[syzbot] [orangefs?] KASAN: slab-out-of-bounds Read in orangefs_debug_write

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 59dbb9d81adf Merge tag 'xsa465+xsa466-6.13-tag' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1320cb44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1327f4f8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1720cb44580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c5dbdd280188/disk-59dbb9d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9a6753a4cd2e/vmlinux-59dbb9d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa643efa107f/bzImage-59dbb9d8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc519d...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822

CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f11f9893a39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc84d45838 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f11f9893a39
RDX: 00000000fffffdef RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f11f99065f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>

Allocated by task 5822:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
orangefs_debug_write+0x14c/0x780 fs/orangefs/orangefs-debugfs.c:401
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88814d695000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes to the right of
allocated 2048-byte region [ffff88814d695000, ffff88814d695800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14d690
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
head: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000535a401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 18983173250, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
cfctrl_create+0x9b/0x320 net/caif/cfctrl.c:39
cfcnfg_create+0xb2/0x500 net/caif/cfcnfg.c:86
caif_init_net+0x7d/0xe0 net/caif/caif_dev.c:514
ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
__register_pernet_operations net/core/net_namespace.c:1267 [inline]
register_pernet_operations+0x3a1/0x6f0 net/core/net_namespace.c:1343
register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1384
caif_device_init+0x16/0x50 net/caif/caif_dev.c:567
do_one_initcall+0x128/0x630 init/main.c:1266
page_owner free stack trace missing

Memory state around the buggy address:
ffff88814d695700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88814d695780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88814d695800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88814d695880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88814d695900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Edward Adam Davis]

#syz test: https://github.com/ea1davis/linux orange/syz

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fc519d...@syzkaller.appspotmail.com
Tested-by: syzbot+fc519d...@syzkaller.appspotmail.com

Tested on:

commit: e6780148 fs/orange: fix a oob in orangefs_debug_write
git tree: https://github.com/ea1davis/linux orange/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=10b3410f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89

dashboard link: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

syzbot report a slab-out-of-bounds Read in orangefs_debug_write. [1]

The string passed in from userspace is not terminated with a NULL character,
which causes strlen to go out of bounds.

Use kstrndup to replace kstrdup.

[1]

BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822

CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fc519d...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
Tested-by: syzbot+fc519d...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/orangefs/orangefs-debugfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 1b508f543384..c2637c966e52 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -833,7 +833,9 @@ static void debug_string_to_mask(char *debug_string, void *mask, int type)
{
char *unchecked_keyword;
int i;
- char *strsep_fodder = kstrdup(debug_string, GFP_KERNEL);
+ char *strsep_fodder = kstrndup(debug_string,
+ ORANGEFS_MAX_DEBUG_STRING_LEN,
+ GFP_KERNEL);
char *original_pointer;
int element_count = 0;
struct client_debug_mask *c_mask = NULL;
--
2.47.0

[Al Viro]

On Sun, Dec 22, 2024 at 04:14:13PM +0800, Edward Adam Davis wrote:
> syzbot report a slab-out-of-bounds Read in orangefs_debug_write. [1]
>
> The string passed in from userspace is not terminated with a NULL character,
> which causes strlen to go out of bounds.
>
> Use kstrndup to replace kstrdup.

Better to replace
if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
silly = count;
count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
}
with
if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
silly = count;
count = ORANGEFS_MAX_DEBUG_STRING_LEN;
}
instead, so that we wouldn't have to deal with lack of NUL anywhere.

[Edward Adam Davis]

Yes, you are right.

[Edward Adam Davis]

syzbot report a slab-out-of-bounds Read in orangefs_debug_write. [1]

When the count value is greater than ORANGEFS_MAX_DEBUG_STRING_LEN + 1 in
orangefs_debug_write(), it is set to ORANGEFS_MAX_DEBUG_STRING_LEN + 1.
The allocated buf length is ORANGEFS_MAX_DEBUG_STRING_LEN, and the length
of the data copied to the buf is ORANGEFS_MAX_DEBUG_STRING_LEN, which causes
strlen() to be out of bounds.

Update the threshold of count to prevent this issue.

[1]
BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822

CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fc519d...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f

Signed-off-by: Edward Adam Davis <ead...@qq.com>
---

V1 -> V2: Update the threshold of count

fs/orangefs/orangefs-debugfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 1b508f543384..fa41db088488 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
* Thwart users who try to jamb a ridiculous number
* of bytes into the debug file...
*/
- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
+ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
silly = count;
- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
+ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
}

buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
--
2.47.0

[Mike Marshall]

I used Al's suggestion on top of 6.13.0-rc5 and ran
it through xfstests with no problem. Since I doubt xfstests
runs down this code path I also did some other tests.

I made some files with comma separated debug settings and
catted them onto /sys/kernel/debug/orangefs/kernel-debug.

When I caused the file to be longer than
ORANGEFS_MAX_DEBUG_STRING_LEN
I could see that execution flowed down the
code path with Al's suggested changes, and
the proper thing happened.

Anywho... I'll send this up in the merge window unless
someone else (Edward?) plans to...

-Mike