KASAN: global-out-of-bounds Read in prepare_error_buf
25 views
Skip to first unread message
syzbot
Apr 22, 2019, 9:27:05 PM4/22/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12901e03200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=9580f005128a8186f67b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9580f0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in strscpy+0x20e/0x2c0 lib/string.c:206
Read of size 8 at addr ffffffff8677b340 by task syz-executor.0/7602
CPU: 1 PID: 7602 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
strscpy+0x20e/0x2c0 lib/string.c:206
prepare_error_buf+0x94/0x1aa0 fs/reiserfs/prints.c:213
__reiserfs_warning+0x9f/0xb0 fs/reiserfs/prints.c:288
reiserfs_getopt fs/reiserfs/super.c:1070 [inline]
reiserfs_parse_options+0xafa/0x1820 fs/reiserfs/super.c:1194
reiserfs_fill_super+0x461/0x2b20 fs/reiserfs/super.c:1946
mount_bdev+0x2c1/0x370 fs/super.c:1134
get_super_block+0x35/0x40 fs/reiserfs/super.c:2605
mount_fs+0x9d/0x2a7 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b69a
RSP: 002b:00007f3d1b95aa88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f3d1b95ab40 RCX: 000000000045b69a
RDX: 00007f3d1b95aae0 RSI: 0000000020000100 RDI: 00007f3d1b95ab00
RBP: 0000000000000000 R08: 00007f3d1b95ab40 R09: 00007f3d1b95aae0
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
R13: 00000000004c782d R14: 00000000004dd880 R15: 00000000ffffffff
The buggy address belongs to the variable:
__func__.31266+0xa20/0x3a60
Memory state around the buggy address:
ffffffff8677b200: 00 06 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
ffffffff8677b280: 00 00 00 00 06 fa fa fa fa fa fa fa 00 03 fa fa
> ffffffff8677b300: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
^
ffffffff8677b380: 00 03 fa fa fa fa fa fa 00 00 00 01 fa fa fa fa
ffffffff8677b400: 00 03 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
==================================================================
bond0: Releasing backup interface bond_slave_1
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12901e03200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=9580f005128a8186f67b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9580f0...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in strscpy+0x20e/0x2c0 lib/string.c:206
Read of size 8 at addr ffffffff8677b340 by task syz-executor.0/7602
CPU: 1 PID: 7602 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
strscpy+0x20e/0x2c0 lib/string.c:206
prepare_error_buf+0x94/0x1aa0 fs/reiserfs/prints.c:213
__reiserfs_warning+0x9f/0xb0 fs/reiserfs/prints.c:288
reiserfs_getopt fs/reiserfs/super.c:1070 [inline]
reiserfs_parse_options+0xafa/0x1820 fs/reiserfs/super.c:1194
reiserfs_fill_super+0x461/0x2b20 fs/reiserfs/super.c:1946
mount_bdev+0x2c1/0x370 fs/super.c:1134
get_super_block+0x35/0x40 fs/reiserfs/super.c:2605
mount_fs+0x9d/0x2a7 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b69a
RSP: 002b:00007f3d1b95aa88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f3d1b95ab40 RCX: 000000000045b69a
RDX: 00007f3d1b95aae0 RSI: 0000000020000100 RDI: 00007f3d1b95ab00
RBP: 0000000000000000 R08: 00007f3d1b95ab40 R09: 00007f3d1b95aae0
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
R13: 00000000004c782d R14: 00000000004dd880 R15: 00000000ffffffff
The buggy address belongs to the variable:
__func__.31266+0xa20/0x3a60
Memory state around the buggy address:
ffffffff8677b200: 00 06 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
ffffffff8677b280: 00 00 00 00 06 fa fa fa fa fa fa fa 00 03 fa fa
> ffffffff8677b300: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
^
ffffffff8677b380: 00 03 fa fa fa fa fa fa 00 00 00 01 fa fa fa fa
ffffffff8677b400: 00 03 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
==================================================================
bond0: Releasing backup interface bond_slave_1
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 29, 2019, 1:57:03 AM10/29/19
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages