syzbot


BUG: bad usercopy in memdup_user

Status: closed as dup on 2017/12/31 08:11
Reported-by: syzbot+719398b443fd30155f92f2a888e749026c62b427@syzkaller.appspotmail.com
First crash: 1821d, last: 1797d
Duplicate of (1):
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: use-after-free Read in __list_del_entry_valid (2) C 11 1815d 1817d

Sample crash report:
usercopy: kernel memory overwrite attempt detected to 000000003605deae (kmalloc-1024) (1024 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 15442 Comm: syz-executor4 Not tainted 4.15.0-rc6+ #245
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:64 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:264
RSP: 0018:ffff8801d99d7158 EFLAGS: 00010286
RAX: 0000000000000062 RBX: ffffffff85d2b020 RCX: 0000000000000000
RDX: 0000000000000062 RSI: ffffc90002cda000 RDI: ffffed003b33ae1f
RBP: ffff8801d99d7248 R08: 1ffff1003b33adad R09: 0000000000000000
R10: 0000000090d5452a R11: 0000000000000000 R12: ffffffff85d2afe0
R13: ffff8801c9b7e990 R14: 0000000000000400 R15: ffffea000726df80
FS:  00007fb16e23c700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020fc3000 CR3: 00000001c589a001 CR4: 00000000001626e0
Call Trace:
 check_object_size include/linux/thread_info.h:112 [inline]
 check_copy_size include/linux/thread_info.h:143 [inline]
 copy_from_user include/linux/uaccess.h:146 [inline]
 memdup_user+0x46/0x90 mm/util.c:168
 kvm_arch_vcpu_ioctl+0x1974/0x4740 arch/x86/kvm/x86.c:3499
 kvm_vcpu_ioctl+0x240/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2734
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fb16e23bc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb16e23c700 RCX: 0000000000452ac9
RDX: 000000002057b000 RSI: 000000004400ae8f RDI: 0000000000000015
RBP: 0000000000a2f870 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f7ef R14: 00007fb16e23c9c0 R15: 0000000000000008
Code: 48 0f 44 da e8 00 32 c1 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c 89 e2 48 89 de 48 c7 c7 e0 b0 d2 85 49 89 c0 e8 36 e7 aa ff <0f> 0b 48 c7 c0 a0 ae d2 85 eb 96 48 c7 c0 e0 ae d2 85 eb 8d 48 
RIP: report_usercopy mm/usercopy.c:64 [inline] RSP: ffff8801d99d7158
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:264 RSP: ffff8801d99d7158
---[ end trace 8d221e3bc1742827 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (107):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2018/01/01 13:04 upstream 30a7acd57389 00193447 .config log report
ci-upstream-kasan-gce 2017/12/31 10:28 upstream 71ee203389f7 bb6384b8 .config log report
ci-upstream-kasan-gce 2017/12/31 09:45 upstream 71ee203389f7 bb6384b8 .config log report
ci-upstream-kasan-gce 2017/12/30 20:06 upstream 5aa90a845892 bb6384b8 .config log report
ci-upstream-net-kasan-gce 2018/01/07 07:03 net-next d0adb51edb73 19c05fff .config log report
ci-upstream-net-kasan-gce 2018/01/07 03:02 net-next d0adb51edb73 19c05fff .config log report
ci-upstream-net-kasan-gce 2018/01/04 18:01 net-next 4b24dd802280 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/03 20:46 net-next 4b24dd802280 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/03 08:05 net-next 72bca2084a21 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/03 07:36 net-next 72bca2084a21 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/02 02:35 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 23:34 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 23:10 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 21:44 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 20:48 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 15:40 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2018/01/01 04:31 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2017/12/31 20:30 net-next 6bb8824732f6 00193447 .config log report
ci-upstream-net-kasan-gce 2017/12/31 05:42 net-next 6bb8824732f6 bb6384b8 .config log report
ci-upstream-net-kasan-gce 2017/12/30 22:05 net-next 6bb8824732f6 bb6384b8 .config log report
ci-upstream-net-kasan-gce 2017/12/30 21:29 net-next 6bb8824732f6 bb6384b8 .config log report
ci-upstream-net-kasan-gce 2017/12/30 05:31 net-next 6bb8824732f6 bb6384b8 .config log report
ci-upstream-mmots-kasan-gce 2018/01/03 00:32 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-mmots-kasan-gce 2018/01/03 00:00 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-mmots-kasan-gce 2018/01/02 03:45 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/02 00:41 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-mmots-kasan-gce 2018/01/01 22:37 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 21:51 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 21:11 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 21:10 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 14:16 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 10:32 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-mmots-kasan-gce 2018/01/01 10:29 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 09:20 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 09:13 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2018/01/01 07:45 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2017/12/31 22:32 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-mmots-kasan-gce 2017/12/31 21:25 mmots 37759fa6d0fa 00193447 .config log report
ci-upstream-next-kasan-gce 2017/12/31 20:30 linux-next 0e08c463db38 00193447 .config log report
ci-upstream-next-kasan-gce 2017/12/31 13:23 linux-next 0e08c463db38 00193447 .config log report
* Struck through repros no longer work on HEAD.