[syzbot] [hardening?] [mm?] BUG: bad usercopy in io_openat2_prep (3)

From: syzbot
Date: Tue Feb 21 2023 - 11:33:53 EST

Next message: James Houghton: "Re: [PATCH v2 09/46] mm: add MADV_SPLIT to enable HugeTLB HGM"
Previous message: Theodore Ts'o: "Re: [PATCH] docs: ext4: modify the group desc size to 64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot found the following issue on:

HEAD commit: 2d3827b3f393 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14eb5abf480000
kernel config: https://syzkaller.appspot.com/x/.config?x=606ed7eeab569393
dashboard link: https://syzkaller.appspot.com/bug?extid=e443ef743ffab8e8bda9
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13088227480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1367b358c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd94d68ff17d/disk-2d3827b3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f304fbef0773/vmlinux-2d3827b3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/74eb318f51b0/Image-2d3827b3.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e443ef743ffab8e8bda9@xxxxxxxxxxxxxxxxxxxxxxxxx

usercopy: Kernel memory overwrite attempt detected to SLUB object 'pid' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor832 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90
sp : ffff800012ee3b90
x29: ffff800012ee3ba0 x28: 000000000000001c x27: ffff0000c72f8000
x26: 0000000020000000 x25: ffff80000cf52000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc00030cbe40 x21: ffff0000c32f9f18
x20: 0000000000000000 x19: 0000000000000018 x18: 0000000000002bce
x17: 63656a626f204255 x16: ffff0000c72f89f8 x15: ffff80000dbd2118
x14: ffff0000c72f8000 x13: 00000000ffffffff x12: ffff0000c72f8000
x11: ff808000081bbb4c x10: 0000000000000000 x9 : adc5950f6e29d600
x8 : adc5950f6e29d600 x7 : ffff80000bf650d4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000005d
Call trace:
usercopy_abort+0x90/0x94 mm/usercopy.c:90
__check_heap_object+0xa8/0x100 mm/slub.c:4761
check_heap_object mm/usercopy.c:196 [inline]
__check_object_size+0x208/0x6b8 mm/usercopy.c:251
check_object_size include/linux/thread_info.h:199 [inline]
check_copy_size include/linux/thread_info.h:235 [inline]
copy_from_user include/linux/uaccess.h:160 [inline]
copy_struct_from_user include/linux/uaccess.h:341 [inline]
io_openat2_prep+0xcc/0x2b8 io_uring/openclose.c:89
io_init_req io_uring/io_uring.c:2194 [inline]
io_submit_sqe io_uring/io_uring.c:2241 [inline]
io_submit_sqes+0x338/0xbb8 io_uring/io_uring.c:2395
__do_sys_io_uring_enter io_uring/io_uring.c:3343 [inline]
__se_sys_io_uring_enter io_uring/io_uring.c:3275 [inline]
__arm64_sys_io_uring_enter+0x168/0x1308 io_uring/io_uring.c:3275
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52
el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)
---[ end trace 0000000000000000 ]---

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Next message: James Houghton: "Re: [PATCH v2 09/46] mm: add MADV_SPLIT to enable HugeTLB HGM"
Previous message: Theodore Ts'o: "Re: [PATCH] docs: ext4: modify the group desc size to 64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]