[drivers/scsi/sg.c] general protection fault in sg_read


 



Hi,

I got the following report while fuzzing the kernel (4.9.58) with syzkaller.


kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 2905 Comm: syzkaller217469 Not tainted 4.9.58 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff88007a158000 task.stack: ffff880076840000
RIP: 0010:[<ffffffff822586b5>]  [<ffffffff822586b5>] sg_read_oxfer
drivers/scsi/sg.c:1976 [inline]
RIP: 0010:[<ffffffff822586b5>]  [<ffffffff822586b5>]
sg_read+0xba5/0x1290 drivers/scsi/sg.c:520
RSP: 0018:ffff880076847af8  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8800768d0088 RCX: 000000000000000c
RDX: 0000000000000000 RSI: 00000000208cc024 RDI: ffff8800768d00b8
RBP: ffff880076847be8 R08: ffffed000ee1d19c R09: ffffed000ee1d19c
R10: 0000000000000003 R11: ffffed000ee1d19d R12: ffff8800770e8cc0
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000000000
FS:  0000000001a2b880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208ccfe0 CR3: 0000000077bd1000 CR4: 00000000000006f0
Stack:
 00000000024280ca ffff8800768d00a0 0000000000001000 0002000000000000
 ffff88007971fa00 0000000000000fdc 1ffff1000ed08f68 ffff8800768d00b0
 00000000208cc024 0000000041b58ab3 ffffffff83457701 ffffffff82257b10
Call Trace:
 [<ffffffff81572b82>] do_loop_readv_writev+0x152/0x200 fs/read_write.c:714
 [<ffffffff815772fd>] do_readv_writev+0x60d/0x710 fs/read_write.c:874
 [<ffffffff8157748b>] vfs_readv+0x8b/0xc0 fs/read_write.c:898
 [<ffffffff8157759b>] do_readv+0xdb/0x230 fs/read_write.c:924
 [<ffffffff8157a877>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff8157a877>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff82f9ba37>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 87 05 00
00 4c 8b 6b 28 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80>
3c 02 00 0f 85 37 06 00 00 4d 8b 6d 00 4d 85 ed 0f 84 a3 02
RIP  [<ffffffff822586b5>] sg_read_oxfer drivers/scsi/sg.c:1976 [inline]
RIP  [<ffffffff822586b5>] sg_read+0xba5/0x1290 drivers/scsi/sg.c:520
 RSP <ffff880076847af8>
---[ end trace bb5ce28de3fd7704 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..





-- 
Regards,
idaifish
Syzkaller hit the 'general protection fault in sg_read' bug on commit 4.9.58.

Guilty file: drivers/scsi/sg.c

Maintainers: []

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 2905 Comm: syzkaller217469 Not tainted 4.9.58 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff88007a158000 task.stack: ffff880076840000
RIP: 0010:[<ffffffff822586b5>]  [<ffffffff822586b5>] sg_read_oxfer drivers/scsi/sg.c:1976 [inline]
RIP: 0010:[<ffffffff822586b5>]  [<ffffffff822586b5>] sg_read+0xba5/0x1290 drivers/scsi/sg.c:520
RSP: 0018:ffff880076847af8  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8800768d0088 RCX: 000000000000000c
RDX: 0000000000000000 RSI: 00000000208cc024 RDI: ffff8800768d00b8
RBP: ffff880076847be8 R08: ffffed000ee1d19c R09: ffffed000ee1d19c
R10: 0000000000000003 R11: ffffed000ee1d19d R12: ffff8800770e8cc0
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000000000
FS:  0000000001a2b880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208ccfe0 CR3: 0000000077bd1000 CR4: 00000000000006f0
Stack:
 00000000024280ca ffff8800768d00a0 0000000000001000 0002000000000000
 ffff88007971fa00 0000000000000fdc 1ffff1000ed08f68 ffff8800768d00b0
 00000000208cc024 0000000041b58ab3 ffffffff83457701 ffffffff82257b10
Call Trace:
 [<ffffffff81572b82>] do_loop_readv_writev+0x152/0x200 fs/read_write.c:714
 [<ffffffff815772fd>] do_readv_writev+0x60d/0x710 fs/read_write.c:874
 [<ffffffff8157748b>] vfs_readv+0x8b/0xc0 fs/read_write.c:898
 [<ffffffff8157759b>] do_readv+0xdb/0x230 fs/read_write.c:924
 [<ffffffff8157a877>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff8157a877>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff82f9ba37>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 87 05 00 00 4c 8b 6b 28 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 37 06 00 00 4d 8b 6d 00 4d 85 ed 0f 84 a3 02 
RIP  [<ffffffff822586b5>] sg_read_oxfer drivers/scsi/sg.c:1976 [inline]
RIP  [<ffffffff822586b5>] sg_read+0xba5/0x1290 drivers/scsi/sg.c:520
 RSP <ffff880076847af8>
---[ end trace bb5ce28de3fd7704 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..


