et: disabled
==
Regards,
Kyungtae Kim
On Mon, Nov 9, 2020 at 2:08 PM Kyungtae Kim wrote:
>
> We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> of syzkaller).
>
> The bug happens when the freed object tty->port is accessed in
&g
c016732a0
RBP: 7ffc01673320 R08: R09: 7ffc01674ee1
R10: 0005 R11: 0206 R12:
R13: 00403200 R14: 000000403290 R15:
==
Regards,
Kyungtae Kim
It cannot be reproduced, unfortunately.
Thanks,
Kyungtae Kim
On Sat, Oct 31, 2020 at 9:40 PM Alan Stern wrote:
>
> On Wed, Oct 28, 2020 at 04:51:09PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> > of syzkaller
On Wed, Oct 28, 2020 at 4:13 PM Kyungtae Kim wrote:
>
> FuzzUSB (a variant of syzkaller) found the bug
> when accessing a freed instance of struct f_hidg.
>
> Reference: https://www.spinics.net/lists/linux-usb/msg195103.html
>
> The fix uses reference count to ensure the rig
fb fb
^
88806bc94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
88806bc94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==
Regards,
Kyungtae Kim
On Sun, Oct 25, 2020 at 3:32 PM Kyungtae Kim wrote:
>
> We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> of syzkaller).
>
> An instance of struct usb_request allocated in f_audio_set_alt() leaked.
>
> ===
fb fb fb fb fb
==
Regards,
Kyungtae Kim
==
Thanks,
Kyungtae Kim
We report a bug (in linux-5.7) found by FuzzUSB (a modified version
of syzkaller)
The bug happened when accessing a deallocated instance of gs_port.
While spinning a lock in gs_flush_chars(),
port is allowed to be freed in gser_free_inst().
This ends up triggering a memory error.
To fix this, i
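The two reports above (the f_hidg fix that "uses reference count", and the gs_port freed out from under gs_flush_chars() while it waits for the port lock) describe the same lifetime pattern. The following is an added illustration written for this page, not the kernel's u_serial/f_hidg code: a constructed userspace model in which the struct and function names mirror the report but every body is hypothetical. "Freeing" poisons a static slot instead of calling free() so that a stale access is detectable by the example itself; the race window is injected explicitly through a callback that stands in for the concurrent gser_free_inst().

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the report's gs_port; not the kernel's struct. */
struct gs_port {
    atomic_int refcnt;   /* owners: the gadget instance plus in-flight users */
    int flush_count;     /* stands in for the fields gs_flush_chars() touches */
    int freed;           /* set when the last reference is dropped */
};

/* One static slot plays the allocator. "Freeing" marks the object instead
 * of calling free(), so the example can observe a use after release. */
static struct gs_port pool;
static struct gs_port *inst_port;   /* pointer the gadget instance owns */

static struct gs_port *gs_port_alloc(void)
{
    memset(&pool, 0, sizeof pool);
    atomic_store(&pool.refcnt, 1);  /* the instance's own reference */
    inst_port = &pool;
    return inst_port;
}

static struct gs_port *gs_port_get(struct gs_port *p)
{
    if (p)
        atomic_fetch_add(&p->refcnt, 1);
    return p;
}

static void gs_port_put(struct gs_port *p)
{
    if (p && atomic_fetch_sub(&p->refcnt, 1) == 1)
        p->freed = 1;   /* last reference gone: object is now invalid */
}

/* Hypothetical gser_free_inst(): the instance drops its reference. */
static void gser_free_inst(void)
{
    struct gs_port *p = inst_port;
    inst_port = NULL;
    gs_port_put(p);
}

/* The race window: while gs_flush_chars() waits for the port lock, the
 * teardown path runs. The caller injects it via during_lock_wait. */
typedef void (*race_fn)(void);

/* Buggy shape: uses the raw pointer after the window. Returns -1 when it
 * touched a released object (the kernel equivalent is the KASAN UAF). */
static int gs_flush_chars_unsafe(struct gs_port *port, race_fn during_lock_wait)
{
    during_lock_wait();              /* gser_free_inst() runs here */
    if (port->freed)
        return -1;
    port->flush_count++;
    return 0;
}

/* Fixed shape: take a reference before the window, drop it after use. */
static int gs_flush_chars_safe(struct gs_port *port, race_fn during_lock_wait)
{
    int ret = -1;
    if (!gs_port_get(port))
        return -1;
    during_lock_wait();              /* teardown can no longer release it */
    if (!port->freed) {
        port->flush_count++;
        ret = 0;
    }
    gs_port_put(port);               /* last user releases it instead */
    return ret;
}

/* Interleave exactly as the report describes: teardown during the wait. */
int scenario_unsafe(void)
{
    struct gs_port *p = gs_port_alloc();
    return gs_flush_chars_unsafe(p, gser_free_inst);
}

int scenario_safe(void)
{
    struct gs_port *p = gs_port_alloc();
    int ret = gs_flush_chars_safe(p, gser_free_inst);
    /* Object released exactly once, after the user's put. */
    return (ret == 0 && p->freed && atomic_load(&p->refcnt) == 0) ? 0 : -1;
}
```

The point of the model is where the release happens: with the reference taken before the lock wait, gser_free_inst() can only drop the instance's reference, and the object survives until the in-flight gs_flush_chars() calls put, which is the ordering a refcount fix enforces.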
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
This bug happened during enumeration (i.e., set_config) for an acm gadget.
Although tty (instance of tty_struct) held by port->port in
gs_start_io() is null,
this tries to access its field (tty->flags) in tty_wak
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
This bug happened when accessing a deallocated instance in printer_ioctl().
This seems to be in line with the following bug.
https://groups.google.com/forum/#!topic/syzkaller/U2SJOYi-S08
===
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
The buf of a usbtest_dev instance (dev->buf) allocated in
usbtest_probe() leaked.
The usbtest_dev instance holding the buf is attached to a
corresponding device instance
through usb_set_intfdata().
But later, th
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
This bug happened when accessing a deallocated instance in printer_read().
printer_read() tries to access lock_printer_io of the printer_dev instance
(f_printer.c:430). However, UAF arises because it had been fre
On Fri, May 01, 2020 at 09:05:38AM +0200, Greg KH wrote:
> On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> > of syzkaller).
> >
> > This happened when the size of "name
fs/read_write.c:623 [inline]
__se_sys_write fs/read_write.c:620 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:620
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Signed-off-by: Kyungtae Kim
Reported-and-tested-by: Kyungtae Kim
---
drivers
fc 00 fc fc fb fc fc fb
88806a55de00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
======
Regards,
Kyungtae Kim
I'm reporting a bug in linux-4.19.19: "INFO: task hung in reiserfs_sync_fs"
(no reproducer)
=
INFO: task kworker/0:1:13513 blocked for more than 120 seconds.
Not tainted 4.19.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this messag
I'm reporting a bug in linux-4.19.19: "UBSAN: Undefined behaviour in
fs/jfs/jfs_dmap.c"
(don't have repro)
A memory access violation (invalid array index) arose in the dmtree
function dbAdjTree().
For now, however, it's hard to say for sure whether this is caused by user-supplied input.
I'm reporting a bug in linux-4.19.19: "UBSAN: Undefined behaviour in
fs/xfs/xfs_ioctl.c"
kernel config: https://kt0755.github.io/etc/config_4.19.19
repro: https://kt0755.github.io/etc/repro.8d35e.c (xfs is mounted on
/mnt/xfs/)
Integer overflow arose in xfs_ioc_space() when bf->l_start + bf->l_le
322 RDI: 0013
RBP: 0071bea0 R08: R09:
R10: R11: 0246 R12:
R13: 2dd8 R14: 006ebe78 R15: 7f4a7013a700
=====
Thanks,
Kyungtae Kim
That's my bad. Thank you for your comment and effort.
Regards,
Kyungtae Kim
On Wed, Jan 23, 2019 at 4:34 PM Willem de Bruijn wrote:
>
> On Mon, Jan 21, 2019 at 2:25 PM Kyungtae Kim wrote:
> >
> > I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined beha
I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
net/ipv4/ip_output.c"
kernel config: https://kt0755.github.io/etc/config-5.0-rc2
repro: https://kt0755.github.io/etc/repro.b6a11.c
Integer overflow happened in __ip_append_data() when 2 * sk->sk_sndbuf
(at line 1004)
is larger t
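Both UBSAN reports on this page (xfs_ioc_space() computing bf->l_start + bf->l_len, and __ip_append_data() computing 2 * sk->sk_sndbuf) are signed-integer overflows in arithmetic on caller-influenced values. The following is an added example written for this page and is not the kernel's xfs or ipv4 code: it shows the shape of check that belongs in front of such arithmetic. The struct, field and function names are hypothetical stand-ins modelled on the names in the reports, and the bound values are chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>

/* Hypothetical request carrying the two fields the xfs report names. */
struct range_req {
    int64_t l_start;
    int64_t l_len;
};

/* Validates l_start + l_len without ever computing an overflowing sum.
 * Returns true and writes the exclusive end on success. */
bool range_end_checked(const struct range_req *r, int64_t *end)
{
    if (r->l_start < 0 || r->l_len <= 0)
        return false;
    /* start + len > INT64_MAX rewritten as len > INT64_MAX - start;
     * the subtraction cannot overflow because start is non-negative. */
    if (r->l_len > INT64_MAX - r->l_start)
        return false;
    *end = r->l_start + r->l_len;
    return true;
}

/* Constructed analogue of 2 * sk_sndbuf where sk_sndbuf is an int: check
 * the headroom before doubling. Returns -1 if the product would not fit. */
long double_sndbuf_checked(int sk_sndbuf)
{
    if (sk_sndbuf < 0 || sk_sndbuf > INT_MAX / 2)
        return -1;
    return 2L * sk_sndbuf;
}

/* Same idea with the compiler builtin, for the common case where the
 * operands are not known to be non-negative: the builtin reports wrap and
 * leaves the result unused when it does. */
bool add_i64_checked(int64_t a, int64_t b, int64_t *out)
{
    return !__builtin_add_overflow(a, b, out);
}
```

Rewriting the comparison around the headroom (len > MAX - start) is the portable form; __builtin_add_overflow is the form to prefer where it is available, because it also covers operands of either sign. Either way the check has to run before the addition that UBSAN instrumented, not on its wrapped result.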
e.c:548
#2: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
inode_lock include/linux/fs.h:713 [inline]
#2: dc29e189 (&sb->s_type->i_mutex_key#16){+.+.}, at:
f2fs_file_write_iter+0x27a/0xcd0 fs/f2fs/file.c:2917
1 lock held by syz-executor5/10898:
#0: b6b59b71 (&f->f_pos_lock){+.+.}, at:
__fdget_pos+0xd6/0x100 fs/file.c:766
=
Thanks,
Kyungtae Kim
b fb fb fb fb fb fb fb
=====
Thanks,
Kyungtae Kim
00 R11: 0246 R12:
R13: bb50 R14: 006f4bf0 R15: 7f1ea15ee700
=========
Thanks,
Kyungtae Kim
73c46cc RCX: 004497b9
RDX: 2000 RSI: 004040105504 RDI: 0013
RBP: 0071bea0 R08: R09:
R10: R11: 0246 R12:
R13: 5ca0 R14: 006eed40 R15: 7f7b273c4700
=====
Thanks,
Kyungtae Kim
46 R12:
R13: ba60 R14: 006f4b00 R15: 7f6045f44700
=========
Thanks,
Kyungtae Kim
RDX: 0048 RSI: 20c0 RDI: 0013
RBP: 0071bea0 R08: R09:
R10: R11: 0246 R12:
R13: ba60 R14: 006f4b00 R15: 7fc2e6feb700
=====
Thanks,
Kyungtae Kim
It seems that timeout.nsec doesn't need to be patched.
But before going further, I'm just curious why such timeout variables
in the kernel are defined as signed-type variables in the first place?
Thanks,
Kyungtae Kim
On Wed, Jan 9, 2019 at 4:20 AM Rodolfo Giometti wrote:
>
> On
X / HZ)
+ return -EINVAL;
ticks = fdata->timeout.sec * HZ;
ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);
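Review bot: the added bound (its condition is cut off here at `X / HZ)`) only rejects a too-large `timeout.sec` before `ticks = fdata->timeout.sec * HZ;`; since the reply above notes that these timeout fields are signed, the check should also reject a negative `timeout.sec` (and a negative `timeout.nsec`), otherwise `ticks` can still be driven negative and the subsequent `ticks += fdata->timeout.nsec / (NSEC_PER_SEC / HZ);` operates on a meaningless value. A combined `if (sec < 0 || nsec < 0 || sec > X / HZ) return -EINVAL;` would cover both directions.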
Thanks,
Kyungtae Kim
On Tue, Jan 8, 2019 at 8:50 AM Greg KH wrote:
>
> On Tue, Jan 08, 2019 at 08:37:37AM -0500, Kyungtae Kim wrote:
> > We report a bug in linux-4.20: "general protection fault in
> > spk_ttyio_ldisc_close"
> >
> > kernel config: https://kt0755.github.io/
9c0 R15: 7f607f746700
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
=========
Thanks,
Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim
Date: Mon, Nov 26, 2018 at 12:26 AM
Subject: UBSAN: Undefined behaviour in drivers/input/mousedev.c
To:
Cc: Byoungyoung Lee, DaeRyong Jeong
We report a crash found in v4.20-rc2:
kernel config: https://kt0755.github.io/etc
Ah, I got that. Thanks.
Kyungtae
Thank you for your reply.
But I think this kind of crash can occur on a real PC as well, and I'm
just thinking of some way to stop it in the first place (if possible),
because malicious users could use it to make the whole system
(kernel) work incorrectly.
Thanks,
Kyungtae
Thank you for all your comments.
Thanks,
Kyungtae Kim
On Wed, Nov 14, 2018 at 11:05 AM Paul E. McKenney wrote:
>
> On Wed, Nov 14, 2018 at 04:31:11PM +0100, Alexander Potapenko wrote:
> > On Wed, Nov 14, 2018 at 4:09 PM Paul E. McKenney
> > wrote:
> > >
> > >
t+0x8d/0xb0 net/socket.c:1354
__x64_sys_socket+0x4a/0x70 net/socket.c:1354
do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
=========
Thanks,
Kyungtae Kim
83 c3 01 4d 85 ed 0f 95 c2 49 81 fc
RIP: outb arch/x86/include/asm/io.h:333 [inline] RSP: 88011095fc40
RIP: write_port+0xda/0x190 drivers/char/mem.c:640 RSP: 88011095fc40
CR2: c90001eb5f90
---[ end trace 6917feb3b143574b ]---
=
Thanks,
Kyungtae Kim
006ed530 R15: 7fb5ef0e3700
=
Thanks,
Kyungtae Kim
88100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
======
Thanks,
Kyungtae Kim
On Thu, May 17, 2018 at 2:04 PM, Kyungtae Kim wrote:
> We report the crash:
> "KASAN: use-after-free Read in vgacon_invert_r
0 00 00 00
>8810: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
88100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
88100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==
Tha
f ff ff ff ff
^
88139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
88139100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
======
Thanks,
Kyungtae Kim
-- Forwarded message --
From: Kyungtae Kim
Date: Sat, May 12, 2018 at 9:47 AM
Subject: KASAN: use-after-free Write in do_con_write
To: gre...@linuxfoundation.org, jsl...@suse.com, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee, DaeRyong Jeong
We report the crash:
"KASAN
-- Forwarded message --
From: Kyungtae Kim
Date: Sat, May 12, 2018 at 9:44 AM
Subject: KASAN: use-after-free Write in vgacon_scroll
To: b.zolnier...@samsung.com, dri-de...@lists.freedesktop.org,
linux-fb...@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee
-- Forwarded message --
From: Kyungtae Kim
Date: Sat, May 12, 2018 at 9:40 AM
Subject: BUG: unable to handle kernel paging request in write_port
To: Arnd Bergmann, gre...@linuxfoundation.org,
linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee, DaeRyong Jeong
We report the crash
-- Forwarded message --
From: Kyungtae Kim
Date: Fri, May 11, 2018 at 11:38 AM
Subject: KASAN: use-after-free Write in write_mem
To: a...@arndb.de, gre...@linuxfoundation.org, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee, DaeLyong Jeong
We report the crash:
"KASAN