KASAN: slab-out-of-bounds Read in linear_transfer
9 views
Skip to first unread message
syzbot
Dec 3, 2019, 9:35:10 PM12/3/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1565d196e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=55e7362a9674c6e2bd5e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ea7aeae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1180d1bce00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+55e736...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x6de/0x940
sound/core/oss/linear.c:88
Read of size 1 at addr ffff88809920dec0 by task syz-executor661/7542
CPU: 1 PID: 7542 Comm: syz-executor661 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
do_convert sound/core/oss/linear.c:48 [inline]
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
linear_transfer+0x6de/0x940 sound/core/oss/linear.c:88
snd_pcm_plug_read_transfer+0x197/0x2e0 sound/core/oss/pcm_plugin.c:651
snd_pcm_oss_read2+0x1f0/0x3f0 sound/core/oss/pcm_oss.c:1475
snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1532 [inline]
snd_pcm_oss_read+0x53a/0x6a0 sound/core/oss/pcm_oss.c:2753
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447ee9
Code: e8 fc 0f 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 8b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff53d0b7ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447ee9
RDX: 0000000000001000 RSI: 0000000020000380 RDI: 0000000000000003
RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc2c
R13: 00007ffe2f9f1e0f R14: 00007ff53d0b89c0 R15: 0000000000000000
Allocated by task 7542:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x68/0x100 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
snd_pcm_plugin_alloc+0x594/0x760 sound/core/oss/pcm_plugin.c:70
snd_pcm_plug_alloc+0x146/0x2f0 sound/core/oss/pcm_plugin.c:129
snd_pcm_oss_change_params_locked+0x210f/0x3750
sound/core/oss/pcm_oss.c:1039
snd_pcm_oss_change_params+0x7b/0xd0 sound/core/oss/pcm_oss.c:1102
snd_pcm_oss_get_active_substream+0x136/0x190 sound/core/oss/pcm_oss.c:1119
snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1769 [inline]
snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1761 [inline]
snd_pcm_oss_ioctl+0x13df/0x3390 sound/core/oss/pcm_oss.c:2609
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 5341:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
security_context_to_sid_core.isra.0+0x2e4/0x5b0
security/selinux/ss/services.c:1504
security_context_to_sid_force+0x3c/0x50 security/selinux/ss/services.c:1566
selinux_inode_post_setxattr+0x119/0x360 security/selinux/hooks.c:3387
security_inode_post_setxattr+0xd1/0x150 security/security.c:760
__vfs_setxattr_noperm+0x343/0x410 fs/xattr.c:183
vfs_setxattr+0xda/0x100 fs/xattr.c:223
setxattr+0x26f/0x380 fs/xattr.c:450
path_setxattr+0x197/0x1b0 fs/xattr.c:469
__do_sys_lsetxattr fs/xattr.c:491 [inline]
__se_sys_lsetxattr fs/xattr.c:487 [inline]
__x64_sys_lsetxattr+0xc1/0x150 fs/xattr.c:487
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809920de80
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
64-byte region [ffff88809920de80, ffff88809920dec0)
The buggy address belongs to the page:
page:ffffea0002648340 count:1 mapcount:0 mapping:ffff88812c31c340 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00023c8fc8 ffff88812c314348 ffff88812c31c340
raw: 0000000000000000 ffff88809920d000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809920dd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88809920de00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff88809920de80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88809920df00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88809920df80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1565d196e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=55e7362a9674c6e2bd5e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ea7aeae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1180d1bce00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+55e736...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x6de/0x940
