Prior to this, there have been two syzkaller reports involving the sg
driver. The first was a real bug fixed by:
"sg: fix dxferp in from_to case"
[ Upstream commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 ]
The second one I have been unable to replicate:
https://groups.google.com/forum/#!topic/syzkaller/oQ3Hg-JUVKA
It seems to blast some arbitrary structure (which has nothing to
do with the sg driver) and purposely misaligns it before
writing it to a /dev/sg device. There is no dump, just a statement
that the "whole machine becomes unusable for several minutes".
So this time we have a dump, but not what was written to the sg
driver that caused it. So could you send me the user space
program that caused this?
Doug Gilbert
On 16-04-17 02:37 PM, Christoph Hellwig wrote:
Adding Doug as this involves the SG driver, which has a slightly
unusual usage of the blk-map.c code.
Does anyone know if the __asan_storeN in the trace implies the memory
stored to was invalid and not the memory read from?
On Sun, Apr 17, 2016 at 06:57:34AM -0400, Sasha Levin wrote:
Hi all,
I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:
[ 1886.693996] BUG: KASAN: use-after-free in memcpy+0x28/0x40 at addr ffff8800b53f902a
[ 1886.694003] Write of size 1320 by task syz-executor/30711
[ 1886.694020] page:ffffea0002d4fe40 count:0 mapcount:-127 mapping: (null) index:0x0
[ 1886.694025] flags: 0x1fffff80000000()
[ 1886.694030] page dumped because: kasan: bad access detected
[ 1886.694050] CPU: 0 PID: 30711 Comm: syz-executor Not tainted 4.6.0-rc3-next-20160412-sasha-00023-g0b02d6d-dirty #2998
[ 1886.694072] 0000000000000000 000000009c413b9b ffff8800ae5f71f0 ffffffff9efc9d01
[ 1886.694086] ffffffff00000000 fffffbfff53ad2a0 0000000041b58ab3 ffffffffa965eee0
[ 1886.694101] ffffffff9efc9b88 ffff8800ae5f71d0 ffffffff9d6d0a8f ffffffff9d5229b3
[ 1886.694105] Call Trace:
[ 1886.694139] dump_stack (lib/dump_stack.c:53)
[ 1886.694221] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 1886.694256] kasan_report (mm/kasan/report.c:299)
[ 1886.694331] __asan_storeN (mm/kasan/kasan.c:738)
[ 1886.694339] memcpy (mm/kasan/kasan.c:321)
[ 1886.694351] copy_to_iter (lib/iov_iter.c:395 (discriminator 15))
[ 1886.694361] copy_page_to_iter (lib/iov_iter.c:454)
[ 1886.694377] bio_uncopy_user (block/bio.c:1065 block/bio.c:1105)
[ 1886.694442] __blk_rq_unmap_user (block/blk-map.c:54)
[ 1886.694454] blk_rq_unmap_user (block/blk-map.c:209)
[ 1886.694463] sg_finish_rem_req (drivers/scsi/sg.c:1793)
[ 1886.694471] sg_read (drivers/scsi/sg.c:538)
[ 1886.694527] do_loop_readv_writev (fs/read_write.c:734)
[ 1886.694557] do_readv_writev (fs/read_write.c:863)
[ 1886.694621] vfs_readv (fs/read_write.c:887)
[ 1886.694634] default_file_splice_read (fs/splice.c:584 fs/splice.c:659)
[ 1886.694745] do_splice_to (fs/splice.c:1151)
[ 1886.694755] SyS_splice (fs/splice.c:1427 fs/splice.c:1704 fs/splice.c:1687)
[ 1886.694827] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1886.694838] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1886.694841] Memory state around the buggy address:
[ 1886.694855] ffff8800b53f8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1886.694862] ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1886.694869] >ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694872] ^
[ 1886.694878] ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694885] ffff8800b53f9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
--
To unsubscribe from this list: send the line "unsubscribe linux-block" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
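Added example (my own triage helper, not code from this thread, from Sasha's fuzzer or from the kernel): a parser for the KASAN report quoted above that pulls out the access, decodes the shadow bytes around it and finds the first frame that is not sanitizer machinery. Two things it relies on come from the 4.x sources: KASAN's memcpy wrapper checks the source as a read and the destination as a write, so "Write of size 1320" refers to the destination of the memcpy in copy_to_iter; and dump_page() prints _mapcount + 1 while PageBuddy is encoded as _mapcount == -128, so "count:0 mapcount:-127" describes a page already back on the buddy free lists. The poison tags and the 8-bytes-per-shadow-byte layout are from mm/kasan/kasan.h of that era. REPORT is an excerpt of the report above; the function names (triage, classify_access and so on) are my own.

```python
import re

# Generic KASAN on x86-64 (mm/kasan/kasan.h, 4.x): one shadow byte per 8-byte
# granule; a "Memory state" row lists 16 shadow bytes, so the address at the
# left of a row is the first of the 128 bytes of memory that row describes.
SHADOW_SCALE = 8
ROW_BYTES = 16 * SHADOW_SCALE
# Poison tags from the same header: 0x00 = addressable granule, 0x01..0x07 =
# only the first N bytes addressable, 0xf0 and above = poisoned.
POISON = {
    0xff: "KASAN_FREE_PAGE: page freed back to the page allocator",
    0xfe: "KASAN_PAGE_REDZONE: redzone of a kmalloc_large allocation",
    0xfc: "KASAN_KMALLOC_REDZONE: redzone inside a slab object",
    0xfb: "KASAN_KMALLOC_FREE: slab object freed by kfree/kmem_cache_free",
}
# Sanitizer frames plus the instrumented string helpers; the first frame after
# them is the code that actually issued the bad access.
INSTRUMENTATION = ("dump_stack", "kasan_", "__asan_", "memcpy", "memmove", "memset")

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")  # printk timestamp prefix
HDR_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in \S+ at addr (?P<addr>[0-9a-f]+)")
ACC_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) by task")
PAGE_RE = re.compile(r"^page:\S+ count:(?P<count>-?\d+) mapcount:(?P<mapcount>-?\d+)")
ROW_RE = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+) \((?P<loc>.*)\)$")

def parse_kasan_report(text):
    rep = {"frames": [], "shadow": {}}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if m := HDR_RE.search(line):
            rep.update(kind=m["kind"], addr=int(m["addr"], 16))
        elif m := ACC_RE.search(line):
            rep.update(write=m["rw"] == "Write", size=int(m["size"]))
        elif m := PAGE_RE.match(line):
            rep.update(page_count=int(m["count"]), page_mapcount=int(m["mapcount"]))
        elif m := ROW_RE.match(line):
            rep["shadow"][int(m["base"], 16)] = bytes.fromhex(m["bytes"])
        elif m := FRAME_RE.match(line):
            rep["frames"].append((m["sym"], m["loc"]))
    return rep

def shadow_byte(rep, addr):
    """Shadow tag of the granule holding addr, or None if the dump lacks that row."""
    base = addr & ~(ROW_BYTES - 1)
    row = rep["shadow"].get(base)
    return None if row is None else row[(addr - base) // SHADOW_SCALE]

def classify_access(rep):
    """Walk every granule the access touches.  The report prints only a few rows
    around the faulting address, so a large memcpy can run past the dump; the
    result says how many bytes were actually checked instead of assuming."""
    start, end = rep["addr"], rep["addr"] + rep["size"]
    tags, cursor = set(), start
    while cursor < end and (tag := shadow_byte(rep, cursor)) is not None:
        tags.add(tag)
        cursor = (cursor | (SHADOW_SCALE - 1)) + 1  # first byte of the next granule
    return {"covered": min(cursor, end) - start, "total": rep["size"], "tags": tags,
            "all_poisoned": bool(tags) and all(t >= 0xf0 for t in tags)}

def culprit_frame(rep):
    """First call-trace frame that is not sanitizer machinery."""
    return next(((s, l) for s, l in rep["frames"] if not s.startswith(INSTRUMENTATION)), None)

def page_state(rep):
    """4.x kernels encode PageBuddy as _mapcount == -128 and dump_page() prints
    _mapcount + 1, so count:0 mapcount:-127 is a page on the buddy free lists."""
    if rep.get("page_count") == 0 and rep.get("page_mapcount") == -127:
        return "free page on the buddy lists"
    return "unknown"

def triage(text):
    rep = parse_kasan_report(text)
    tag = shadow_byte(rep, rep["addr"])
    return {"kind": rep["kind"], "access": "write" if rep["write"] else "read",
            "size": rep["size"], "addr": rep["addr"], "tag": tag,
            "meaning": POISON.get(tag, "addressable or partially addressable"),
            "page": page_state(rep), "culprit": culprit_frame(rep),
            **classify_access(rep)}

# Excerpt of the report quoted in the thread above (not constructed).
REPORT = """\
[ 1886.693996] BUG: KASAN: use-after-free in memcpy+0x28/0x40 at addr ffff8800b53f902a
[ 1886.694003] Write of size 1320 by task syz-executor/30711
[ 1886.694020] page:ffffea0002d4fe40 count:0 mapcount:-127 mapping: (null) index:0x0
[ 1886.694139] dump_stack (lib/dump_stack.c:53)
[ 1886.694256] kasan_report (mm/kasan/report.c:299)
[ 1886.694331] __asan_storeN (mm/kasan/kasan.c:738)
[ 1886.694339] memcpy (mm/kasan/kasan.c:321)
[ 1886.694351] copy_to_iter (lib/iov_iter.c:395 (discriminator 15))
[ 1886.694471] sg_read (drivers/scsi/sg.c:538)
[ 1886.694862] ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1886.694869] >ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694878] ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1886.694885] ffff8800b53f9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    print(triage(REPORT))
```

Running triage(REPORT) reports a 1320-byte write starting at ffff8800b53f902a whose shadow tag is 0xff (KASAN_FREE_PAGE), a page that is already free in the buddy allocator, and copy_to_iter at lib/iov_iter.c:395 as the first non-sanitizer frame. Note that the dump only covers 342 of the 1320 bytes written (rows up to ffff8800b53f917f); classify_access() reports that coverage rather than assuming the rest of the span is also freed.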