scsi: NULL deref in sg_start_req


 



Hello,

The following program causes a NULL pointer dereference in sg_start_req:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback for libc headers that predate memfd_create(2).  319 is the
 * x86-64 syscall number, so this fallback is only right on that
 * architecture (the traces below are from an x86-64 QEMU guest). */
#ifndef SYS_memfd_create
#define SYS_memfd_create 319
#endif

/*
 * syzkaller reproducer.  It builds a small memfd whose first bytes look like
 * a legacy sg header and then pushes that file into /dev/sg0 with
 * sendfile(2).  Because the destination is a character device, sendfile
 * takes the splice path (default_file_splice_write -> __kernel_write ->
 * sg_write in the trace below) instead of an ordinary write(2) from user
 * memory; the oops is in the kernel's handling of that path, not a defect in
 * this program, whose input is intentionally malformed.
 *
 * Every literal 0x20...... address is an absolute offset into the fixed
 * anonymous mapping created first.  Trailing zero arguments to syscall()
 * are beyond each syscall's arity and appear to be generator padding.
 */
int main()
{
  long r[26];  /* syscall results; only r[2] (memfd) and r[4] (sg fd) are read */

  /* Fixed RW scratch mapping at 0x20000000, 0xdee000 bytes:
   * prot 0x3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,
   * fd -1, offset 0.  Every address used below falls inside it, and anonymous
   * memory starts out zero-filled. */
  syscall(SYS_mmap, 0x20000000ul, 0xdee000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  /* memfd_create("securivi", 0x3 = MFD_CLOEXEC|MFD_ALLOW_SEALING); the name
   * is arbitrary. */
  r[2] = syscall(SYS_memfd_create,
"\x73\x65\x63\x75\x72\x69\x76\x69\x00", 0x3ul, 0, 0, 0, 0);
  /* Copies "/dev/sg#" into scratch memory.  No later syscall in this program
   * references 0x20dea2be, so this looks like leftover from fuzzer
   * minimisation. */
  memcpy((void*)0x20dea2be, "\x2f\x64\x65\x76\x2f\x73\x67\x23", 8);
  /* open("/dev/sg0", 0x2 = O_RDWR): the generic SCSI node that receives the data. */
  r[4] = syscall(SYS_open, "/dev/sg0", 0x2ul, 0, 0, 0);
  /* Four struct iovec {iov_base, iov_len} laid out back to back from
   * 0x20000ffe (unaligned, which user memory tolerates):
   *   {0x20000000, 0x4f} {0x20000f7c, 0x84} {0x20003f9e, 0xe0} {0x20decf72, 0xc6}
   * Total 0x4f + 0x84 + 0xe0 + 0xc6 = 633 bytes, all zero-filled scratch. */
  *(uint64_t*)0x20000ffe = (uint64_t)0x20000000;
  *(uint64_t*)0x20001006 = (uint64_t)0x4f;
  *(uint64_t*)0x2000100e = (uint64_t)0x20000f7c;
  *(uint64_t*)0x20001016 = (uint64_t)0x84;
  *(uint64_t*)0x2000101e = (uint64_t)0x20003f9e;
  *(uint64_t*)0x20001026 = (uint64_t)0xe0;
  *(uint64_t*)0x2000102e = (uint64_t)0x20decf72;
  *(uint64_t*)0x20001036 = (uint64_t)0xc6;
  /* pwritev(memfd, iov, 4, offset 0): grows the memfd to 633 bytes of zeros
   * without moving the file position. */
  syscall(SYS_pwritev, r[2], 0x20000ffeul, 0x4ul, 0x0ul, 0, 0);
  /* 28 bytes of header at 0x208b1fea: u32 0x20, u32 0xffff, u64 0, u64 0, u32 1.
   * The write() below sends 0x20 = 32 bytes, so the last 4 come from zeroed
   * scratch.  NOTE(review): the first word is not the 'S' interface id, so
   * sg_write presumably parses this as the legacy struct sg_header with
   * pack_len = 0x20 and reply_len = 0xffff; that reading is consistent with
   * the "data in/out 65499/591 bytes for SCSI command 0x0" message the kernel
   * logged (65535 minus the header size for "in", the 633-byte file minus
   * header and a 6-byte CDB for "out") -- confirm against sg.c. */
  *(uint32_t*)0x208b1fea = (uint32_t)0x20;
  *(uint32_t*)0x208b1fee = (uint32_t)0xffff;
  *(uint64_t*)0x208b1ff2 = (uint64_t)0x0;
  *(uint64_t*)0x208b1ffa = (uint64_t)0x0;
  *(uint32_t*)0x208b2002 = (uint32_t)0x1;
  /* write(memfd, hdr, 32): the file position is still 0 after pwritev, so
   * this overwrites the first 32 of the 633 bytes; the size stays 633. */
  syscall(SYS_write, r[2], 0x208b1feaul, 0x20ul, 0, 0, 0);
  /* sendfile(out = /dev/sg0, in = memfd, *offset = 0, count = 0x19cb): the
   * count exceeds the file size, so the whole memfd is spliced into sg_write
   * through __kernel_write, i.e. with a kernel-side buffer.  In the oops the
   * data mapping done by sg_start_req ends in __memcpy with RSI = 0 and
   * RCX = 0x200 qwords (rep movsq), i.e. a page-sized copy from address 0. */
  *(uint64_t*)0x20deb20e = (uint64_t)0x0;
  syscall(SYS_sendfile, r[4], r[2], 0x20deb20eul, 0x19cbul, 0, 0);
  return 0;
}


