syzbot

UBSAN: array-index-out-of-bounds in arch_uprobe_analyze_insn

Status: fixed on 2021/03/10 01:48
Subsystems: kernel
Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
Fix commit:
  12cb908a11b2 x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes
  84da009f06e6 x86/sev-es: Use new for_each_insn_prefix() macro to loop over prefixes bytes
  4e9a5ae8df5b x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
First crash: 1279d, last: 1198d
Cause bisection: introduced by (bisect log):
commit 4b2bd5fec007a4fd3fc82474b9199af25013de4c
Author: John Stultz <john.stultz@linaro.org>
Date: Sat Oct 8 00:02:33 2016 +0000

  proc: fix timerslack_ns CAP_SYS_NICE check when adjusting self

Crash: WARNING in nf_unregister_net_hook (log)
Repro: C syz .config
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 4.19 00/39] 4.19.163-rc1 review 50 (50) 2020/12/11 22:40
[PATCH 5.9 00/75] 5.9.14-rc1 review 83 (83) 2020/12/11 14:23
[PATCH 4.4 00/39] 4.4.248-rc1 review 49 (49) 2020/12/11 12:06
[PATCH 4.9 00/45] 4.9.248-rc1 review 49 (49) 2020/12/11 12:03
[PATCH 4.14 00/31] 4.14.212-rc1 review 34 (34) 2020/12/11 09:03
[PATCH 5.4 00/54] 5.4.83-rc1 review 57 (57) 2020/12/10 16:46
[PATCH v2 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes 32 (32) 2020/12/10 10:36
[PATCH v3 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes 9 (9) 2020/12/05 10:14
[PATCH 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes 11 (11) 2020/12/03 04:20
UBSAN: array-index-out-of-bounds in arch_uprobe_analyze_insn 2 (5) 2020/12/02 06:12

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in arch/x86/kernel/uprobes.c:263:36
index 4 is out of range for type 'insn_byte_t [4]'
CPU: 1 PID: 8455 Comm: syz-executor886 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:356
 is_prefix_bad arch/x86/kernel/uprobes.c:263 [inline]
 uprobe_init_insn arch/x86/kernel/uprobes.c:286 [inline]
 arch_uprobe_analyze_insn+0x1e7/0x12c0 arch/x86/kernel/uprobes.c:856
 prepare_uprobe kernel/events/uprobes.c:860 [inline]
 install_breakpoint+0x3f1/0x450 kernel/events/uprobes.c:903
 uprobe_mmap+0xd6f/0x1270 kernel/events/uprobes.c:1394
 mmap_region+0xa44/0x1bc0 mm/mmap.c:1886
 do_mmap+0x964/0x11e0 mm/mmap.c:1583
 vm_mmap_pgoff+0x12c/0x1c0 mm/util.c:507
 ksys_mmap_pgoff+0x358/0x4f0 mm/mmap.c:1634
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440379
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffeb3813ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020007000
RBP: 00000000006ca018 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000412 R11: 0000000000000246 R12: 0000000000401b80
R13: 0000000000401c10 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (604):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/03 14:16 upstream 34816d20f173 e6b0d314 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/11/06 21:42 upstream 521b619acdc8 64069d48 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/11/06 06:11 upstream 521b619acdc8 64069d48 .config console log report syz C ci-upstream-kasan-gce-root
2020/10/13 05:13 upstream bbf5c979011a d32b0bbf .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/09/21 00:12 upstream 325d0eab4f31 9564d2e9 .config console log report syz C ci-upstream-kasan-gce-root
2020/12/05 02:12 linux-next 0eedceafd3a6 20366b87 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/06 17:05 upstream 33256ce19411 f12ba0c5 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/06 09:06 upstream 33256ce19411 f12ba0c5 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/06 01:55 upstream b3298500b23f 50503117 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/05 18:17 upstream b3298500b23f 50503117 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/05 10:07 upstream e87297fa080a 20366b87 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/04 22:43 upstream e87297fa080a 20366b87 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/03 22:36 upstream 34816d20f173 59ad4022 .config console log report info ci-qemu-upstream
2020/12/03 12:55 upstream 34816d20f173 e6b0d314 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/03 07:11 upstream 3bb61aa61828 8c9190ef .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/03 04:58 upstream 3bb61aa61828 8c9190ef .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/02 11:51 upstream 509a15421674 c42a35e9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/02 06:28 upstream 509a15421674 c42a35e9 .config console log report info ci-upstream-kasan-gce-root
2020/12/01 18:25 upstream b65054597872 07bfe8a5 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/01 15:45 upstream b65054597872 07bfe8a5 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/01 12:24 upstream b65054597872 b3a34598 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/30 17:13 upstream b65054597872 76831598 .config console log report info ci-qemu-upstream
2020/11/30 11:08 upstream b65054597872 a0092f9d .config console log report info ci-upstream-kasan-gce-root
2020/11/29 06:31 upstream 45e885c439e8 a0092f9d .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/27 13:39 upstream 85a2c56cb445 5018c946 .config console log report info ci-upstream-kasan-gce-root
2020/11/27 06:28 upstream 85a2c56cb445 5018c946 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/26 19:26 upstream fa02fcd94b0c 1d2b823e .config console log report info ci-upstream-kasan-gce-root
2020/11/26 18:12 upstream fa02fcd94b0c 1d2b823e .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/26 16:53 upstream fa02fcd94b0c 1d2b823e .config console log report info ci-upstream-kasan-gce-root
2020/11/26 16:05 upstream fa02fcd94b0c 1d2b823e .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/26 07:59 upstream fa02fcd94b0c 2f1cec62 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/26 01:06 upstream fa02fcd94b0c 2f1cec62 .config console log report info ci-upstream-kasan-gce-root
2020/11/26 00:16 upstream fa02fcd94b0c 2f1cec62 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/25 15:45 upstream 127c501a03d5 1a1f4bd8 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/11/25 13:30 upstream 127c501a03d5 1a1f4bd8 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/25 10:06 upstream 127c501a03d5 1a1f4bd8 .config console log report info ci-upstream-kasan-gce-root
2020/11/25 02:44 upstream 80145ac2f739 e34b696c .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/24 11:08 upstream d5beb3140f91 1ab681a4 .config console log report info ci-upstream-kasan-gce-root
2020/11/24 10:42 upstream d5beb3140f91 1ab681a4 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/24 01:54 upstream d5beb3140f91 878fb17a .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/23 11:19 upstream 418baf2c28f3 0d27f508 .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/20 20:35 upstream 325d0eab4f31 9564d2e9 .config console log report info ci-upstream-kasan-gce-root
2020/11/30 08:51 upstream b65054597872 a0092f9d .config console log report info ci-qemu-upstream-386
2020/12/06 13:45 linux-next 0eedceafd3a6 f12ba0c5 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/06 05:43 linux-next 0eedceafd3a6 50503117 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/03 15:20 linux-next 0eedceafd3a6 e6b0d314 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/02 10:48 linux-next 0eedceafd3a6 c42a35e9 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/01 18:14 linux-next 0eedceafd3a6 07bfe8a5 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/01 08:07 linux-next c6b11acc5f85 b3a34598 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/29 09:02 linux-next 6174f05255e6 a0092f9d .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/27 12:36 linux-next 6147c83fd749 5018c946 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/26 02:21 linux-next 62918e6fd7b5 2f1cec62 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/22 10:11 linux-next 95065cb54210 0d27f508 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/09/16 22:55 linux-next 5fa35f247b56 8247808b .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.