KASAN: slab-out-of-bounds Read in getname_kernel


syzbot

Apr 13, 2019, 8:00:32 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 71fce1ed UPSTREAM: tracing: always define trace_{irq,preem..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=103d3f17800000
kernel config: https://syzkaller.appspot.com/x/.config?x=a54f56879744de40
dashboard link: https://syzkaller.appspot.com/bug?extid=07886784c012dc64011e
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12c67a47800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=114786a7800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+078867...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: slab-out-of-bounds in strlen+0x91/0xa0 lib/string.c:481
Read of size 1 at addr ffff8801b78f4740 by task syz-executor676/3790

CPU: 0 PID: 3790 Comm: syz-executor676 Not tainted 4.9.96-g71fce1e #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801b6b0f978 ffffffff81eb0b69 ffffea0006de3d00 ffff8801b78f4740
0000000000000000 ffff8801b78f4740 ffff8801b78f4738 ffff8801b6b0f9b0
ffffffff8156540b ffff8801b78f4740 0000000000000001 0000000000000000
Call Trace:
[<ffffffff81eb0b69>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb0b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff8156540b>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81565815>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81565815>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff81539434>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
[<ffffffff81ecdeb1>] strlen+0x91/0xa0 lib/string.c:481
[<ffffffff815a6064>] getname_kernel+0x24/0x340 fs/namei.c:215
[<ffffffff815a7684>] kern_path_mountpoint+0x24/0x70 fs/namei.c:2754
[<ffffffff81901dce>] find_autofs_mount.isra.4+0x8e/0x200 fs/autofs4/dev-ioctl.c:213
[<ffffffff81902c03>] autofs_dev_ioctl_open_mountpoint fs/autofs4/dev-ioctl.c:258 [inline]
[<ffffffff81902c03>] autofs_dev_ioctl_openmount+0x153/0x2d0 fs/autofs4/dev-ioctl.c:303
[<ffffffff81901b4b>] _autofs_dev_ioctl+0x4fb/0x690 fs/autofs4/dev-ioctl.c:699
[<ffffffff81901cfb>] autofs_dev_ioctl+0x1b/0x30 fs/autofs4/dev-ioctl.c:714
[<ffffffff815b051c>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815b051c>] file_ioctl fs/ioctl.c:493 [inline]
[<ffffffff815b051c>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
[<ffffffff815b159f>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff815b159f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 3790:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
__kmalloc_track_caller+0xdc/0x2b0 mm/slub.c:4232
memdup_user+0x2c/0xb0 mm/util.c:161
copy_dev_ioctl fs/autofs4/dev-ioctl.c:110 [inline]
_autofs_dev_ioctl+0x13a/0x690 fs/autofs4/dev-ioctl.c:645
autofs_dev_ioctl+0x1b/0x30 fs/autofs4/dev-ioctl.c:714
vfs_ioctl fs/ioctl.c:43 [inline]
file_ioctl fs/ioctl.c:493 [inline]
do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2441:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
single_release+0x88/0xb0 fs/seq_file.c:609
__fput+0x263/0x700 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x10c/0x180 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801b78f4720
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
32-byte region [ffff8801b78f4720, ffff8801b78f4740)
The buggy address belongs to the page:
page:ffffea0006de3d00 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801b78f4600: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
ffff8801b78f4680: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
> ffff8801b78f4700: fb fb fc fc 00 00 00 00 fc fc fb fb fb fb fc fc
                                            ^
ffff8801b78f4780: 00 00 00 00 fc fc fb fb fb fb fc fc fb fb fb fb
ffff8801b78f4800: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
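The two traces above pin down the shape of the bug: the object was allocated by memdup_user() in copy_dev_ioctl() with exactly the size the caller supplied (a 32-byte kmalloc-32 object), and the faulting read is strlen() in getname_kernel(), reached from autofs_dev_ioctl_openmount(), at the first byte past that object. That is consistent with an ioctl argument consisting of a fixed header followed by an optional path, where the OPENMOUNT handler used param->path even though no path bytes had been copied at all. The following is an added user-space model of that layout with the missing validation; it is not kernel code and not a fix from this thread, and the struct fields, HDR_SIZE, MAX_SIZE and the function names are assumptions chosen to mirror the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the argument layout: a fixed header (32 bytes here, matching the
 * kmalloc-32 object in the report) followed by a flexible path. The kernel
 * copies exactly param->size bytes, so path bytes exist only if size > HDR_SIZE.
 * Field names and MAX_SIZE are assumptions for illustration. */
#define HDR_SIZE 32
#define MAX_SIZE 4096

struct dev_ioctl {
    uint32_t ver_major;
    uint32_t ver_minor;
    uint32_t size;          /* bytes supplied by user space, header included */
    int32_t  ioctlfd;
    uint8_t  cmd_args[16];  /* stands in for the per-command union */
    char     path[];        /* 0..(size - HDR_SIZE) bytes; usable only if it holds a NUL */
};
_Static_assert(sizeof(struct dev_ioctl) == HDR_SIZE, "header must be 32 bytes");

/* Copy param->size bytes into an object of exactly that size, as memdup_user()
 * did in the "Allocated by" trace. The user_len bound stands in for the fault
 * the kernel would take on an unmapped user buffer. */
struct dev_ioctl *copy_dev_ioctl(const void *user, size_t user_len)
{
    struct dev_ioctl hdr;
    struct dev_ioctl *p;

    if (user_len < HDR_SIZE)
        return NULL;
    memcpy(&hdr, user, HDR_SIZE);
    if (hdr.size < HDR_SIZE || hdr.size > MAX_SIZE || hdr.size > user_len)
        return NULL;
    p = malloc(hdr.size);
    if (p)
        memcpy(p, user, hdr.size);
    return p;
}

/* Vulnerable shape (never called here): the handler trusts param->path to be
 * terminated and hands it to a strlen()-based lookup. With size == HDR_SIZE the
 * object contains no path bytes, so the first byte strlen() touches is one past
 * the 32-byte object: "0 bytes to the right of 32-byte region", as KASAN said. */
size_t openmount_unchecked(const struct dev_ioctl *param)
{
    return strlen(param->path);   /* out-of-bounds read when no terminator was copied */
}

/* Hardened check: the path must lie inside the copied object and be terminated
 * there. need_path is 1 for commands that resolve a path (OPENMOUNT in the
 * report) and 0 for those that ignore it. Returns 0 or -EINVAL. */
int validate_dev_ioctl(const struct dev_ioctl *param, int need_path)
{
    size_t path_len = param->size - HDR_SIZE;  /* copy_dev_ioctl() ensured size >= HDR_SIZE */

    if (path_len == 0)
        return need_path ? -EINVAL : 0;      /* no path bytes at all: refuse to strlen() */
    if (memchr(param->path, '\0', path_len) == NULL)
        return -EINVAL;                      /* no terminator inside the object */
    if (need_path && param->path[0] == '\0')
        return -EINVAL;                      /* empty path cannot name a mountpoint */
    return 0;
}

/* Hardened OPENMOUNT entry: copy, validate, release. */
int openmount_hardened(const void *user, size_t user_len)
{
    struct dev_ioctl *param = copy_dev_ioctl(user, user_len);
    int err;

    if (!param)
        return -EINVAL;
    err = validate_dev_ioctl(param, 1);
    free(param);
    return err;
}

/* Build a constructed user buffer (size = HDR_SIZE + path_len, path bytes copied
 * raw, so a terminator is present only if the caller included one) and run it
 * through openmount_hardened(). path_len is capped at 64 for the local buffer. */
int check_case(const char *path_bytes, size_t path_len)
{
    uint8_t buf[HDR_SIZE + 64];
    struct dev_ioctl hdr = { .ver_major = 1, .ver_minor = 0,
                             .size = (uint32_t)(HDR_SIZE + path_len), .ioctlfd = -1 };

    if (path_len > 64)
        return -EINVAL;
    memcpy(buf, &hdr, HDR_SIZE);
    memcpy(buf + HDR_SIZE, path_bytes, path_len);
    return openmount_hardened(buf, HDR_SIZE + path_len);
}

int main(void)
{
    /* size == 32 with no path bytes is the report's input: now rejected. */
    int a = check_case("", 0);                 /* -EINVAL */
    int b = check_case("/mnt/auto", 9);        /* -EINVAL: nine bytes, no NUL */
    int c = check_case("/mnt/auto", 10);       /* 0: NUL included */
    return (a == -EINVAL && b == -EINVAL && c == 0) ? 0 : 1;
}
```

The point of the check is that a terminator is only meaningful if it lies inside the bytes that were actually copied; a size equal to the header size leaves nothing for strlen() to read, and a size larger than the header still needs a NUL within size - HDR_SIZE bytes before any path-based lookup is attempted.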