sg_write: data in/out 65499/591 bytes for SCSI command 0x0-- guessing data in;
   program a.out not setting count and/or reply_len properly
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff81323fd2>] __memcpy+0x12/0x20 arch/x86/lib/memcpy_64.S:35
PGD 7ce53067 PUD 7cef8067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 2 PID: 2650 Comm: a.out Not tainted 4.4.0+ #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88007fa25cc0 ti: ffff88007ccf0000 task.ti: ffff88007ccf0000
RIP: 0010:[<ffffffff81323fd2>]  [<ffffffff81323fd2>] __memcpy+0x12/0x20
RSP: 0018:ffff88007ccf3800  EFLAGS: 00010246
RAX: ffff88007cc20000 RBX: ffff88007ccf38e0 RCX: 0000000000000200
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88007cc20000
RBP: ffff88007ccf3840 R08: ffff88007ccf39c0 R09: 0000000002080020
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: 0000000000001000 R14: 0000000000001000 R15: 0000000000000000
FS:  00000000012df880(0063) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000007fab8000 CR4: 00000000000006e0
Stack:
 ffffffff81328682 ffff88007ccf39c0 ffff88007cc21000 ffff88007ccf38e0
 ffff88007fa25cc0 ffff88007cd69a40 ffff88007ccf3a68 ffff88007ccf3a68
 ffff88007ccf38a0 ffffffff8132a1a4 000000000000ffdb ffff88007ccf38a0
Call Trace:
 [<ffffffff8132a1a4>] copy_page_from_iter+0x274/0x370 lib/iov_iter.c:467
 [<     inline     >] bio_copy_from_iter block/bio.c:1023
 [<ffffffff812f1356>] bio_copy_user_iov+0x2e6/0x380 block/bio.c:1221
 [<ffffffff812fd214>] blk_rq_map_user_iov+0x1e4/0x270 block/blk-map.c:111
 [<ffffffff812fd2ed>] blk_rq_map_user+0x4d/0x60 block/blk-map.c:154
 [<     inline     >] sg_start_req drivers/scsi/sg.c:1766
 [<ffffffff8152a277>] sg_common_write.isra.17+0x327/0x540 drivers/scsi/sg.c:782
 [<ffffffff8152b4af>] sg_write+0x1af/0x330 drivers/scsi/sg.c:685
 [<ffffffff81170143>] __vfs_write+0x23/0xe0 fs/read_write.c:528
 [<ffffffff8117024f>] __kernel_write+0x4f/0xf0 fs/read_write.c:550
 [<ffffffff8119c9ce>] write_pipe_buf+0x5e/0x70 fs/splice.c:1068
 [<     inline     >] splice_from_pipe_feed fs/splice.c:770
 [<ffffffff8119c579>] __splice_from_pipe+0xf9/0x170 fs/splice.c:895
 [<ffffffff8119ddec>] splice_from_pipe+0x4c/0x70 fs/splice.c:930
 [<ffffffff8119de44>] default_file_splice_write+0x14/0x20 fs/splice.c:1080
 [<     inline     >] do_splice_from fs/splice.c:1122
 [<ffffffff8119c011>] direct_splice_actor+0x31/0x40 fs/splice.c:1288
 [<ffffffff8119c770>] splice_direct_to_actor+0x90/0x1f0 fs/splice.c:1241
 [<ffffffff8119c947>] do_splice_direct+0x77/0xa0 fs/splice.c:1331
 [<ffffffff811713e8>] do_sendfile+0x198/0x380 fs/read_write.c:1266
 [<     inline     >] SYSC_sendfile64 fs/read_write.c:1321
 [<ffffffff811720fa>] SyS_sendfile64+0x4a/0x90 fs/read_write.c:1313
 [<ffffffff8189f86e>] entry_SYSCALL_64_fastpath+0x12/0x71
arch/x86/entry/entry_64.S:185
Code: 60 48 2b 43 50 88 43 4e 5b 5d c3 e8 b9 fc ff ff eb eb 90 90 90
90 90 90 90 0f 1f 44 00 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3>
48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3
RIP  [<ffffffff81323fd2>] __memcpy+0x12/0x20 arch/x86/lib/memcpy_64.S:35
 RSP <ffff88007ccf3800>
CR2: 0000000000000000
---[ end trace 581bd080ffa39d79 ]---


