Re: Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex

Kun Hu <huk23@xxxxxxxxxxxxxx> · Thu, 26 Dec 2024 14:08:11 +0800

>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516

> 
> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c. 
> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte).
> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
> 
> if (sysex->len >= MAX_SYSEX_BUFLEN) { 
>   sysex->len = 0; 
>   sysex->skip = 1; 
>   return -EINVAL;  /* Exit early if sysex->len is out of bounds */ 
> }

If you need any more information, please don't hesitate to let me know.

—————
Best regards,
Kun Hu

> 2024年12月25日 13:37，Kun Hu <huk23@xxxxxxxxxxxxxx> 写道：
> 
> Hello,
> 
>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
> 
> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c. 
> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte).
> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
> 
> if (sysex->len >= MAX_SYSEX_BUFLEN) { 
>   sysex->len = 0; 
>   sysex->skip = 1; 
>   return -EINVAL;  /* Exit early if sysex->len is out of bounds */ 
> }
> 
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>
> 
> —————
> Thanks,
> Kun Hu
> 
>> 2024年12月24日 19:16，Kun Hu <huk23@xxxxxxxxxxxxxx> 写道：
>> 
>> Hello,
>> 
>> When using fuzzer tool to fuzz the latest Linux kernel, the following crash
>> was triggered.
>> 
>> HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
>> git tree: upstream
>> Console output:https://drive.google.com/file/d/17oCyKDW_kNhSW5Bbvm23vnpD1eo0MHFi/view?usp=sharing
>> Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
>> C reproducer: https://drive.google.com/file/d/177HJht6a7-6F3YLudKb_d4kiPGd1VA_i/view?usp=sharing
>> Syzlang reproducer: https://drive.google.com/file/d/1AuP5UGGc47rEXXPuvjmCKgJ3d0U1P84j/view?usp=sharing
>> 
>> 
>> If you fix this issue, please add the following tag to the commit:
>> Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>
>> 
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
>> Write of size 1 at addr ff1100000588e288 by task syz-executor411/824
>> 
>> CPU: 2 UID: 0 PID: 824 Comm: syz-executor411 Not tainted 6.13.0-rc3 #5
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>> Call Trace:
>> <TASK>
>> __dump_stack lib/dump_stack.c:94 [inline]
>> dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
>> print_address_description mm/kasan/report.c:378 [inline]
>> print_report+0xcf/0x5f0 mm/kasan/report.c:489
>> kasan_report+0x93/0xc0 mm/kasan/report.c:602
>> snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
>> snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61
>> insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline]
>> snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135
>> odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168
>> vfs_write fs/read_write.c:677 [inline]
>> vfs_write+0x2e3/0x10f0 fs/read_write.c:659
>> ksys_write+0x122/0x240 fs/read_write.c:731
>> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>> do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f69b379994d
>> Code: c3 e8 97 2a 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007f69b3718d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 00007f69b382d2d0 RCX: 00007f69b379994d
>> RDX: 0000000000000008 RSI: 0000000020000140 RDI: 0000000000000003
>> RBP: 00007f69b382d2d8 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69b382d2dc
>> R13: 0000000020000140 R14: 00007f69b37fa008 R15: 000000000000000d
>> </TASK>
>> 
>> Allocated by task 823:
>> kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
>> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>> kmalloc_noprof include/linux/slab.h:901 [inline]
>> kzalloc_noprof include/linux/slab.h:1037 [inline]
>> snd_seq_oss_synth_sysex+0x1d9/0x6c0 sound/core/seq/oss/seq_oss_synth.c:502
>> snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61
>> insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline]
>> snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135
>> odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168
>> vfs_write fs/read_write.c:677 [inline]
>> vfs_write+0x2e3/0x10f0 fs/read_write.c:659
>> ksys_write+0x122/0x240 fs/read_write.c:731
>> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>> do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> 
>> The buggy address belongs to the object at ff1100000588e200
>> which belongs to the cache kmalloc-192 of size 192
>> The buggy address is located 0 bytes to the right of
>> allocated 136-byte region [ff1100000588e200, ff1100000588e288)
>> 
>> The buggy address belongs to the physical page:
>> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x588e
>> anon flags: 0x100000000000000(node=0|zone=1)
>> page_type: f5(slab)
>> raw: 0100000000000000 ff1100000103c3c0 ffd4000000162340 dead000000000003
>> raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
>> page dumped because: kasan: bad access detected
>> 
>> Memory state around the buggy address:
>> ff1100000588e180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ff1100000588e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> ff1100000588e280: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>                     ^
>> ff1100000588e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ff1100000588e380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ==================================================================
>> 
>> ---------------
>> thanks,
>> Kun Hu
> 
> 