On Fri, Jan 17, 2025 at 9:26 AM Niklas Cassel <cassel@xxxxxxxxxx> wrote:
>
> Hello reveliofuzzing,
>
> On Thu, Jan 02, 2025 at 11:23:49AM -0500, reveliofuzzing wrote:
> > On Thu, Jan 2, 2025 at 5:40 AM Niklas Cassel <cassel@xxxxxxxxxx> wrote:
> > > On Wed, Jan 01, 2025 at 09:17:02PM -0500, reveliofuzzing wrote:
> > > > Hi there,
> > > >
> > > > We found an out-of-bounds write in the function ata_pio_sector, which can cause
> > > > the kernel to crash. We would like to report it for your reference.
> > > >
> > > > ## Problem in ata_pio_sector
> > > > ata_pio_sector uses the following code to decide which page to use for the I/O:
> > > >
> > > >     page = sg_page(qc->cursg);
> > > >     offset = qc->cursg->offset + qc->cursg_ofs;
> > > >
> > > >     /* get the current page and offset */
> > > >     page = nth_page(page, (offset >> PAGE_SHIFT));
> > > >     offset %= PAGE_SIZE;
> > > >
> > > > but we found that `offset` could be as high as 0x5000---qc->cursg_ofs==0x5000,
> > > > qc->cursg->offset == 0x0, making `page` point to a higher-position page that
> > > > belongs to other threads.
> > > >
> > > > ## Example crash
> > > > This out-of-bounds write can cause the kernel to crash at arbitrary places,
> > > > depending on when the corrupted page is accessed by the other thread.
> > > >
> > > > We found this problem can happen in Linux kernel 6.1~6.12. Here is one crash in
> > > > Linux kernel 6.1:
> > >
> > > Thank you for reporting!
> > >
> > > I assume that you haven't tested kernels earlier than 6.1?
> >
> > Unfortunately, we haven't tested older kernels.
> >
> > > (Looking at the driver, there was no major change between 6.0 and 6.1,
> > > so this bug has probably been there for a long time.)
> > >
> > > Could you please share your reproducer and your kernel config as well?
> >
> > Below we report our setup for linux kernel 6.12:
> >
> > - General steps to reproduce the bug
> >   1. Launch the VM
> >   2. Copy the reproducer (compiled binary) into the VM
> >   3. Run it with the root user
> >   4. Wait for the bug to happen (generally takes less than 3 minutes)
>
> I managed to reproduce the bug using your bzImage and syz-executor binary.
>
> However, the .config you provided does not match the bzImage.
> E.g. the e1000/e1000e driver is not built-in in your .config,
> so I get no networking, while it is enabled in your bzImage.
> This makes me worried that you have other changes in your .config.
> If you still have the exact config for this bzImage, could you please add
> it as an attachment?

Hi, we double-checked it but found the config shared above is the one we used.
CONFIG_E1000XXX is enabled in this config.

>
> I've been using the syz-executor binary that you attached, since the C code
> pasted below does not compile, it seems like it has some unintended newlines.
> Perhaps you could add it as an attachment instead?

Here is the C program:
https://drive.google.com/file/d/1Uvhqrn-ntEYQT2PBiQjp0xaor-32WYHO/view?usp=sharing

Please let us know if you still can't compile it. We can take a look at how
Syzkaller generates this C program and compiles it into the syz-executor binary.

>
> Also, you only talk about 6.12 kernel. Out of curiosity, have you managed to
> reproduce this bug on v6.13-rc kernels? Have you tried?

We haven't tried it yet, but we can do that in the next few days. Will keep you posted.

>
>
> Kind regards,
> Niklas
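A user-space model of the page/offset arithmetic quoted in the report, added here as an illustration; it is not code from the thread or from the kernel. The scatterlist entry, the `pio_cmd` fields, `sect_size`, and the page numbers are assumptions constructed to mirror the reported values (cursg->offset == 0, cursg_ofs == 0x5000), and `pio_sector_in_bounds()` is the defender's check that the sector still lies inside the current entry, which the quoted arithmetic alone does not guarantee.

```c
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1UL << PAGE_SHIFT)

/* Constructed stand-in for a scatterlist entry: `length` bytes starting
 * `offset` bytes into the run of contiguous pages that begins at first_page. */
struct sg_entry {
    unsigned long first_page; /* stands in for sg_page(sg) */
    unsigned int offset;      /* sg->offset */
    unsigned int length;      /* sg->length */
};

/* The queued-command fields the quoted snippet reads (field names from the report). */
struct pio_cmd {
    const struct sg_entry *cursg;
    unsigned int cursg_ofs;
    unsigned int sect_size;   /* bytes moved per ata_pio_sector() call (assumed) */
};

/* Same arithmetic as the quoted snippet. Returns the page number the transfer
 * would touch (nth_page(page, offset >> PAGE_SHIFT)); *in_page gets offset % PAGE_SIZE. */
static unsigned long pio_target_page(const struct pio_cmd *qc, unsigned long *in_page)
{
    unsigned long offset = qc->cursg->offset + qc->cursg_ofs;
    *in_page = offset % PAGE_SIZE;
    return qc->cursg->first_page + (offset >> PAGE_SHIFT);
}

/* Defender's check: the whole sector must still lie inside the current entry.
 * If this is false, the page computed above is memory the entry does not own. */
static bool pio_sector_in_bounds(const struct pio_cmd *qc)
{
    return (unsigned long)qc->cursg_ofs + qc->sect_size <= qc->cursg->length;
}

/* Constructed state mirroring the report: cursg->offset == 0 and
 * cursg_ofs == 0x5000, while the entry itself covers only one page. */
static const struct sg_entry report_sg = { .first_page = 1000, .offset = 0, .length = 0x1000 };
static const struct pio_cmd report_qc = { .cursg = &report_sg, .cursg_ofs = 0x5000, .sect_size = 512 };

int main(void)
{
    unsigned long in_page, page = pio_target_page(&report_qc, &in_page);

    printf("entry starts at page %lu; transfer would hit page %lu (+0x%lx); in bounds: %s\n",
           report_sg.first_page, page, in_page, pio_sector_in_bounds(&report_qc) ? "yes" : "no");
    return 0;
}
```

With the reported values the computed page is five pages past the entry's only page, which is exactly what the bounds check rejects.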