sound/core/oss/linear.c:88
Read of size 1 at addr ffff88809920dec0 by task syz-executor661/7542
CPU: 1 PID: 7542 Comm: syz-executor661 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
do_convert sound/core/oss/linear.c:48 [inline]
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
linear_transfer+0x6de/0x940 sound/core/oss/linear.c:88
snd_pcm_plug_read_transfer+0x197/0x2e0 sound/core/oss/pcm_plugin.c:651
snd_pcm_oss_read2+0x1f0/0x3f0 sound/core/oss/pcm_oss.c:1475
snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1532 [inline]
snd_pcm_oss_read+0x53a/0x6a0 sound/core/oss/pcm_oss.c:2753
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447ee9
Code: e8 fc 0f 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 8b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff53d0b7ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447ee9
RDX: 0000000000001000 RSI: 0000000020000380 RDI: 0000000000000003
RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc2c
R13: 00007ffe2f9f1e0f R14: 00007ff53d0b89c0 R15: 0000000000000000
Allocated by task 7542:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x68/0x100 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
snd_pcm_plugin_alloc+0x594/0x760 sound/core/oss/pcm_plugin.c:70
snd_pcm_plug_alloc+0x146/0x2f0 sound/core/oss/pcm_plugin.c:129
snd_pcm_oss_change_params_locked+0x210f/0x3750
sound/core/oss/pcm_oss.c:1039
snd_pcm_oss_change_params+0x7b/0xd0 sound/core/oss/pcm_oss.c:1102
snd_pcm_oss_get_active_substream+0x136/0x190 sound/core/oss/pcm_oss.c:1119
snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1769 [inline]
snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1761 [inline]
snd_pcm_oss_ioctl+0x13df/0x3390 sound/core/oss/pcm_oss.c:2609
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 5341:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
security_context_to_sid_core.isra.0+0x2e4/0x5b0
security/selinux/ss/services.c:1504
security_context_to_sid_force+0x3c/0x50 security/selinux/ss/services.c:1566
selinux_inode_post_setxattr+0x119/0x360 security/selinux/hooks.c:3387
security_inode_post_setxattr+0xd1/0x150 security/security.c:760
__vfs_setxattr_noperm+0x343/0x410 fs/xattr.c:183
vfs_setxattr+0xda/0x100 fs/xattr.c:223
setxattr+0x26f/0x380 fs/xattr.c:450
path_setxattr+0x197/0x1b0 fs/xattr.c:469
__do_sys_lsetxattr fs/xattr.c:491 [inline]
__se_sys_lsetxattr fs/xattr.c:487 [inline]
__x64_sys_lsetxattr+0xc1/0x150 fs/xattr.c:487
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809920de80
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
64-byte region [ffff88809920de80, ffff88809920dec0)
The buggy address belongs to the page:
page:ffffea0002648340 count:1 mapcount:0 mapping:ffff88812c31c340 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00023c8fc8 ffff88812c314348 ffff88812c31c340
raw: 0000000000000000 ffff88809920d000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809920dd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88809920de00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff88809920de80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88809920df00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88809920df80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 3, 2019, 10:44:09 PM12/3/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: fbc5fe7a Linux 4.14.157
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14ff859ce00000
kernel config: https://syzkaller.appspot.com/x/.config?x=253d29a660cb0d
dashboard link: https://syzkaller.appspot.com/bug?extid=1a48ee880cb012baefb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffbb74276d4
R13: 00000000004c8fb6 R14: 00000000004e0b70 R15: 0000000000000004
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.0'.
