block: NULL ptr deref in bio_copy_user_iov

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,

I've hit the following NULL ptr deref while fuzzing with trinity inside a kvmtool guest
running the latest -next kernel:

[ 1274.081122] BUG: unable to handle kernel NULL pointer dereference at           (null)

[ 1274.081140] IP: __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.081154] PGD 1ac685067 PUD 1ad6a2067 PMD 0

[ 1274.081165] Oops: 0000 [#6] SMP KASAN

[ 1274.081209] Modules linked in:

[ 1274.081228] CPU: 1 PID: 27544 Comm: trinity-c334 Tainted: G    B D         4.5.0-rc4-next-20160219-sasha-00026-g7978205-dirty #2978

[ 1274.081239] task: ffff8801d1071000 ti: ffff8801b4a40000 task.ti: ffff8801b4a40000

[ 1274.081265] RIP: __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.081273] RSP: 0018:ffff8801b4a46dc8  EFLAGS: 00010206

[ 1274.081283] RAX: ffff8801ad4e0000 RBX: 000000000000072b RCX: 00000000000000e5

[ 1274.081292] RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff8801ad4e0000

[ 1274.081302] RBP: ffff8801b4a46de8 R08: ffffed0035a9c0e5 R09: ffff8801ad4e072a

[ 1274.081311] R10: ffffed0035a9c0e6 R11: 1ffff10035a9c000 R12: ffff8801ad4e0000

[ 1274.081319] R13: 0000000000000000 R14: ffff8801b4a47280 R15: 000000000000072b

[ 1274.081330] FS:  00007f20f3ab3700(0000) GS:ffff8801d3b00000(0000) knlGS:0000000000000000

[ 1274.081339] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033

[ 1274.081346] CR2: 0000000000000000 CR3: 00000001b6b19000 CR4: 00000000000406e0

[ 1274.081360] Stack:

[ 1274.081377]  ffffffffa183a2c6 ffff8801b4a46fd8 000000000000072b 000000000000072b

[ 1274.081392]  ffff8801b4a46e50 ffffffffa3425379 ffff8801d1071000 0000000000000000

[ 1274.081408]  ffff8801b4a47288 ffff8801b4a46fe0 ffff8801b4a46fe8 ffff8801ad4e0000

[ 1274.081411] Call Trace:

[ 1274.081442] copy_from_iter (lib/iov_iter.c:416 (discriminator 15))
[ 1274.081460] copy_page_from_iter (lib/iov_iter.c:467)
[ 1274.081523] bio_copy_user_iov (block/bio.c:1028 block/bio.c:1224)
[ 1274.081573] blk_rq_map_user_iov (block/blk-map.c:111)
[ 1274.081673] blk_rq_map_user (block/blk-map.c:154)
[ 1274.081750] sg_common_write.isra.11 (drivers/scsi/sg.c:1766 drivers/scsi/sg.c:782)
[ 1274.081828] sg_write (drivers/scsi/sg.c:686)
[ 1274.081978] __vfs_write (fs/read_write.c:529)
[ 1274.082037] __kernel_write (fs/read_write.c:551)
[ 1274.082052] write_pipe_buf (fs/splice.c:1062)
[ 1274.082095] __splice_from_pipe (fs/splice.c:771 fs/splice.c:895)
[ 1274.082124] splice_from_pipe (fs/splice.c:931)
[ 1274.082186] default_file_splice_write (fs/splice.c:1081)
[ 1274.082214] direct_splice_actor (fs/splice.c:1290)
[ 1274.082227] splice_direct_to_actor (fs/splice.c:1241)
[ 1274.082312] do_splice_direct (fs/splice.c:1332)
[ 1274.082354] do_sendfile (include/linux/fs.h:1234 include/linux/fs.h:2515 fs/read_write.c:1268)
[ 1274.082414] SyS_sendfile64 (fs/read_write.c:1328 fs/read_write.c:1314)
[ 1274.082462] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:200)
[ 1274.082615] Code: 42 fe eb 85 31 f6 48 c7 c7 e0 a1 7b b2 e8 81 0a 0e 00 e9 bc fe ff ff 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3

All code
========
   0:	42 fe                	rex.X (bad)
   2:	eb 85                	jmp    0xffffffffffffff89
   4:	31 f6                	xor    %esi,%esi
   6:	48 c7 c7 e0 a1 7b b2 	mov    $0xffffffffb27ba1e0,%rdi
   d:	e8 81 0a 0e 00       	callq  0xe0a93
  12:	e9 bc fe ff ff       	jmpq   0xfffffffffffffed3
  17:	90                   	nop
  18:	90                   	nop
  19:	66 66 90             	data32 xchg %ax,%ax
  1c:	66 90                	xchg   %ax,%ax
  1e:	48 89 f8             	mov    %rdi,%rax
  21:	48 89 d1             	mov    %rdx,%rcx
  24:	48 c1 e9 03          	shr    $0x3,%rcx
  28:	83 e2 07             	and    $0x7,%edx
  2b:	f3 48 a5             	rep movsq %ds:(%rsi),%es:*(%rdi)		<-- trapping instruction
  2e:	89 d1                	mov    %edx,%ecx
  30:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
  32:	c3                   	retq
  33:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  39:	48 89 f8             	mov    %rdi,%rax
  3c:	48 89 d1             	mov    %rdx,%rcx
  3f:	f3                   	repz
	...

Code starting with the faulting instruction
===========================================
   0:	f3 48 a5             	rep movsq %ds:(%rsi),%es:(%rdi)
   3:	89 d1                	mov    %edx,%ecx
   5:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
   7:	c3                   	retq
   8:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
   e:	48 89 f8             	mov    %rdi,%rax
  11:	48 89 d1             	mov    %rdx,%rcx
  14:	f3                   	repz
	...
[ 1274.082631] RIP __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.082636]  RSP <ffff8801b4a46dc8>

[ 1274.082641] CR2: 0000000000000000


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-block" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux