[Linux Kernel Crash] "WARNING: kmalloc bug in dm_table_create"

Hello,

We detected another crash bug for the `md` driver implemented in `drivers/md/dm-ioctl.c` and `dm-table.c` by using Syzkaller. This is kind of like "kmalloc bug in ctl_ioctl", but it is related to another CMD value and argument (`DM_TABLE_LOAD_CMD` and `struct dm_ioctl.target_count`).

Based on our understanding, this bug is caused by `n_highs = kvcalloc(num, sizeof(struct dm_target) + sizeof(sector_t), GFP_KERNEL);` in `dm-table.c` (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-table.c#L112). This allocates an array with a size over INT_MAX.

A possible patch is to add a check for `struct dm_ioctl.target_count`, which is the argument for the `ioctl` with `DM_TABLE_LOAD_CMD` as the command value. Currently, there is no check for this argument.

We reproduced this bug in the latest Linux kernel (reproducible on 3bd7d748816927202268cb335921f7f68b3ca723 and found on d2f51b3516dade79269ff45eae2a7668ae711b25), and the config for the kernel is attached.

Here is the log and the Syzkaller reproducer. The C reproducer is also attached, which can be compiled with `gcc -pthread`.

```
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7921 at mm/util.c:622 kvmalloc_node+0x194/0x1a0 mm/util.c:622
Modules linked in:
CPU: 0 PID: 7921 Comm: syz-executor152 Not tainted 6.6.0-gd2f51b3516da #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kvmalloc_node+0x194/0x1a0 mm/util.c:622
Code: a2 3f 1c 00 eb aa e8 ab 40 c9 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 ba 3c c9 ff 45 85 ed 0f 85 1b ff ff ff e8 8c 40 c9 ff <0f> 0b e9 e3 fe ff ff 0f 1f 44 00 00 f3 0f 1e fa 41 55 49 89 f5 41
RSP: 0018:ffffc900021e7b60 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000400 RCX: ffffffff81b9bd56
RDX: ffff888047eada00 RSI: ffffffff81b9bd64 RDI: 0000000000000005
RBP: 00000000b0000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88801ba33000
FS:  0000555556cf93c0(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020200000 CR3: 0000000047ea4000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 kvmalloc include/linux/slab.h:738 [inline]
 kvmalloc_array include/linux/slab.h:756 [inline]
 kvcalloc include/linux/slab.h:761 [inline]
 alloc_targets drivers/md/dm-table.c:112 [inline]
 dm_table_create+0x127/0x390 drivers/md/dm-table.c:150
 table_load+0x18a/0x950 drivers/md/dm-ioctl.c:1508
 ctl_ioctl+0x707/0xad0 drivers/md/dm-ioctl.c:2081
 dm_ctl_ioctl+0x25/0x30 drivers/md/dm-ioctl.c:2103
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0xe0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe09daec38d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8964d0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd8964d2b8 RCX: 00007fe09daec38d
RDX: 0000000020000180 RSI: 00000000c138fd09 RDI: 0000000000000004
RBP: 0000000000000001 R08: 00007ffd8964d2b8 R09: 00007ffd8964d2b8
R10: 00007ffd8964d2b8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd8964d2a8 R14: 00007fe09db69530 R15: 0000000000000001
 </TASK>
```

Best,

Chenyuan

Attachment: repro.cprog
Description: repro.cprog

Attachment: repro.log
Description: repro.log

Attachment: repro.prog
Description: repro.prog

Attachment: repro.report
Description: repro.report

Attachment: repro.stats
Description: repro.stats
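The report above describes the path from an unchecked `struct dm_ioctl.target_count` to a `kvcalloc()` request larger than INT_MAX and the resulting `kvmalloc_node()` WARNING. The following is an added, stand-alone user-space model of that arithmetic and of the bound check the report proposes; it is editorial example code, not the attached reproducer and not kernel code. The struct size, `KEYS_PER_NODE`, the policy cap `DM_MAX_TARGETS` and the function names `alloc_targets_size`, `kvmalloc_would_warn` and `dm_validate_target_count` are assumptions chosen for illustration and are not taken from the page or from the kernel tree.

```c
/*
 * Added example: model of the size computation behind
 *   n_highs = kvcalloc(num, sizeof(struct dm_target) + sizeof(sector_t), GFP_KERNEL);
 * in alloc_targets(), plus a validation step on the untrusted ioctl argument.
 * All constants below are assumptions for a 64-bit build, not kernel values.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE       4096UL
#define SECTOR_T_SIZE   sizeof(uint64_t)  /* sector_t on 64-bit (assumption) */
#define DM_TARGET_SIZE  128UL             /* assumed sizeof(struct dm_target) */
#define KEYS_PER_NODE   8UL               /* assumed L1_CACHE_BYTES / sizeof(sector_t) */
#define DM_MAX_TARGETS  1048576UL         /* illustrative policy cap (assumption) */

/* Round n up to a multiple of sz; sz must be a power of two here. */
static unsigned long dm_round_up(unsigned long n, unsigned long sz)
{
    return (n + sz - 1) & ~(sz - 1);
}

/*
 * Byte size of the array the model allocates for target_count targets,
 * after the same rounding-up to KEYS_PER_NODE the table code performs.
 * Returns 0 if the multiplication would overflow size_t (the overflow
 * case kvcalloc itself rejects); it does not enforce the INT_MAX limit.
 */
static size_t alloc_targets_size(unsigned int target_count)
{
    unsigned long num = dm_round_up(target_count, KEYS_PER_NODE);
    size_t elem = DM_TARGET_SIZE + SECTOR_T_SIZE;

    if (num != 0 && elem > SIZE_MAX / num)
        return 0;
    return (size_t)num * elem;
}

/*
 * kvmalloc refuses sizes above INT_MAX; with GFP_KERNEL and no
 * __GFP_NOWARN that refusal is the WARNING in the report. Model that
 * decision: only requests beyond a page reach the vmalloc fallback where
 * the size check lives.
 */
static int kvmalloc_would_warn(size_t size)
{
    return size > PAGE_SIZE && size > (size_t)INT_MAX;
}

/*
 * Proposed check on the untrusted struct dm_ioctl.target_count, applied
 * before any allocation is attempted: reject zero, reject anything above a
 * fixed policy cap, and reject any count whose rounded-up allocation would
 * overflow or exceed INT_MAX. Returns 0 on success or a negative errno.
 */
static int dm_validate_target_count(unsigned int target_count)
{
    size_t size;

    if (target_count == 0)
        return -EINVAL;
    if (target_count > DM_MAX_TARGETS)
        return -EOVERFLOW;
    size = alloc_targets_size(target_count);
    if (size == 0 || size > (size_t)INT_MAX)
        return -EOVERFLOW;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a sane count, and two attacker-controlled ones. */
    unsigned int counts[] = { 16, 0x10000000u, 0xffffffffu };
    size_t i;

    for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        size_t size = alloc_targets_size(counts[i]);
        printf("target_count=%#x size=%zu would_warn=%d validate=%d\n",
               counts[i], size, kvmalloc_would_warn(size),
               dm_validate_target_count(counts[i]));
    }
    return 0;
}
```

The point of the check is ordering: the bound is applied to the raw ioctl field before it is rounded up and multiplied, so neither the overflow path nor the INT_MAX refusal in the allocator is ever reached for a malicious count, and the caller gets a clean `-EOVERFLOW` instead of a kernel WARNING.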

