On Sat, May 26, 2018 at 11:16 AM, syzbot <syzbot+a1264132fc103340628f@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13e030d7800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=16b624d7800000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1364e0d7800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a1264132fc103340628f@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> ==================================================================
> BUG: KASAN: use-after-free in do_general_protection+0x2ac/0x2f0 arch/x86/kernel/traps.c:538
> Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544
>
> CPU: 0 PID: 4544 Comm: syz-executor171 Not tainted 4.17.0-rc6+ #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>
> The buggy address belongs to the page:
> page:ffffea00075c61c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
> raw: 0000000000000000 ffffea00075c0101 0000000000000000 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                             ^
>  ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff8801d7187480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 4544 Comm: syz-executor171 Tainted: G    B             4.17.0-rc6+ #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

Dups of this bug:
KASAN: stack-out-of-bounds Read in do_general_protection
KASAN: slab-out-of-bounds Read in vmx_vcpu_run
KASAN: use-after-scope Read in vmx_vcpu_run
KASAN: stack-out-of-bounds Write in notify_die

See full info at:
https://syzkaller.appspot.com/bug?extid=a1264132fc103340628f

There seem to be 2 problems:
1. msr_write_intercepted doing something notoriously bad.
2. general_protection fault handler somehow allocates pt_regs overlapping with vmx_run frame. This can be an issue with interrupts too.

> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
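Added here as an editor's illustration, not part of the message above or of syzbot's own tooling: a small Python decoder for the "Memory state around the buggy address" rows that KASAN prints. Each row shows 16 shadow bytes and therefore covers 128 bytes of kernel memory, one shadow byte per 8-byte granule; 0x00 means the granule is fully addressable, 0x01..0x07 that only the first N bytes are, and the 0xF1..0xFF values are poison patterns whose names are taken from mm/kasan/kasan.h in the 4.17 kernel. The sample input is the relevant lines copied from the report (the caret column is reconstructed from the faulting address, since the extraction lost it). For this report the decoder lands on shadow 0xff, KASAN_FREE_PAGE, which agrees with the page dump's count:0: the 8-byte read hit a page that had already been returned to the allocator.

```python
import re

# Shadow-byte encodings from mm/kasan/kasan.h (Linux 4.17).
# 0x00: all 8 bytes addressable; 0x01..0x07: only the first N bytes are.
SHADOW_MEANING = {
    0xFF: "KASAN_FREE_PAGE (page returned to the page allocator)",
    0xFE: "KASAN_PAGE_REDZONE",
    0xFC: "KASAN_KMALLOC_REDZONE",
    0xFB: "KASAN_KMALLOC_FREE (freed slab object)",
    0xFA: "KASAN_GLOBAL_REDZONE",
    0xF1: "KASAN_STACK_LEFT",
    0xF2: "KASAN_STACK_MID",
    0xF3: "KASAN_STACK_RIGHT",
    0xF4: "KASAN_STACK_PARTIAL",
    0xF8: "KASAN_USE_AFTER_SCOPE",
}

GRANULE = 8               # bytes of kernel memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE  # a "Memory state" row lists 16 shadow bytes = 128 bytes

# Row: optional '>' marker and spaces, 16 hex digits, ':', then 16 shadow bytes.
ROW_RE = re.compile(r"^[>\s]*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")


def parse_shadow_rows(report):
    """Map each row's base address to its list of 16 shadow-byte values."""
    rows = {}
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def granule_ok(shadow, offset, nbytes):
    """True if bytes [offset, offset+nbytes) of one granule are addressable."""
    if shadow == 0:
        return True
    if 1 <= shadow < GRANULE:          # partially addressable granule
        return offset + nbytes <= shadow
    return False                       # redzone, freed memory or stack poison


def classify_access(report):
    """Find the faulting access in the report and explain the shadow KASAN saw."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_shadow_rows(report)
    granules = []
    cur, end = addr, addr + size
    while cur < end:                   # a misaligned access may span two granules
        row_base = cur & ~(ROW_BYTES - 1)
        idx = (cur - row_base) // GRANULE
        offset = cur % GRANULE
        nbytes = min(GRANULE - offset, end - cur)
        shadow = rows[row_base][idx]
        default = "addressable" if shadow < GRANULE else "unknown poison"
        granules.append({
            "granule": row_base + idx * GRANULE,
            "shadow": shadow,
            "ok": granule_ok(shadow, offset, nbytes),
            "meaning": SHADOW_MEANING.get(shadow, default),
        })
        cur += nbytes
    return {"kind": kind, "size": size, "addr": addr, "granules": granules}


# Constructed excerpt: the relevant lines of the syzbot report quoted above.
SAMPLE_REPORT = """\
Read of size 8 at addr ffff8801d7187398 by task syz-executor171/4544
Memory state around the buggy address:
 ffff8801d7187280: 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d7187300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d7187380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff8801d7187400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d7187480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    result = classify_access(SAMPLE_REPORT)
    for g in result["granules"]:
        print(f"{result['kind']} of size {result['size']} at {result['addr']:#x}: "
              f"granule {g['granule']:#x} shadow {g['shadow']:#04x} -> {g['meaning']}")
```

The decoder walks every granule the access touches rather than only the first, so a 4-byte read at an odd offset that straddles a partially addressable granule (shadow 0x01..0x07) is reported the same way KASAN itself would flag it.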