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x5db/0x840
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
sound/core/oss/linear.c:88
Read of size 1 at addr ffff88807ad89d40 by task syz-executor.1/22646
CPU: 1 PID: 22646 Comm: syz-executor.1 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
do_convert sound/core/oss/linear.c:48 [inline]
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
linear_transfer+0x5db/0x840 sound/core/oss/linear.c:88
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
snd_pcm_plug_read_transfer+0x158/0x260 sound/core/oss/pcm_plugin.c:650
snd_pcm_oss_read2+0x1c2/0x370 sound/core/oss/pcm_oss.c:1475
snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1513 [inline]
snd_pcm_oss_read+0x359/0x5d0 sound/core/oss/pcm_oss.c:2753
do_loop_readv_writev fs/read_write.c:695 [inline]
do_loop_readv_writev fs/read_write.c:682 [inline]
do_iter_read+0x3e2/0x5b0 fs/read_write.c:919
vfs_readv+0xd3/0x130 fs/read_write.c:981
do_readv+0x10a/0x2d0 fs/read_write.c:1014
SYSC_readv fs/read_write.c:1101 [inline]
SyS_readv+0x28/0x30 fs/read_write.c:1098
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a679
RSP: 002b:00007f26dc9b6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 0000000000000007 RSI: 0000000020001440 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f26dc9b76d4
R13: 00000000004c89bc R14: 00000000004e0408 R15: 00000000ffffffff
Allocated by task 22646:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x4e/0xe0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
snd_pcm_plugin_alloc+0x4da/0x740 sound/core/oss/pcm_plugin.c:70
snd_pcm_plug_alloc+0x13f/0x300 sound/core/oss/pcm_plugin.c:129
snd_pcm_oss_change_params_locked+0x1d6e/0x32f0
sound/core/oss/pcm_oss.c:1039
snd_pcm_oss_change_params+0x63/0xb0 sound/core/oss/pcm_oss.c:1102
snd_pcm_oss_get_active_substream+0x102/0x150 sound/core/oss/pcm_oss.c:1119
snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1769 [inline]
snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1761 [inline]
snd_pcm_oss_ioctl+0xc2e/0x2e50 sound/core/oss/pcm_oss.c:2609
snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1761 [inline]
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 7308:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
simple_xattrs_free include/linux/xattr.h:98 [inline]
shmem_evict_inode+0x103/0x780 mm/shmem.c:1096
evict+0x2e6/0x630 fs/inode.c:554
iput_final fs/inode.c:1516 [inline]
iput fs/inode.c:1543 [inline]
iput+0x471/0x900 fs/inode.c:1528
dentry_unlink_inode+0x286/0x340 fs/dcache.c:387
__dentry_kill+0x32e/0x580 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x4e3/0x750 fs/dcache.c:847
dput+0x20/0x30 fs/dcache.c:811
SYSC_renameat2 fs/namei.c:4645 [inline]
SyS_renameat2 fs/namei.c:4530 [inline]
SYSC_rename fs/namei.c:4681 [inline]
SyS_rename+0x4a1/0x6d0 fs/namei.c:4679
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88807ad89d00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
64-byte region [ffff88807ad89d00, ffff88807ad89d40)
The buggy address is located 0 bytes to the right of
The buggy address belongs to the page:
page:ffffea0001eb6240 count:1 mapcount:0 mapping:ffff88807ad89000
index:0xffff88807ad89600
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88807ad89000 ffff88807ad89600 0000000100000019
raw: ffffea00027d5c20 ffffea0001f1cda0 ffff8880aa800340 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807ad89c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff88807ad89c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff88807ad89d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff88807ad89d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88807ad89e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
syzbot
Dec 3, 2019, 11:29:08 PM12/3/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1701cb7ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12661b7ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1a48ee...@syzkaller.appspotmail.com
CPU: 0 PID: 11073 Comm: syz-executor388 Not tainted 4.14.157-syzkaller #0
snd_pcm_oss_read+0x482/0x5d0 sound/core/oss/pcm_oss.c:2753
__vfs_read+0x105/0x6a0 fs/read_write.c:411
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_read fs/read_write.c:574 [inline]
SyS_read+0xfd/0x230 fs/read_write.c:567
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44a759
RSP: 002b:00007f52814f0da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a759
RDX: 0000000000000313 RSI: 0000000020000380 RDI: 0000000000000004
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000020000300 R14: 00000000004aea98 R15: 0000000000000000
Allocated by task 11073:
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880a1adfa80
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a1adf000 0000000000000000 0000000100000020
raw: ffffea000280aea0 ffffea00022e11e0 ffff8880aa800340 0000000000000000
ffff8880a1adfa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8880a1adfa80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880a1adfb00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
ffff8880a1adfb80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
HEAD commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=253d29a660cb0d
