Re: BUG: bad usercopy in __check_object_size (2)

From: Tetsuo Handa
Date: Fri Sep 07 2018 - 12:18:56 EST

Next message: Doug Anderson: "Re: [PATCH V3] spi: spi-geni-qcom: Add SPI driver support for GENI based QUP"
Previous message: Dmitry Vyukov: "Re: WARNING: ODEBUG bug in vudc_probe"
In reply to: syzbot: "Re: BUG: bad usercopy in __check_object_size (2)"
Next in thread: Kees Cook: "Re: BUG: bad usercopy in __check_object_size (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2018/09/08 0:29, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:ÂÂÂ 28619527b8a7 Merge git://git.kernel.org/pub/scm/linux/kern..
> git tree:ÂÂÂÂÂÂ bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=124e64d1400000
> kernel config:Â https://syzkaller.appspot.com/x/.config?x=62e9b447c16085cf
> dashboard link: https://syzkaller.appspot.com/bug?extid=a3c9d2673837ccc0f22b
> compiler:ÂÂÂÂÂÂ gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:ÂÂÂÂÂ https://syzkaller.appspot.com/x/repro.syz?x=179f9cd1400000
> C reproducer:ÂÂ https://syzkaller.appspot.com/x/repro.c?x=11b3e8be400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a3c9d2673837ccc0f22b@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Âentry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x440479
> usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 64)!

Kees, is this because check_page_span() is failing to allow on-stack variable

u8 opcodes[OPCODE_BUFSIZE];

which by chance crossed PAGE_SIZE boundary?

Next message: Doug Anderson: "Re: [PATCH V3] spi: spi-geni-qcom: Add SPI driver support for GENI based QUP"
Previous message: Dmitry Vyukov: "Re: WARNING: ODEBUG bug in vudc_probe"
In reply to: syzbot: "Re: BUG: bad usercopy in __check_object_size (2)"
Next in thread: Kees Cook: "Re: BUG: bad usercopy in __check_object_size (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]