Bug 1814448

Summary: BUG: audit can be crashed by two syzbot crashers
Product: Red Hat Enterprise Linux 8
Reporter: Richard Guy Briggs <rbriggs>
Component: kernel
Assignee: Richard Guy Briggs <rbriggs>
kernel sub component: Audit
QA Contact: Linqing Lu <lilu>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: lilu, omosnace, pkettman, rkeshri
Version: 8.2
Target Milestone: rc
Target Release: 8.3
Hardware: All
OS: Linux
Fixed In Version: kernel-4.18.0-193.5.el8
Last Closed: 2020-11-04 01:09:31 UTC
Type: Bug
Bug Blocks: 1819241, 1827303, 1920474, 1921043, 1921045

Description Richard Guy Briggs 2020-03-17 22:10:37 UTC
Description of problem:
syzbot found two crashers in audit reported on the upstream linux-audit mailing list:
- KMSAN: uninit-value in audit_receive [1]
  - fix posted [3] 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
- kernel BUG at arch/x86/mm/physaddr.c:LINE! (4) [2]
  - fix posted [4] 2ad3e17ebf94 ("audit: fix error handling in audit_data_to_entry()")

Both fixes have been tagged for the upstream stable branch.

Version-Release number of selected component (if applicable):
RHEL8.2

How reproducible:
See syzbot reports

Steps to Reproduce:
1. See syzbot reports

Actual results:
Kernel is caused to crash.

Expected results:
Kernel doesn't crash.

Additional info:
[1] - https://www.redhat.com/archives/linux-audit/2020-February/msg00091.html
[2] - https://www.redhat.com/archives/linux-audit/2020-February/msg00087.html
[3] - https://www.redhat.com/archives/linux-audit/2020-February/msg00104.html
[4] - https://www.redhat.com/archives/linux-audit/2020-February/msg00094.html
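The first fix above, [3], is about acting on a netlink payload before its length has been checked. What follows is an added, stand-alone C model of that bug class and of the check that prevents it; it is not the kernel's audit_receive_msg() code and does not reproduce the patch. The nl_hdr and set_status structs, the MSG_SET_STATUS type, and the build_msg()/probe() helpers are hypothetical, and the sample payload is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as struct nlmsghdr in <linux/netlink.h>, defined locally so
 * the example builds anywhere (hypothetical stand-in, not the kernel's). */
struct nl_hdr {
    uint32_t nlmsg_len;   /* header + payload, as claimed by the sender */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NL_HDRLEN ((uint32_t)sizeof(struct nl_hdr))

/* Hypothetical fixed-size payload for a "set status" request. */
struct set_status {
    uint32_t mask;
    uint32_t enabled;
    uint32_t failure;
    uint32_t pid;
};

#define MSG_SET_STATUS 1001u   /* hypothetical message type */

/* The bug class: trusts that a MSG_SET_STATUS message carries a whole
 * struct set_status and copies sizeof(*out) bytes from the payload. With a
 * short message this reads past what the sender supplied, i.e. unrelated
 * or uninitialised memory. Kept only for contrast; never call it on
 * untrusted input. */
int handle_unchecked(const struct nl_hdr *nlh, struct set_status *out)
{
    memcpy(out, nlh + 1, sizeof(*out));
    return 0;
}

/* Hardened handler: validates the header against the bytes actually
 * received, then the payload length against the per-type minimum, before
 * touching the data. Returns 0 or a negative errno. */
int handle_checked(const uint8_t *buf, size_t buf_len, struct set_status *out)
{
    struct nl_hdr h;
    uint32_t data_len;

    /* A complete header must be present before nlmsg_len is read at all. */
    if (buf_len < NL_HDRLEN)
        return -EINVAL;
    memcpy(&h, buf, NL_HDRLEN);   /* copy: avoids alignment assumptions */

    /* The claimed length must cover the header and fit the bytes received. */
    if (h.nlmsg_len < NL_HDRLEN || h.nlmsg_len > buf_len)
        return -EINVAL;
    data_len = h.nlmsg_len - NL_HDRLEN;

    switch (h.nlmsg_type) {
    case MSG_SET_STATUS:
        /* Per-type minimum: the payload must contain the whole struct. */
        if (data_len < sizeof(*out))
            return -EINVAL;
        memcpy(out, buf + NL_HDRLEN, sizeof(*out));
        return 0;
    default:
        return -EOPNOTSUPP;
    }
}

/* Writes a message with the given claimed length and payload bytes into
 * buf; returns the number of bytes written, or 0 if buf is too small. */
size_t build_msg(uint8_t *buf, size_t cap, uint16_t type, uint32_t claimed_len,
                 const void *data, size_t data_len)
{
    struct nl_hdr h = { claimed_len, type, 0, 1, 0 };
    if (cap < NL_HDRLEN + data_len)
        return 0;
    memcpy(buf, &h, NL_HDRLEN);
    if (data_len)
        memcpy(buf + NL_HDRLEN, data, data_len);
    return NL_HDRLEN + data_len;
}

/* Builds a message from a constructed sample payload (the first data_len
 * bytes of it, at most sizeof(struct set_status)) and returns the result of
 * handle_checked() on exactly the bytes that were built. */
int probe(uint16_t type, uint32_t claimed_len, size_t data_len, struct set_status *out)
{
    static const struct set_status sample = { 1, 1, 2, 1234 }; /* constructed */
    uint8_t buf[64];
    size_t n;

    if (data_len > sizeof(sample))
        data_len = sizeof(sample);
    n = build_msg(buf, sizeof(buf), type, claimed_len, &sample, data_len);
    if (n == 0)
        return -ENOMEM;
    return handle_checked(buf, n, out);
}
```

The order of the checks matters: the buffer length is tested before the header is read, the header's claimed length is tested against the buffer before it is used to derive the payload length, and the payload length is tested against the type's minimum before any bytes are copied.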

Comment 3 Frantisek Hrbata 2020-04-07 12:33:49 UTC
Patch(es) available on kernel-4.18.0-193.5.el8

Comment 5 errata-xmlrpc 2020-04-07 15:06:10 UTC
This bug has been added to advisory RHBA-2020:52469 by Frantisek Hrbata (fhrbata)

Comment 11 Linqing Lu 2020-04-16 15:26:59 UTC
(In reply to Richard Guy Briggs from comment #10)
> After converting "syscall(__NR_mmap, " to "mmap(" and adding its "#include
> <sys/mman.h>" header file, it compiles and runs without segfault or panic. 
> The modified source is in repro-s390x.c on that system.

Thanks! I'll give that a try.

BTW I just realized I pasted the link to a different version of the reproducer earlier in comment #7.
The one used in testing was actually https://syzkaller.appspot.com/x/repro.c?x=1648fe09e00000

Sorry for the confusion.

Comment 15 errata-xmlrpc 2020-11-04 01:09:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4431

Comment 16 Frantisek Hrbata 2021-01-31 19:42:19 UTC
*** Bug 1921037 has been marked as a duplicate of this bug. ***

Comment 17 Richard Guy Briggs 2021-02-01 17:45:36 UTC
*** Bug 1921040 has been marked as a duplicate of this bug. ***