Syzkaller reproducer:
# {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:false}
mmap(&(0x7f0000000000/0x8cf000)=nil, 0x8cf000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$sg(&(0x7f0000004000)="2f6465762f73672300", 0x1, 0x802)
write(r0, &(0x7f00001e1000-0x1000)="36ebac25e0e259f9330cdd430527f1e989e8dedf07ac5449f28e57f4bc13ae3a350c6bdbc3ba2902a965ff3bc889d147c7539a4fe6ac54086e406683d02e0cd601081ed3a02bd424a6cae44d79afe8886412f6ecc3dda01b", 0x58)
readv(r0, &(0x7f00008cd000-0x20)=[{&(0x7f00008cd000-0x1000)="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x1000}, {&(0x7f00008cc000)="", 0x0}], 0x2)


C reproducer:
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE 

#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>

#include <stdint.h>
#include <string.h>

static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	/*
	 * Userspace stand-in for syzkaller's syz_open_dev pseudo-syscall.
	 *
	 * a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
	 *   read-write; a1 and a2 are truncated to one byte each.
	 * otherwise: a0 is the address of a NUL-terminated path template in
	 *   which every '#' is replaced by the next decimal digit of a1 (least
	 *   significant digit first); the result is opened with flags a2.
	 *
	 * Returns the descriptor from open(2), or (uintptr_t)-1 on failure.
	 */
	char path[1024];

	if (a0 == 0xc || a0 == 0xb) {
		const char *kind = (a0 == 0xc) ? "char" : "block";

		/* Format is bounded: at most "/dev/block/255:255". */
		sprintf(path, "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
		return open(path, O_RDWR, 0);
	}

	/*
	 * strncpy reads at most sizeof(path) bytes but does not terminate an
	 * oversized source, so the terminator is forced explicitly.
	 */
	strncpy(path, (const char *)a0, sizeof(path));
	path[sizeof(path) - 1] = '\0';

	for (char *hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}

	/* a2 is narrowed to int here, exactly as the generated code does. */
	return open(path, a2, 0);
}

