org/pub/scm/linux/kern..
> git tree:ÂÂÂÂÂÂ bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=124e64d1400000
> kernel config:Â https://syzkaller.appspot.com/x/.config?x=62e9b447c16085cf
> dashboard link: https://syzkaller.appspot.com/bug?extid=a3c9d2673837ccc0f22b
> compiler:ÂÂÂÂÂÂ gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:ÂÂÂÂÂ https://syzkaller.appspot.com/x/repro.syz?x=179f9cd1400000
> C reproducer:ÂÂ https://syzkaller.appspot.com/x/repro.c?x=11b3e8be400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a3c9d2673837ccc0f22b@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Âentry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x440479
> usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 64)!
Kees, is this because check_page_span() is failing to allow on-stack variable
u8 opcodes[OPCODE_BUFSIZE];
which by chance crossed PAGE_SIZE boundary?