KASAN: global-out-of-bounds Read in strscpy
9 views
Skip to first unread message
syzbot
Apr 11, 2019, 8:45:12 AM4/11/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=131973c3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=6caf171483bb4d504fdb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6caf17...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in strscpy+0x20e/0x2c0 lib/string.c:206
Read of size 8 at addr ffffffff8677ad38 by task syz-executor.4/10519
CPU: 0 PID: 10519 Comm: syz-executor.4 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
strscpy+0x20e/0x2c0 lib/string.c:206
prepare_error_buf+0x94/0x1aa0 fs/reiserfs/prints.c:213
__reiserfs_warning+0x9f/0xb0 fs/reiserfs/prints.c:288
reiserfs_getopt fs/reiserfs/super.c:1044 [inline]
reiserfs_parse_options+0xa16/0x1820 fs/reiserfs/super.c:1194
reiserfs_fill_super+0x461/0x2b20 fs/reiserfs/super.c:1946
mount_bdev+0x2c1/0x370 fs/super.c:1134
get_super_block+0x35/0x40 fs/reiserfs/super.c:2605
mount_fs+0x9d/0x2a7 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45ad6a
RSP: 002b:00007f71f4e9ba88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f71f4e9bb40 RCX: 000000000045ad6a
RDX: 00007f71f4e9bae0 RSI: 0000000020000040 RDI: 00007f71f4e9bb00
RBP: 0000000000000009 R08: 00007f71f4e9bb40 R09: 00007f71f4e9bae0
R10: 0000000000000008 R11: 0000000000000206 R12: 0000000000000004
R13: 00000000004c6c84 R14: 00000000004dc660 R15: 00000000ffffffff
The buggy address belongs to the variable:
__func__.31262+0x798/0x3a60
Memory state around the buggy address:
ffffffff8677ac00: fa fa fa fa 00 02 fa fa fa fa fa fa 00 02 fa fa
ffffffff8677ac80: fa fa fa fa 06 fa fa fa fa fa fa fa 07 fa fa fa
> ffffffff8677ad00: fa fa fa fa 00 00 00 02 fa fa fa fa 00 03 fa fa
^
ffffffff8677ad80: fa fa fa fa 00 00 03 fa fa fa fa fa 00 03 fa fa
ffffffff8677ae00: fa fa fa fa 00 03 fa fa fa fa fa fa 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=131973c3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=6caf171483bb4d504fdb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6caf17...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in strscpy+0x20e/0x2c0 lib/string.c:206
Read of size 8 at addr ffffffff8677ad38 by task syz-executor.4/10519
CPU: 0 PID: 10519 Comm: syz-executor.4 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
strscpy+0x20e/0x2c0 lib/string.c:206
prepare_error_buf+0x94/0x1aa0 fs/reiserfs/prints.c:213
__reiserfs_warning+0x9f/0xb0 fs/reiserfs/prints.c:288
reiserfs_getopt fs/reiserfs/super.c:1044 [inline]
reiserfs_parse_options+0xa16/0x1820 fs/reiserfs/super.c:1194
reiserfs_fill_super+0x461/0x2b20 fs/reiserfs/super.c:1946
mount_bdev+0x2c1/0x370 fs/super.c:1134
get_super_block+0x35/0x40 fs/reiserfs/super.c:2605
mount_fs+0x9d/0x2a7 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45ad6a
RSP: 002b:00007f71f4e9ba88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f71f4e9bb40 RCX: 000000000045ad6a
RDX: 00007f71f4e9bae0 RSI: 0000000020000040 RDI: 00007f71f4e9bb00
RBP: 0000000000000009 R08: 00007f71f4e9bb40 R09: 00007f71f4e9bae0
R10: 0000000000000008 R11: 0000000000000206 R12: 0000000000000004
R13: 00000000004c6c84 R14: 00000000004dc660 R15: 00000000ffffffff
The buggy address belongs to the variable:
__func__.31262+0x798/0x3a60
Memory state around the buggy address:
ffffffff8677ac00: fa fa fa fa 00 02 fa fa fa fa fa fa 00 02 fa fa
ffffffff8677ac80: fa fa fa fa 06 fa fa fa fa fa fa fa 07 fa fa fa
> ffffffff8677ad00: fa fa fa fa 00 00 00 02 fa fa fa fa 00 03 fa fa
^
ffffffff8677ad80: fa fa fa fa 00 00 03 fa fa fa fa fa 00 03 fa fa
ffffffff8677ae00: fa fa fa fa 00 03 fa fa fa fa fa fa 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 19, 2019, 4:11:05 PM10/19/19
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages