[v6.1] KASAN: slab-out-of-bounds Write in hfs_bnode_read_key


syzbot

Jun 4, 2023, 4:20:10 PM6/4/23
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d2869ace6eeb Linux 6.1.31
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d43379280000
kernel config: https://syzkaller.appspot.com/x/.config?x=11263f470b7a4c92
dashboard link: https://syzkaller.appspot.com/bug?extid=4be1354b4526d3f6335d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141857d1280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146a07d1280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b17a7cd87498/disk-d2869ace.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cc8291ae723a/vmlinux-d2869ace.xz
kernel image: https://storage.googleapis.com/syzbot-assets/04943541fc25/Image-d2869ace.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/61498338a849/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4be135...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 64
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:367 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x310/0x454 fs/hfs/bnode.c:70
Write of size 256 at addr ffff0000c4d43300 by task syz-executor324/4216

CPU: 0 PID: 4216 Comm: syz-executor324 Not tainted 6.1.31-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
memcpy_from_page include/linux/highmem.h:367 [inline]
hfs_bnode_read fs/hfs/bnode.c:35 [inline]
hfs_bnode_read_key+0x310/0x454 fs/hfs/bnode.c:70
hfs_brec_insert+0x508/0x97c fs/hfs/brec.c:141
hfs_cat_create+0x4f0/0x844 fs/hfs/catalog.c:131
hfs_create+0x70/0xe4 fs/hfs/dir.c:202
lookup_open fs/namei.c:3413 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0xeac/0x2548 fs/namei.c:3711
do_filp_open+0x1bc/0x3cc fs/namei.c:3741
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

Allocated by task 4216:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
hfs_find_init+0x88/0x1c8 fs/hfs/bfind.c:21
hfs_cat_create+0x168/0x844 fs/hfs/catalog.c:96
hfs_create+0x70/0xe4 fs/hfs/dir.c:202
lookup_open fs/namei.c:3413 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0xeac/0x2548 fs/namei.c:3711
do_filp_open+0x1bc/0x3cc fs/namei.c:3741
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

The buggy address belongs to the object at ffff0000c4d43300
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
128-byte region [ffff0000c4d43300, ffff0000c4d43380)

The buggy address belongs to the physical page:
page:000000008da5510c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104d43
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc00033ca600 dead000000000004 ffff0000c0002300
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000c4d43200: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff0000c4d43280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c4d43300: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc
^
ffff0000c4d43380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c4d43400: 06 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup