syzbot
KASAN: vmalloc-out-of-bounds Write in kvm_dev_ioctl_get_cpuid

Status: fixed on 2020/01/08 01:07
Subsystems: kvm
Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
Fix commit: 433f4ba19041 KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
First crash: 1667d, last: 1663d
Discussions (6)
Title | Replies (including bot) | Last reply
[PATCH 4.9 000/199] 4.9.207-stable review | 204 (204) | 2019/12/20 18:47
[PATCH 4.4 000/162] 4.4.207-stable review | 167 (167) | 2019/12/20 18:47
[PATCH] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) | 2 (2) | 2019/12/18 12:24
[PATCH 4.14 000/267] 4.14.159-stable review | 280 (280) | 2019/12/17 18:18
[PATCH 3.16 00/72] 3.16.79-rc1 review | 87 (87) | 2019/12/14 18:44
KASAN: vmalloc-out-of-bounds Write in kvm_dev_ioctl_get_cpuid | 1 (2) | 2019/12/04 09:26

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __do_cpuid_func_emulated arch/x86/kvm/cpuid.c:323 [inline]
BUG: KASAN: vmalloc-out-of-bounds in do_cpuid_func arch/x86/kvm/cpuid.c:814 [inline]
BUG: KASAN: vmalloc-out-of-bounds in do_cpuid_func arch/x86/kvm/cpuid.c:810 [inline]
BUG: KASAN: vmalloc-out-of-bounds in kvm_dev_ioctl_get_cpuid+0xad7/0xb0b arch/x86/kvm/cpuid.c:891
Write of size 4 at addr ffffc90000d36050 by task syz-executor885/9172

CPU: 0 PID: 9172 Comm: syz-executor885 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:638
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/generic_report.c:139
 __do_cpuid_func_emulated arch/x86/kvm/cpuid.c:323 [inline]
 do_cpuid_func arch/x86/kvm/cpuid.c:814 [inline]
 do_cpuid_func arch/x86/kvm/cpuid.c:810 [inline]
 kvm_dev_ioctl_get_cpuid+0xad7/0xb0b arch/x86/kvm/cpuid.c:891
 kvm_arch_dev_ioctl+0x300/0x4b0 arch/x86/kvm/x86.c:3387
 kvm_dev_ioctl+0x127/0x17d0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3593
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4401e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff9da443c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401e9
RDX: 0000000020000000 RSI: 00000000c008ae09 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a70
R13: 0000000000401b00 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90000d35f00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc90000d35f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffc90000d36000: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                                                 ^
 ffffc90000d36080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc90000d36100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (41):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/12/04 18:00 upstream 63de37476ebd b2088328 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/04 16:32 upstream 63de37476ebd b2088328 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/04 07:34 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/04 06:58 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/04 06:37 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/04 02:42 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/03 10:34 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2019/12/03 09:33 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2019/12/03 05:41 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2019/12/03 02:19 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/03 01:43 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2019/12/02 23:25 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/03 11:15 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/03 10:47 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/03 06:30 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/03 03:45 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/04 11:28 upstream 63de37476ebd 0ecb9746 .config console log report ci-upstream-kasan-gce
2019/12/04 11:22 upstream 63de37476ebd 0ecb9746 .config console log report ci-upstream-kasan-gce-root
2019/12/04 10:53 upstream 63de37476ebd 0ecb9746 .config console log report ci-upstream-kasan-gce-selinux-root
2019/12/04 06:09 upstream 76bb8b05960c ae13a849 .config console log report ci-upstream-kasan-gce
2019/12/03 10:50 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-selinux-root
2019/12/03 10:49 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce
2019/12/03 10:49 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-root
2019/12/03 01:41 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-root
2019/12/03 01:30 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-root
2019/12/03 01:07 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce
2019/12/02 23:50 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce
2019/12/02 23:20 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-root
2019/12/02 22:55 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-selinux-root
2019/12/02 22:05 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce
2019/12/02 21:26 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-root
2019/12/04 13:16 upstream 63de37476ebd 0ecb9746 .config console log report ci-upstream-kasan-gce-386
2019/12/03 10:53 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-386
2019/12/02 23:14 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-386
2019/12/02 21:09 upstream 596cf45cbf6e ab342da3 .config console log report ci-upstream-kasan-gce-386
2019/12/04 20:04 linux-next c7c32c43e831 b2088328 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/12/04 11:00 linux-next c7c32c43e831 0ecb9746 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/12/03 10:51 linux-next c5db92909bed ab342da3 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/12/03 05:20 linux-next c5db92909bed ab342da3 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/11/30 05:24 linux-next 419593dad843 3a75be00 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/11/30 03:13 linux-next 419593dad843 3a75be00 .config console log report ci-upstream-linux-next-kasan-gce-root