syzbot


kernel BUG at drivers/android/binder_alloc.c:LINE! (4)

Status: fixed on 2019/08/05 13:45
Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com
Fix commit: bb4a2e48d510 binder: return errors from buffer copy functions
First crash: 1828d, last: 1820d
Cause bisection: introduced by (bisect log) :
commit bde4a19fc04f5f46298c86b1acb7a4af1d5f138d
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 18:35:20 2019 +0000

  binder: use userspace pointer as base of buffer space

Crash: kernel BUG at drivers/android/binder_alloc.c:LINE! (log)
Repro: C syz .config
  
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 5.2 00/61] 5.2.1-stable review 78 (78) 2019/07/14 06:02
[PATCH 5.1 000/138] 5.1.18-stable review 156 (156) 2019/07/14 06:01
Reminder: 3 open syzbot bugs in "android/binder" subsystem 2 (2) 2019/07/03 18:46
kernel BUG at drivers/android/binder_alloc.c:LINE! (4) 3 (4) 2019/06/28 16:55
[PATCH] binder: return errors from buffer copy functions 1 (1) 2019/06/28 16:50
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream kernel BUG at drivers/android/binder_alloc.c:LINE! kernel C 856 2387d 2392d 4/27 fixed on 2018/02/01 10:32
android-414 kernel BUG at drivers/android/binder_alloc.c:LINE! (2) C 3 1828d 1828d 0/1 public: reported C repro on 2019/06/17 23:05
upstream kernel BUG in binder_alloc_deferred_release kernel C done 4 728d 730d 22/27 fixed on 2023/02/24 13:50
upstream kernel BUG at drivers/android/binder_alloc.c:LINE! (3) kernel C done 24 1841d 1910d 12/27 fixed on 2019/06/14 18:22
upstream kernel BUG at drivers/android/binder_alloc.c:LINE! (2) kernel C 1257 1910d 1952d 11/27 fixed on 2019/03/28 12:00
android-414 kernel BUG at drivers/android/binder_alloc.c:LINE! C 30 1911d 1912d 1/1 fixed on 2019/03/28 03:28
android-49 kernel BUG at drivers/android/binder_alloc.c:LINE! C 44 1664d 1912d 1/3 internal: reported C repro on 2019/03/26 19:34

Sample crash report:
------------[ cut here ]------------
kernel BUG at drivers/android/binder_alloc.c:1130!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8617 Comm: syz-executor406 Not tainted 5.2.0-rc5 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808e96f4e0 EFLAGS: 00010293
RAX: ffff88808c314140 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808e96f560 R08: ffff88808c314140 R09: 0000000000000008
R10: ffffed1011d2df15 R11: ffff88808e96f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000a8 R15: 0000000000000000
FS:  0000555555a2d940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009ef36000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 binder_alloc_copy_from_buffer+0x37/0x42 drivers/android/binder_alloc.c:1176
 binder_validate_ptr+0xcc/0x1d0 drivers/android/binder.c:2124
 binder_transaction+0x2c9c/0x6620 drivers/android/binder.c:3308
 binder_thread_write+0x64a/0x2820 drivers/android/binder.c:3794
 binder_ioctl_write_read drivers/android/binder.c:4827 [inline]
 binder_ioctl+0x102f/0x1833 drivers/android/binder.c:5004
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444a29
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd50489248 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd50489250 RCX: 0000000000444a29
RDX: 0000000020000440 RSI: 00000000c0306201 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000401310
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402730
R13: 00000000004027c0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 8b360c91a5745d5e ]---
RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 drivers/android/binder_alloc.c:1130
Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 bf 9d 1c fc 4c 89 e6 4c 89 ef e8 d4 9e 1c fc 4d 39 e5 76 07 e8 aa 9d 1c fc <0f> 0b e8 a3 9d 1c fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 b1
RSP: 0018:ffff88808e96f4e0 EFLAGS: 00010293
RAX: ffff88808c314140 RBX: 0000000020001000 RCX: ffffffff855423cf
RDX: 0000000000000000 RSI: ffffffff855423b6 RDI: 0000000000000006
RBP: ffff88808e96f560 R08: ffff88808c314140 R09: 0000000000000008
R10: ffffed1011d2df15 R11: ffff88808e96f8af R12: 0000000000000078
R13: 0000000000000008 R14: 00000000000000a8 R15: 0000000000000000
FS:  0000555555a2d940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009ef36000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (26):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/18 03:49 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2019/06/18 03:23 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2019/06/18 02:50 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-root
2019/06/18 02:21 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-root
2019/06/18 01:47 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-root
2019/06/17 22:43 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/06/17 22:35 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce
2019/06/17 22:13 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/06/17 22:08 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce
2019/06/17 21:41 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/06/17 21:39 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2019/06/17 21:34 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce
2019/06/17 23:14 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-386
2019/06/17 22:40 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-386
2019/06/17 22:08 upstream 9e0babf2c06c 442206d7 .config console log report syz C ci-upstream-kasan-gce-386
2019/06/26 09:54 linux-next 902031767aec 0a8d1a96 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/06/26 09:31 linux-next 902031767aec 0a8d1a96 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/06/22 16:38 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce
2019/06/22 15:14 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce-root
2019/06/22 00:42 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce-smack-root
2019/06/20 13:59 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce
2019/06/17 21:07 upstream 9e0babf2c06c 442206d7 .config console log report ci-upstream-kasan-gce
2019/06/17 21:06 upstream 9e0babf2c06c 442206d7 .config console log report ci-upstream-kasan-gce-selinux-root
2019/06/17 21:02 upstream 9e0babf2c06c 442206d7 .config console log report ci-upstream-kasan-gce-smack-root
2019/06/20 14:00 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce-386
2019/06/20 14:02 linux-next c0e4c41afeef 34bf9440 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.