2024年12月25日 13:37,Kun Hu huk23@m.fudan.edu.cn 写道:
Hello,
BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c. The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte). To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
if (sysex->len >= MAX_SYSEX_BUFLEN) { sysex->len = 0; sysex->skip = 1; return -EINVAL; /* Exit early if sysex->len is out of bounds */ }
If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu huk23@m.fudan.edu.cn
————— Thanks, Kun Hu
2024年12月24日 19:16,Kun Hu huk23@m.fudan.edu.cn 写道:
Hello,
When using fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered.
HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 git tree: upstream Console output:https://drive.google.com/file/d/17oCyKDW_kNhSW5Bbvm23vnpD1eo0MHFi/view?usp=s... Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=s... C reproducer: https://drive.google.com/file/d/177HJht6a7-6F3YLudKb_d4kiPGd1VA_i/view?usp=s... Syzlang reproducer: https://drive.google.com/file/d/1AuP5UGGc47rEXXPuvjmCKgJ3d0U1P84j/view?usp=s...
If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu huk23@m.fudan.edu.cn
================================================================== BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 Write of size 1 at addr ff1100000588e288 by task syz-executor411/824
CPU: 2 UID: 0 PID: 824 Comm: syz-executor411 Not tainted 6.13.0-rc3 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace:
<TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x5f0 mm/kasan/report.c:489 kasan_report+0x93/0xc0 mm/kasan/report.c:602 snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61 insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline] snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135 odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168 vfs_write fs/read_write.c:677 [inline] vfs_write+0x2e3/0x10f0 fs/read_write.c:659 ksys_write+0x122/0x240 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hello,
Is this issue being considered and is it possible that the value of sysex->len in line 509 of the snd_seq_oss_synth_sysex function could exceed 127 and thus be out of bounds?
——— Best Regards, Kun Hu
On Sat, 28 Dec 2024 09:07:16 +0100, Kun Hu wrote:
2024年12月25日 13:37,Kun Hu huk23@m.fudan.edu.cn 写道:
Hello,
BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c. The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte). To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
if (sysex->len >= MAX_SYSEX_BUFLEN) { sysex->len = 0; sysex->skip = 1; return -EINVAL; /* Exit early if sysex->len is out of bounds */ }
If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu huk23@m.fudan.edu.cn
――――― Thanks, Kun Hu
2024年12月24日 19:16,Kun Hu huk23@m.fudan.edu.cn 写道:
Hello,
When using fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered.
HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 git tree: upstream Console output:https://drive.google.com/file/d/17oCyKDW_kNhSW5Bbvm23vnpD1eo0MHFi/view?usp=s... Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=s... C reproducer: https://drive.google.com/file/d/177HJht6a7-6F3YLudKb_d4kiPGd1VA_i/view?usp=s... Syzlang reproducer: https://drive.google.com/file/d/1AuP5UGGc47rEXXPuvjmCKgJ3d0U1P84j/view?usp=s...
If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu huk23@m.fudan.edu.cn
================================================================== BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 Write of size 1 at addr ff1100000588e288 by task syz-executor411/824
CPU: 2 UID: 0 PID: 824 Comm: syz-executor411 Not tainted 6.13.0-rc3 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace:
<TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x5f0 mm/kasan/report.c:489 kasan_report+0x93/0xc0 mm/kasan/report.c:602 snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516 snd_seq_oss_process_event+0x46a/0x2620 sound/core/seq/oss/seq_oss_event.c:61 insert_queue sound/core/seq/oss/seq_oss_rw.c:167 [inline] snd_seq_oss_write+0x261/0x7f0 sound/core/seq/oss/seq_oss_rw.c:135 odev_write+0x53/0xa0 sound/core/seq/oss/seq_oss.c:168 vfs_write fs/read_write.c:677 [inline] vfs_write+0x2e3/0x10f0 fs/read_write.c:659 ksys_write+0x122/0x240 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hello,
Is this issue being considered and is it possible that the value of sysex->len in line 509 of the snd_seq_oss_synth_sysex function could exceed 127 and thus be out of bounds?
Sorry for the late reaction, as I've been (still) off since the last week. Will check in details later.
But, through a quick glance, it's likely the racy access, and your suggested fix won't suffice, I'm afraid.
thanks,
Takashi
Sorry for the late reaction, as I've been (still) off since the last week. Will check in details later.
But, through a quick glance, it's likely the racy access, and your suggested fix won't suffice, I'm afraid.
So sorry to have disturbed your rest. Let me know if you need any more info.
Best Regards,
Kun Hu
linux-stable-mirror@lists.linaro.org
-
Kun Hu -
Takashi Iwai