On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello,
syzbot found the following issue on:
HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx
usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
-Kees
[...]
Call trace:
usercopy_abort+0x90/0x94
__check_heap_object+0xa8/0x100
__check_object_size+0x208/0x6b8
io_openat2_prep+0xcc/0x2b8
io_submit_sqes+0x338/0xbb8
__arm64_sys_io_uring_enter+0x168/0x1308
invoke_syscall+0x64/0x178
el0_svc_common+0xbc/0x180
do_el0_svc+0x48/0x110
el0_svc+0x58/0x14c
el0t_64_sync_handler+0x84/0xf0
el0t_64_sync+0x190/0x194