/*
 * r[] receives the return value of each step; memset(-1) below marks the
 * slots the generated program never assigns. Only r[2], the sg file
 * descriptor, is read back by later steps.
 */
long r[10];
/*
 * Reproducer body, one syscall per step as emitted by syzkaller:
 *   1. map a fixed anonymous region at 0x20000000 that holds every
 *      buffer the later calls use;
 *   2. open "/dev/sg#" with the '#' replaced by 1 (-> /dev/sg1), using
 *      flags 0x802 (O_RDWR | O_NONBLOCK on x86-64 Linux);
 *   3. write 0x58 (88) bytes of fuzzer-generated data to the device;
 *   4. readv() the device with two iovecs: one of 0x1000 bytes and a
 *      second, zero-length one pointing at the same buffer.
 * The kernel log in the report places the fault in sg_read_oxfer,
 * inlined into sg_read, reached from do_loop_readv_writev during step 4.
 * Exposure is bounded by who can open the sg node read-write; check the
 * permissions and group of /dev/sg* on the system under test.
 */
void loop()
{
	memset(r, -1, sizeof(r));
	/* 0x3 = PROT_READ|PROT_WRITE; 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (x86-64); fd -1 for anonymous memory. */
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0x8cf000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	/* Bytes spell "/dev/sg#"; the '#' is substituted by syz_open_dev(). */
memcpy((void*)0x20004000, "\x2f\x64\x65\x76\x2f\x73\x67\x23\x00", 9);
	r[2] = syz_open_dev(0x20004000ul, 0x1ul, 0x802ul);
	/* 88-byte opaque payload. NOTE(review): 88 matches sizeof(struct sg_io_hdr) on 64-bit -- confirm against the driver's write path. */
memcpy((void*)0x201e0000, "\x36\xeb\xac\x25\xe0\xe2\x59\xf9\x33\x0c\xdd\x43\x05\x27\xf1\xe9\x89\xe8\xde\xdf\x07\xac\x54\x49\xf2\x8e\x57\xf4\xbc\x13\xae\x3a\x35\x0c\x6b\xdb\xc3\xba\x29\x02\xa9\x65\xff\x3b\xc8\x89\xd1\x47\xc7\x53\x9a\x4f\xe6\xac\x54\x08\x6e\x40\x66\x83\xd0\x2e\x0c\xd6\x01\x08\x1e\xd3\xa0\x2b\xd4\x24\xa6\xca\xe4\x4d\x79\xaf\xe8\x88\x64\x12\xf6\xec\xc3\xdd\xa0\x1b", 88);
	r[4] = syscall(__NR_write, r[2], 0x201e0000ul, 0x58ul);
	/* struct iovec[2] laid out by hand at 0x208ccfe0: {base, len} pairs of 8 bytes each. */
*(uint64_t*)0x208ccfe0 = (uint64_t)0x208cc000;
*(uint64_t*)0x208ccfe8 = (uint64_t)0x1000;
*(uint64_t*)0x208ccff0 = (uint64_t)0x208cc000;
*(uint64_t*)0x208ccff8 = (uint64_t)0x0;
	/* Two iovecs; do_loop_readv_writev hands each one to the driver's read method. */
	r[9] = syscall(__NR_readv, r[2], 0x208ccfe0ul, 0x2ul);
}

int main(void)
{
	/*
	 * Run the generated program once. The exit status carries no
	 * information; the outcome of interest is in the kernel log.
	 */
	loop();
	return 0;
}


Reproducing stats:
Extracting prog: 56.494147857s
Minimizing prog: 2m23.295957981s
Simplifying prog options: 37.673741735s
Extracting C: 1.500452369s
Simplifying C: 27.488034504s


