Hi all,

I've hit the following while fuzzing with syzkaller inside a KVM tools guest running the latest -next kernel:

[ 1886.693996] BUG: KASAN: use-after-free in memcpy+0x28/0x40 at addr ffff8800b53f902a
[ 1886.694003] Write of size 1320 by task syz-executor/30711
[ 1886.694020] page:ffffea0002d4fe40 count:0 mapcount:-127 mapping: (null) index:0x0
[ 1886.694025] flags: 0x1fffff80000000()
[ 1886.694030] page dumped because: kasan: bad access detected
[ 1886.694050] CPU: 0 PID: 30711 Comm: syz-executor Not tainted 4.6.0-rc3-next-20160412-sasha-00023-g0b02d6d-dirty #2998
[ 1886.694072]  0000000000000000 000000009c413b9b ffff8800ae5f71f0 ffffffff9efc9d01
[ 1886.694086]  ffffffff00000000 fffffbfff53ad2a0 0000000041b58ab3 ffffffffa965eee0
[ 1886.694101]  ffffffff9efc9b88 ffff8800ae5f71d0 ffffffff9d6d0a8f ffffffff9d5229b3
[ 1886.694105] Call Trace:
[ 1886.694139]  dump_stack (lib/dump_stack.c:53)
[ 1886.694221]  kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 1886.694256]  kasan_report (mm/kasan/report.c:299)
[ 1886.694331]  __asan_storeN (mm/kasan/kasan.c:738)
[ 1886.694339]  memcpy (mm/kasan/kasan.c:321)
[ 1886.694351]  copy_to_iter (lib/iov_iter.c:395 (discriminator 15))
[ 1886.694361]  copy_page_to_iter (lib/iov_iter.c:454)
[ 1886.694377]  bio_uncopy_user (block/bio.c:1065 block/bio.c:1105)
[ 1886.694442]  __blk_rq_unmap_user (block/blk-map.c:54)
[ 1886.694454]  blk_rq_unmap_user (block/blk-map.c:209)
[ 1886.694463]  sg_finish_rem_req (drivers/scsi/sg.c:1793)
[ 1886.694471]  sg_read (drivers/scsi/sg.c:538)
[ 1886.694527]  do_loop_readv_writev (fs/read_write.c:734)
[ 1886.694557]  do_readv_writev (fs/read_write.c:863)
[ 1886.694621]  vfs_readv (fs/read_write.c:887)
[ 1886.694634]  default_file_splice_read (fs/splice.c:584 fs/splice.c:659)
[ 1886.694745]  do_splice_to (fs/splice.c:1151)
[ 1886.694755]  SyS_splice (fs/splice.c:1427 fs/splice.c:1704 fs/splice.c:1687)
[ 1886.694827]  do_syscall_64 (arch/x86/entry/common.c:350)
[ 1886.694838]  entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1886.694841] Memory state around the buggy address:
[ 1886.694855]  ffff8800b53f8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1886.694862]  ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1886.694869] >ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694872]                                   ^
[ 1886.694878]  ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694885]  ffff8800b53f9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
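Added triage helper, not part of the report above: it parses the "Memory state around the buggy address" rows and walks the reported 1320-byte write granule by granule, the way KASAN's shadow check does, to name the first unaddressable byte. Shadow-byte meanings are the ones defined in the kernel's mm/kasan/kasan.h; the sample rows are copied from the report.

```python
import re

# Shadow-byte encoding from mm/kasan/kasan.h (one shadow byte per 8-byte granule):
# 00 = all 8 bytes addressable, 01..07 = only the first N addressable, >= 0xF8 = poison.
SHADOW_SCALE = 8
POISON = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
}

# Rows copied from the "Memory state around the buggy address" section of the report.
REPORT = """\
 ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

def parse_shadow(text):
    """Map the start address of each 8-byte granule to its shadow byte."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # skips the "^" marker line and any dmesg noise
            continue
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return shadow

def first_bad_byte(shadow, addr, size):
    """Walk [addr, addr+size) granule by granule; return (address, reason) of the
    first unaddressable byte, or None if the whole range is addressable."""
    end = addr + size
    g = addr - addr % SHADOW_SCALE
    while g < end:
        s = shadow.get(g)
        if s is None:
            return (max(addr, g), "granule not in dump")
        if 0 < s < SHADOW_SCALE:                 # partially addressable granule
            bad = max(addr, g + s)
            if bad < min(end, g + SHADOW_SCALE):
                return (bad, "partial granule, only %d byte(s) addressable" % s)
        elif s != 0:
            return (max(addr, g), POISON.get(s, "poison 0x%02x" % s))
        g += SHADOW_SCALE
    return None

if __name__ == "__main__":   # the report's access: 1320-byte write at ffff8800b53f902a
    print(first_bad_byte(parse_shadow(REPORT), 0xffff8800b53f902a, 1320))
```

For this report the very first byte of the write lands in a granule whose shadow is 0xff, i.e. a page that has already been freed, which matches the `count:0` page dump and the `bio_uncopy_user` frame in the trace.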