dashboard link: https://syzkaller.appspot.com/bug?extid=1a48ee880cb012baefb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1660d1bce00000
dashboard link: https://syzkaller.appspot.com/bug?extid=1a48ee880cb012baefb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12661b7ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1a48ee...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x5db/0x840
sound/core/oss/linear.c:88
Read of size 1 at addr ffff8880a1adfac0 by task syz-executor388/11073
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48
[inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81
[inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer
sound/core/oss/linear.c:110 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x5db/0x840
sound/core/oss/linear.c:88
CPU: 0 PID: 11073 Comm: syz-executor388 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
do_convert sound/core/oss/linear.c:48 [inline]
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
linear_transfer+0x5db/0x840 sound/core/oss/linear.c:88
snd_pcm_plug_read_transfer+0x158/0x260 sound/core/oss/pcm_plugin.c:650
snd_pcm_oss_read2+0x1c2/0x370 sound/core/oss/pcm_oss.c:1475
snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1532 [inline]
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
do_convert sound/core/oss/linear.c:48 [inline]
convert sound/core/oss/linear.c:81 [inline]
linear_transfer sound/core/oss/linear.c:110 [inline]
linear_transfer+0x5db/0x840 sound/core/oss/linear.c:88
snd_pcm_plug_read_transfer+0x158/0x260 sound/core/oss/pcm_plugin.c:650
snd_pcm_oss_read2+0x1c2/0x370 sound/core/oss/pcm_oss.c:1475
snd_pcm_oss_read+0x482/0x5d0 sound/core/oss/pcm_oss.c:2753
__vfs_read+0x105/0x6a0 fs/read_write.c:411
vfs_read+0x137/0x350 fs/read_write.c:447
SYSC_read fs/read_write.c:574 [inline]
SyS_read+0xfd/0x230 fs/read_write.c:567
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44a759
RSP: 002b:00007f52814f0da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a759
RDX: 0000000000000313 RSI: 0000000020000380 RDI: 0000000000000004
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000020000300 R14: 00000000004aea98 R15: 0000000000000000
Allocated by task 11073:
(stack is not available)
The buggy address belongs to the object at ffff8880a1adfa80
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
64-byte region [ffff8880a1adfa80, ffff8880a1adfac0)
The buggy address is located 0 bytes to the right of
The buggy address belongs to the page:
page:ffffea000286b7c0 count:1 mapcount:0 mapping:ffff8880a1adf000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a1adf000 0000000000000000 0000000100000020
raw: ffffea000280aea0 ffffea00022e11e0 ffff8880aa800340 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a1adf980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880a1adfa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8880a1adfa80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880a1adfb00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
ffff8880a1adfb80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
syzbot
Jan 3, 2020, 9:05:04 AM1/3/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit c6bebccd3c6293e49a291a3339f1230b3e49630a
Author: Takashi Iwai <ti...@suse.de>
Date: Wed Dec 4 14:48:24 2019 +0000
ALSA: pcm: oss: Avoid potential buffer overflows
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=143796c1e00000
start commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c19e41e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: ALSA: pcm: oss: Avoid potential buffer overflows
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit c6bebccd3c6293e49a291a3339f1230b3e49630a
Author: Takashi Iwai <ti...@suse.de>
Date: Wed Dec 4 14:48:24 2019 +0000
ALSA: pcm: oss: Avoid potential buffer overflows
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=143796c1e00000
start commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=55e7362a9674c6e2bd5e
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11627c82e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=55e7362a9674c6e2bd5e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c19e41e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: ALSA: pcm: oss: Avoid potential buffer overflows
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Jan 10, 2020, 7:14:02 AM1/10/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 2a76606d8a830a02ea3a7aef6f5362ceccb8749f
Author: Takashi Iwai <ti...@suse.de>
Date: Wed Dec 4 14:48:24 2019 +0000
ALSA: pcm: oss: Avoid potential buffer overflows
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117db515e00000
Date: Wed Dec 4 14:48:24 2019 +0000
ALSA: pcm: oss: Avoid potential buffer overflows
start commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=253d29a660cb0d
dashboard link: https://syzkaller.appspot.com/bug?extid=1a48ee880cb012baefb7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15c4781ee00000
dashboard link: https://syzkaller.appspot.com/bug?extid=1a48ee880cb012baefb7
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17d0542ae00000
Reply all
Reply to author
Forward
0 new messages