Re: [syzbot] BUG: bad usercopy in io_openat2_prep
From: Kees Cook
Date: Sat Feb 11 2023 - 11:37:01 EST
On February 11, 2023 8:08:52 AM PST, syzbot <syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>Hello,
>
>syzbot found the following issue on:
>
>HEAD commit: ca72d58361ee Merge branch 'for-next/core' into for-kernelci
>git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>console output: https://syzkaller.appspot.com/x/log.txt?x=14a882f3480000
>kernel config: https://syzkaller.appspot.com/x/.config?x=f3e78232c1ed2b43
>dashboard link: https://syzkaller.appspot.com/bug?extid=cdd9922704fc75e03ffc
>compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>userspace arch: arm64
>syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1203777b480000
>C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124c1ea3480000
>
>Downloadable assets:
>disk image: https://storage.googleapis.com/syzbot-assets/e2c91688b4cd/disk-ca72d583.raw.xz
>vmlinux: https://storage.googleapis.com/syzbot-assets/af105438bee6/vmlinux-ca72d583.xz
>kernel image: https://storage.googleapis.com/syzbot-assets/4a28ec4f8f7e/Image-ca72d583.gz.xz
>
>IMPORTANT: if you fix the issue, please add the following tag to the commit:
>Reported-by: syzbot+cdd9922704fc75e03ffc@xxxxxxxxxxxxxxxxxxxxxxxxx
>
>usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
This looks like some serious memory corruption. The pid slab is 24 bytes in size, but struct io_open is larger... Possible UAF after the memory being reallocated to a new slab??
-Kees
> [...]
>Call trace:
> usercopy_abort+0x90/0x94
> __check_heap_object+0xa8/0x100
> __check_object_size+0x208/0x6b8
> io_openat2_prep+0xcc/0x2b8
> io_submit_sqes+0x338/0xbb8
> __arm64_sys_io_uring_enter+0x168/0x1308
> invoke_syscall+0x64/0x178
> el0_svc_common+0xbc/0x180
> do_el0_svc+0x48/0x110
> el0_svc+0x58/0x14c
> el0t_64_sync_handler+0x84/0xf0
> el0t_64_sync+0x190/0x194
--
Kees Cook