Reproducing log:
165 programs, 4 VMs
extracting reproducer from 165 programs
single: executing 8 programs separately with timeout 10s
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-socket$inet_udp-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-recvmmsg-bind$inet-socket$inet_udp-sendto$inet-sendto$inet-getsockopt$sock_cred-mmap-mmap-mmap-mmap-mmap-process_vm_readv-setsockopt$inet_int-recvfrom$inet
program did not crash
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-bpf$MAP_CREATE-mmap-mmap-io_setup-mmap-mmap-syz_open_dev$usb-mmap-creat-mmap-mmap-openat$sequencer2-ioctl$KVM_CREATE_DEVICE-mmap-mmap-mmap-socketpair-mmap-mmap-mmap-openat$hidraw0-mmap-pipe-mmap-openat$hwrng-mmap-io_submit-mmap-mmap-mmap-mmap-bpf$MAP_UPDATE_ELEM
program did not crash
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_IRQCHIP-ioctl-ioctl$KVM_CREATE_VCPU-ioctl$KVM_SET_SREGS-mmap-ioctl$KVM_ENABLE_CAP-syz_open_dev$sg-ioctl$fiemap-ioctl$KVM_SET_LAPIC-setsockopt$inet6_tcp_TCP_CONGESTION-ioctl-select-ioctl$KVM_SET_MSRS-ioctl$KVM_S390_INTERRUPT
program did not crash
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-openat$hpet-mmap-getsockopt$inet_sctp_SCTP_MAX_BURST-mmap-socket$inet-mmap-recvfrom-bind$inet-ioctl$sock_inet6_udp_SIOCINQ-mmap-mmap-socket$inet-bind$inet-connect$inet-mmap-ioctl$PERF_EVENT_IOC_REFRESH-bind$inet-socket$inet6-mmap-mmap-mmap-memfd_create-mmap-ioctl$VT_RESIZEX-getpeername-setsockopt$inet_sctp6_SCTP_EVENTS-socketpair
program did not crash
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-mmap-mmap-mmap-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-mmap-openat$sequencer2-write$sndseq-mmap-mmap-mmap-mmap-setsockopt$inet_sctp_SCTP_RECVRCVINFO-readv-sync-ppoll
program crashed: general protection fault in sg_get_rq_mark
single: successfully extracted reproducer
found reproducer with 40 syscalls
minimizing guilty program
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-write$sndseq-setsockopt$inet_sctp_SCTP_RECVRCVINFO-readv-sync-ppoll
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-write$sndseq-setsockopt$inet_sctp_SCTP_RECVRCVINFO-readv-sync
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-write$sndseq-setsockopt$inet_sctp_SCTP_RECVRCVINFO-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-write$sndseq-setsockopt$inet_sctp_SCTP_RECVRCVINFO
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-write$sndseq-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-openat$sequencer2-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-clock_gettime-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-getsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-semctl$SETVAL-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-sendmmsg$nfc_llcp-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-semget-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-write$evdev-readv
program crashed: general protection fault in sg_get_rq_mark
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-readv
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-write-readv
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): syz_open_dev$sg-write-readv
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
extracting C reproducer
testing compiled C program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
simplifying guilty program
testing program (duration=15s, {Threaded:true Collide:false Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
extracting C reproducer
testing compiled C program (duration=15s, {Threaded:true Collide:false Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
testing program (duration=15s, {Threaded:false Collide:false Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
extracting C reproducer
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
testing program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
extracting C reproducer
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: lost connection to test machine
simplifying C reproducer
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program did not crash
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: lost connection to test machine
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:true}): mmap-syz_open_dev$sg-write-readv
program crashed: general protection fault in sg_read
reproducing took 4m40.82354015s
repro crashed as:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 2905 Comm: syzkaller217469 Not tainted 4.9.58 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff88007a158000 task.stack: ffff880076840000
RIP: 0010:[<ffffffff822586b5>]  [<ffffffff822586b5>] sg_read+0xba5/0x1290
RSP: 0018:ffff880076847af8  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8800768d0088 RCX: 000000000000000c
RDX: 0000000000000000 RSI: 00000000208cc024 RDI: ffff8800768d00b8
RBP: ffff880076847be8 R08: ffffed000ee1d19c R09: ffffed000ee1d19c
R10: 0000000000000003 R11: ffffed000ee1d19d R12: ffff8800770e8cc0
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000000000
FS:  0000000001a2b880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208ccfe0 CR3: 0000000077bd1000 CR4: 00000000000006f0
Stack:
 00000000024280ca ffff8800768d00a0 0000000000001000 0002000000000000
 ffff88007971fa00 0000000000000fdc 1ffff1000ed08f68 ffff8800768d00b0
 00000000208cc024 0000000041b58ab3 ffffffff83457701 ffffffff82257b10
Call Trace:
 [<ffffffff81572b82>] do_loop_readv_writev+0x152/0x200
 [<ffffffff815772fd>] do_readv_writev+0x60d/0x710
 [<ffffffff8157748b>] vfs_readv+0x8b/0xc0
 [<ffffffff8157759b>] do_readv+0xdb/0x230
 [<ffffffff8157a877>] SyS_readv+0x27/0x30
 [<ffffffff82f9ba37>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 87 05 00 00 4c 8b 6b 28 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 37 06 00 00 4d 8b 6d 00 4d 85 ed 0f 84 a3 02 
RIP  [<ffffffff822586b5>] sg_read+0xba5/0x1290
 RSP <ffff880076847af8>
---[ end trace bb5ce28de3fd7704 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..