note: a.out[7919] exited with preempt_count 1

BUG: sleeping function called from invalid context at include/linux/sched.h:2805
in_atomic(): 1, irqs_disabled(): 0, pid: 7919, name: a.out
INFO: lockdep is turned off.
CPU: 3 PID: 7919 Comm: a.out Tainted: G      D         4.5.0-rc1+ #300
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880061656a90 ffffffff82be118d ffff88006146c740
 0000000000001eef 0000000000000000 ffff880061656ab8 ffffffff813cb8cb
 ffff88006146c740 ffffffff867387a0 0000000000000af5 ffff880061656af8
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82be118d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff813cb8cb>] ___might_sleep+0x27b/0x3a0 kernel/sched/core.c:7703
 [<ffffffff813cba80>] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7665
 [<     inline     >] threadgroup_change_begin include/linux/sched.h:2805
 [<ffffffff813830d1>] exit_signals+0x81/0x430 kernel/signal.c:2392
 [<ffffffff8135c3dc>] do_exit+0x23c/0x2cb0 kernel/exit.c:701
 [<ffffffff811aa28f>] oops_end+0x9f/0xd0 arch/x86/kernel/dumpstack.c:250
 [<ffffffff811aa686>] die+0x46/0x60 arch/x86/kernel/dumpstack.c:316
 [<ffffffff811a4725>] do_general_protection+0x235/0x3e0
arch/x86/kernel/traps.c:463
 [<ffffffff866554e8>] general_protection+0x28/0x30 arch/x86/entry/entry_64.S:982
 [<     inline     >] check_memory_region mm/kasan/kasan.c:264
 [<ffffffff81763d64>] __asan_loadN+0x124/0x1a0 mm/kasan/kasan.c:512
 [<ffffffff817642ed>] memcpy+0x1d/0x40 mm/kasan/kasan.c:297
 [<ffffffff82c1ff41>] copy_from_iter+0x581/0x960 lib/iov_iter.c:416
 [<ffffffff82c25400>] copy_page_from_iter+0x510/0xa50 lib/iov_iter.c:467
 [<     inline     >] bio_copy_from_iter block/bio.c:1023
 [<ffffffff82b37e98>] bio_copy_user_iov+0xac8/0xe10 block/bio.c:1221
 [<ffffffff82b69720>] blk_rq_map_user_iov+0x4b0/0x8e0 block/blk-map.c:111
 [<ffffffff82b69c50>] blk_rq_map_user+0x100/0x170 block/blk-map.c:154
 [<     inline     >] sg_start_req drivers/scsi/sg.c:1766
 [<ffffffff839f5392>] sg_common_write.isra.19+0x1042/0x16d0
drivers/scsi/sg.c:782
 [<ffffffff839f90ff>] sg_write+0x60f/0xa20 drivers/scsi/sg.c:685
 [<ffffffff817b9093>] __vfs_write+0x113/0x480 fs/read_write.c:528
 [<ffffffff817b94e7>] __kernel_write+0xe7/0x320 fs/read_write.c:550
 [<ffffffff8185bcb9>] write_pipe_buf+0x159/0x1e0 fs/splice.c:1068
 [<     inline     >] splice_from_pipe_feed fs/splice.c:770
 [<ffffffff8185cb17>] __splice_from_pipe+0x257/0x710 fs/splice.c:895
 [<ffffffff81860547>] splice_from_pipe+0xf7/0x140 fs/splice.c:930
 [<ffffffff81860620>] default_file_splice_write+0x40/0x90 fs/splice.c:1080
 [<     inline     >] do_splice_from fs/splice.c:1122
 [<ffffffff8185a0a5>] direct_splice_actor+0x125/0x180 fs/splice.c:1288
 [<ffffffff8185b3b9>] splice_direct_to_actor+0x2c9/0x820 fs/splice.c:1241
 [<ffffffff8185bab0>] do_splice_direct+0x1a0/0x250 fs/splice.c:1331
 [<ffffffff817bcac3>] do_sendfile+0x673/0x1000 fs/read_write.c:1266
 [<     inline     >] SYSC_sendfile64 fs/read_write.c:1321
 [<ffffffff817bf4e7>] SyS_sendfile64+0xb7/0x140 fs/read_write.c:1313
 [<ffffffff86653236>] entry_SYSCALL_64_fastpath+0x

On commit 4e5448a31d73d0e944b7adb9049438a09bc332cb.
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


