Bug 4845 - There is a stack-out-of-bounds read in profile_pc
Summary: There is a stack-out-of-bounds read in profile_pc
Status: NEW
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: X86
Version: unspecified
Hardware: x86_64 Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: Guanjun
QA Contact: shuming
URL:
Whiteboard:
Keywords: CVE
Depends on:
Blocks:
 
Reported: 2023-04-27 15:51 UTC by DuckRui
Modified: 2023-04-27 16:06 UTC
CC List: 2 users

See Also:


Attachments
config file to compile kernel (171.86 KB, text/plain), 2023-04-27 15:51 UTC, DuckRui
Poc files that can trigger vulnerabilities (4.77 KB, text/x-csrc), 2023-04-27 15:52 UTC, DuckRui

Description DuckRui 2023-04-27 15:51:24 UTC
Created attachment 718
config file to compile kernel

Description of problem:
An issue was discovered in arch/x86/kernel/time.c in the cloud-kernel-devel-5.10.
There is a stack-out-of-bounds read in profile_pc. This flaw allows a local user to crash the system or potentially cause a denial of service.

Version-Release number of selected component (if applicable):
5.10.134

How reproducible:
Compile the cloud-kernel-devel-5.10 source code using the config file provided in attachment 1, compile the poc file (attachment 2), and execute it.

Steps to Reproduce:
1.  cp .config /path/to/cloud-kernel-devel-5.10/
    make
  (Copy the config file (attachment 1) into the cloud-kernel-devel-5.10 source tree and run "make" to compile the kernel.)
2.  gcc -pthread gcc.c -o gcc
  (Copy poc.c to the compiled kernel and generate the poc binary.)
3.  ./poc

Actual results:
DoS
The call trace is:
[   61.777341] Call Trace:
[   61.778853]  <IRQ>
[   61.780083]  dump_stack+0x9c/0xd3
[   61.782051]  print_address_description.constprop.0+0x1c/0x220
[   61.785435]  ? _raw_spin_lock_irqsave+0x70/0xc0
[   61.788019]  ? _raw_write_lock_irqsave+0xb0/0xb0
[   61.790616]  ? profile_pc+0x125/0x130
[   61.792686]  kasan_report.cold+0x1f/0x37
[   61.795034]  ? profile_pc+0x125/0x130
[   61.797203]  ? _raw_spin_lock+0x42/0xb0
[   61.799432]  profile_pc+0x125/0x130
[   61.801513]  profile_tick+0xa2/0xe0
[   61.803458]  tick_sched_timer+0xee/0x130
[   61.805706]  ? tick_sched_do_timer+0x190/0x190
[   61.808202]  __hrtimer_run_queues+0x3a5/0x780
[   61.810572]  ? enqueue_hrtimer+0x1d0/0x1d0
[   61.812908]  ? kvm_clock_get_cycles+0xd/0x20
[   61.815304]  hrtimer_interrupt+0x2de/0x8f0
[   61.817556]  __sysvec_apic_timer_interrupt+0xd0/0x270
[   61.820306]  asm_call_irq_on_stack+0x12/0x20
[   61.822744]  </IRQ>
[   61.824062]  sysvec_apic_timer_interrupt+0x6f/0x80
[   61.826709]  asm_sysvec_apic_timer_interrupt+0x12/0x20

Expected results:
No crash


=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=
Rui Yang from Ant Group TianQiong Security Lab found it using AntFuzz.

Best Regards,
Rui Yang
Comment 1 DuckRui 2023-04-27 15:52:34 UTC
Created attachment 719
Poc files that can trigger vulnerabilities

The poc file.
Comment 2 DuckRui 2023-04-27 16:06:25 UTC
Sorry, I made a mistake.
Please ignore this report; I will report this issue again in a new one.