Attachment: config
Description: Binary data

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>

#include <stdint.h>
#include <string.h>

static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	/*
	 * Userspace stand-in for syzkaller's syz_open_dev pseudo-syscall.
	 *
	 * a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
	 *   read-write; a1 and a2 are truncated to one byte each.
	 * otherwise: a0 is the address of a NUL-terminated path template in
	 *   which every '#' is replaced by the next decimal digit of a1 (least
	 *   significant digit first); the result is opened with flags a2.
	 *
	 * Returns the descriptor from open(2), or (uintptr_t)-1 on failure.
	 */
	char path[1024];

	if (a0 == 0xc || a0 == 0xb) {
		const char *kind = (a0 == 0xc) ? "char" : "block";

		/* Format is bounded: at most "/dev/block/255:255". */
		sprintf(path, "/dev/%s/%d:%d", kind, (uint8_t)a1, (uint8_t)a2);
		return open(path, O_RDWR, 0);
	}

	/*
	 * strncpy reads at most sizeof(path) bytes but does not terminate an
	 * oversized source, so the terminator is forced explicitly.
	 */
	strncpy(path, (const char *)a0, sizeof(path));
	path[sizeof(path) - 1] = '\0';

	for (char *hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}

	/* a2 is narrowed to int here, exactly as the generated code does. */
	return open(path, a2, 0);
}

/*
 * r[] receives the return value of each step; memset(-1) below marks the
 * slots the generated program never assigns. Only r[2], the sg file
 * descriptor, is read back by later steps.
 */
long r[10];
/*
 * Reproducer body, one syscall per step as emitted by syzkaller:
 *   1. map a fixed anonymous region at 0x20000000 that holds every
 *      buffer the later calls use;
 *   2. open "/dev/sg#" with the '#' replaced by 1 (-> /dev/sg1), using
 *      flags 0x802 (O_RDWR | O_NONBLOCK on x86-64 Linux);
 *   3. write 0x58 (88) bytes of fuzzer-generated data to the device;
 *   4. readv() the device with two iovecs: one of 0x1000 bytes and a
 *      second, zero-length one pointing at the same buffer.
 * The kernel log in the report places the fault in sg_read_oxfer,
 * inlined into sg_read, reached from do_loop_readv_writev during step 4.
 * Exposure is bounded by who can open the sg node read-write; check the
 * permissions and group of /dev/sg* on the system under test.
 */
void loop()
{
	memset(r, -1, sizeof(r));
	/* 0x3 = PROT_READ|PROT_WRITE; 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (x86-64); fd -1 for anonymous memory. */
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0x8cf000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	/* Bytes spell "/dev/sg#"; the '#' is substituted by syz_open_dev(). */
memcpy((void*)0x20004000, "\x2f\x64\x65\x76\x2f\x73\x67\x23\x00", 9);
	r[2] = syz_open_dev(0x20004000ul, 0x1ul, 0x802ul);
	/* 88-byte opaque payload. NOTE(review): 88 matches sizeof(struct sg_io_hdr) on 64-bit -- confirm against the driver's write path. */
memcpy((void*)0x201e0000, "\x36\xeb\xac\x25\xe0\xe2\x59\xf9\x33\x0c\xdd\x43\x05\x27\xf1\xe9\x89\xe8\xde\xdf\x07\xac\x54\x49\xf2\x8e\x57\xf4\xbc\x13\xae\x3a\x35\x0c\x6b\xdb\xc3\xba\x29\x02\xa9\x65\xff\x3b\xc8\x89\xd1\x47\xc7\x53\x9a\x4f\xe6\xac\x54\x08\x6e\x40\x66\x83\xd0\x2e\x0c\xd6\x01\x08\x1e\xd3\xa0\x2b\xd4\x24\xa6\xca\xe4\x4d\x79\xaf\xe8\x88\x64\x12\xf6\xec\xc3\xdd\xa0\x1b", 88);
	r[4] = syscall(__NR_write, r[2], 0x201e0000ul, 0x58ul);
	/* struct iovec[2] laid out by hand at 0x208ccfe0: {base, len} pairs of 8 bytes each. */
*(uint64_t*)0x208ccfe0 = (uint64_t)0x208cc000;
*(uint64_t*)0x208ccfe8 = (uint64_t)0x1000;
*(uint64_t*)0x208ccff0 = (uint64_t)0x208cc000;
*(uint64_t*)0x208ccff8 = (uint64_t)0x0;
	/* Two iovecs; do_loop_readv_writev hands each one to the driver's read method. */
	r[9] = syscall(__NR_readv, r[2], 0x208ccfe0ul, 0x2ul);
}

int main(void)
{
	/*
	 * Run the generated program once. The exit status carries no
	 * information; the outcome of interest is in the kernel log.
	 */
	loop();
	return 0;
}
