On Fri, Sep 7, 2018 at 9:57 PM, Kees Cook <keescook@xxxxxxxxxx> wrote:
> On Fri, Sep 7, 2018 at 9:17 AM, Tetsuo Handa
> <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>> On 2018/09/08 0:29, syzbot wrote:
>>> syzbot has found a reproducer for the following crash on:
>>>
>>> HEAD commit:    28619527b8a7 Merge git://git.kernel.org/pub/scm/linux/kern..
>>> git tree:       bpf
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=124e64d1400000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=62e9b447c16085cf
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a3c9d2673837ccc0f22b
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179f9cd1400000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b3e8be400000
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+a3c9d2673837ccc0f22b@xxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>> RIP: 0033:0x440479
>>> usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 64)!
>>
>> Kees, is this because check_page_span() is failing to allow an on-stack variable
>>
>>   u8 opcodes[OPCODE_BUFSIZE];
>>
>> which by chance crossed a PAGE_SIZE boundary?
>
> There are a lot of failure conditions for the PAGESPAN check. This
> might be one (and one that I'm hoping to solve separately).

Disabled CONFIG_HARDENED_USERCOPY_PAGESPAN on syzbot:
https://github.com/google/syzkaller/commit/be20da425029ecd45b18e99fa5f09691ba0658ea

#syz invalid
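A userspace model of the "spans multiple pages" condition Tetsuo asks about, added here as an example (not code from the thread or from the kernel): it reproduces only the final same-page comparison the PAGESPAN check makes, treating the kernel's earlier region exemptions as already not matching, and shows why a 64-byte object can trip it "by chance". A 4 KiB page and the addresses used are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                      /* assumed 4 KiB base page */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define OPCODE_BUFSIZE 64                  /* size quoted in the report: (offset 0, size 64) */

/* Model of the page-span test: once no exemption applied, the object is
 * accepted only if its first and last byte lie on the same base page. */
static bool spans_multiple_pages(uintptr_t ptr, size_t n)
{
    if (n == 0)                            /* zero-length copies are not checked */
        return false;
    uintptr_t end = ptr + n - 1;           /* address of the object's last byte */
    return (ptr & PAGE_MASK) != (end & PAGE_MASK);
}

/* Count how many of the PAGE_SIZE possible in-page start offsets make an
 * n-byte object cross into the next page (the last n-1 offsets do). This
 * is the chance a stack buffer at an arbitrary offset gets reported. */
static unsigned long crossing_offsets(size_t n)
{
    unsigned long count = 0;
    for (uintptr_t off = 0; off < PAGE_SIZE; off++)
        if (spans_multiple_pages(off, n))  /* base 0 stands for a page-aligned page */
            count++;
    return count;
}

int main(void)
{
    /* Constructed page address: a 64-byte buffer whose last byte is the
     * last byte of the page passes; shift it one byte later and it spans. */
    uintptr_t page = 0xc9000000UL;
    printf("ends at page end:  %s\n",
           spans_multiple_pages(page + PAGE_SIZE - 64, 64) ? "spans" : "ok");
    printf("one byte later:    %s\n",
           spans_multiple_pages(page + PAGE_SIZE - 63, 64) ? "spans" : "ok");
    printf("%lu of %lu start offsets cross for a %d-byte object\n",
           crossing_offsets(OPCODE_BUFSIZE), PAGE_SIZE, OPCODE_BUFSIZE);
    return 0;
}
```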