Re: [syzbot] BUG: bad usercopy in io_openat2_prep

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>syzbot found the following issue on:
>HEAD commit:    ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree:       git:// for-kernelci
>console output:
>kernel config:
>dashboard link:
>compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro:
>C reproducer:
>Downloadable assets:
>disk image:
>kernel image:
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!

This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??


> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194

Kees Cook

[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux