KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
7 views
Skip to first unread message
syzbot
Apr 14, 2020, 11:06:16 AM4/14/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1120513be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=457897b554d08537
dashboard link: https://syzkaller.appspot.com/bug?extid=e0fcda05934eb7d1c5e5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b7da00100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ffabe0100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e0fcda...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_from_user+0xaf/0x100 lib/usercopy.c:12
Write of size 4096 at addr ffff888093062ec0 by task syz-executor760/7129
CPU: 1 PID: 7129 Comm: syz-executor760 Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
_copy_from_user+0xaf/0x100 lib/usercopy.c:12
copy_from_user include/linux/uaccess.h:147 [inline]
snd_rawmidi_kernel_write1+0x2e3/0x680 sound/core/rawmidi.c:1283
snd_rawmidi_write+0x275/0x970 sound/core/rawmidi.c:1348
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x192/0x4e0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44af19
RSP: 002b:00007f47c691fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044af19
RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f47c6920700 R11: 0000000000000246 R12: 00000000006dcc2c
R13: 00007ffdafa2281f R14: 00007f47c69209c0 R15: 20c49ba5e353f7cf
Allocated by task 7131:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15b/0x7c0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
snd_rawmidi_output_params+0x176/0x440 sound/core/rawmidi.c:653
snd_rawmidi_ioctl+0x51c/0x620 sound/core/rawmidi.c:764
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xfe0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888093062ec0
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [ffff888093062ec0, ffff888093063ec0)
The buggy address belongs to the page:
page:ffffea00024c1880 count:1 mapcount:0 mapping:ffff888093062ec0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888093062ec0 0000000000000000 0000000100000001
raw: ffffea000250f2a0 ffff88812fe54a48 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093063580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888093063600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093063680: 00 00 00 00 00 00 00 00 00 00 00 00 02 fc fc fc
^
ffff888093063700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888093063780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1120513be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=457897b554d08537
dashboard link: https://syzkaller.appspot.com/bug?extid=e0fcda05934eb7d1c5e5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b7da00100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ffabe0100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e0fcda...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_from_user+0xaf/0x100 lib/usercopy.c:12
Write of size 4096 at addr ffff888093062ec0 by task syz-executor760/7129
CPU: 1 PID: 7129 Comm: syz-executor760 Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
_copy_from_user+0xaf/0x100 lib/usercopy.c:12
copy_from_user include/linux/uaccess.h:147 [inline]
snd_rawmidi_kernel_write1+0x2e3/0x680 sound/core/rawmidi.c:1283
snd_rawmidi_write+0x275/0x970 sound/core/rawmidi.c:1348
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x192/0x4e0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44af19
RSP: 002b:00007f47c691fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044af19
RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f47c6920700 R11: 0000000000000246 R12: 00000000006dcc2c
R13: 00007ffdafa2281f R14: 00007f47c69209c0 R15: 20c49ba5e353f7cf
Allocated by task 7131:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15b/0x7c0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
snd_rawmidi_output_params+0x176/0x440 sound/core/rawmidi.c:653
snd_rawmidi_ioctl+0x51c/0x620 sound/core/rawmidi.c:764
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xfe0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888093062ec0
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [ffff888093062ec0, ffff888093063ec0)
The buggy address belongs to the page:
page:ffffea00024c1880 count:1 mapcount:0 mapping:ffff888093062ec0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888093062ec0 0000000000000000 0000000100000001
raw: ffffea000250f2a0 ffff88812fe54a48 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093063580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888093063600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093063680: 00 00 00 00 00 00 00 00 00 00 00 00 02 fc fc fc
^
ffff888093063700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888093063780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Jun 13, 2020, 2:43:04 PM6/13/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 8645ac3684a70e4e8a21c7c407c07a1a4316beec
Author: Takashi Iwai <ti...@suse.de>
Date: Thu May 7 11:44:56 2020 +0000
ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1263963e100000
start commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
#syz fix: ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 8645ac3684a70e4e8a21c7c407c07a1a4316beec
Author: Takashi Iwai <ti...@suse.de>
Date: Thu May 7 11:44:56 2020 +0000
ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1263963e100000
start commit: c10b57a5 Linux 4.14.176
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=457897b554d08537
dashboard link: https://syzkaller.appspot.com/bug?extid=e0fcda05934eb7d1c5e5
dashboard link: https://syzkaller.appspot.com/bug?extid=e0fcda05934eb7d1c5e5
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b7da00100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ffabe0100000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ffabe0100000
#syz fix: ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages