KASAN: global-out-of-bounds Read in do_blockdev_direct_IO
7 views
Skip to first unread message
syzbot
Oct 30, 2019, 4:29:09 AM10/30/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1404d3e0e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=8de2e06d1f9cda58c4d5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=131df648e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cf4898e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8de2e0...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1572420328.038:36): avc: denied { map } for
pid=6893 comm="syz-executor752" path="/root/syz-executor752021065"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __read_once_size
include/linux/compiler.h:183 [inline]
BUG: KASAN: global-out-of-bounds in compound_head
include/linux/page-flags.h:147 [inline]
BUG: KASAN: global-out-of-bounds in get_page include/linux/mm.h:833 [inline]
BUG: KASAN: global-out-of-bounds in submit_page_section fs/direct-io.c:890
[inline]
BUG: KASAN: global-out-of-bounds in do_direct_IO fs/direct-io.c:1097
[inline]
BUG: KASAN: global-out-of-bounds in do_blockdev_direct_IO+0x70c1/0x7fd0
fs/direct-io.c:1336
Read of size 8 at addr ffffffff885d3380 by task syz-executor752/6893
CPU: 0 PID: 6893 Comm: syz-executor752 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
compound_head include/linux/page-flags.h:147 [inline]
get_page include/linux/mm.h:833 [inline]
submit_page_section fs/direct-io.c:890 [inline]
do_direct_IO fs/direct-io.c:1097 [inline]
do_blockdev_direct_IO+0x70c1/0x7fd0 fs/direct-io.c:1336
__blockdev_direct_IO+0xa1/0xca fs/direct-io.c:1422
ext4_direct_IO_write fs/ext4/inode.c:3703 [inline]
ext4_direct_IO+0x70d/0x1890 fs/ext4/inode.c:3833
generic_file_direct_write+0x1e7/0x430 mm/filemap.c:2949
__generic_file_write_iter+0x2bc/0x5b0 mm/filemap.c:3128
ext4_file_write_iter+0x2ac/0xe90 fs/ext4/file.c:268
call_write_iter include/linux/fs.h:1777 [inline]
do_iter_readv_writev+0x418/0x670 fs/read_write.c:675
do_iter_write fs/read_write.c:954 [inline]
do_iter_write+0x154/0x540 fs/read_write.c:935
vfs_iter_write+0x77/0xb0 fs/read_write.c:967
iter_file_splice_write+0x572/0xad0 fs/splice.c:749
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440309
RSP: 002b:00007fff13a831c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
__key.65489+0x20/0x40
Memory state around the buggy address:
ffffffff885d3280: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
ffffffff885d3300: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
> ffffffff885d3380: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
^
ffffffff885d3400: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
ffffffff885d3480: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1404d3e0e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=8de2e06d1f9cda58c4d5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=131df648e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cf4898e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8de2e0...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1572420328.038:36): avc: denied { map } for
pid=6893 comm="syz-executor752" path="/root/syz-executor752021065"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __read_once_size
include/linux/compiler.h:183 [inline]
BUG: KASAN: global-out-of-bounds in compound_head
include/linux/page-flags.h:147 [inline]
BUG: KASAN: global-out-of-bounds in get_page include/linux/mm.h:833 [inline]
BUG: KASAN: global-out-of-bounds in submit_page_section fs/direct-io.c:890
[inline]
BUG: KASAN: global-out-of-bounds in do_direct_IO fs/direct-io.c:1097
[inline]
BUG: KASAN: global-out-of-bounds in do_blockdev_direct_IO+0x70c1/0x7fd0
fs/direct-io.c:1336
Read of size 8 at addr ffffffff885d3380 by task syz-executor752/6893
CPU: 0 PID: 6893 Comm: syz-executor752 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
compound_head include/linux/page-flags.h:147 [inline]
get_page include/linux/mm.h:833 [inline]
submit_page_section fs/direct-io.c:890 [inline]
do_direct_IO fs/direct-io.c:1097 [inline]
do_blockdev_direct_IO+0x70c1/0x7fd0 fs/direct-io.c:1336
__blockdev_direct_IO+0xa1/0xca fs/direct-io.c:1422
ext4_direct_IO_write fs/ext4/inode.c:3703 [inline]
ext4_direct_IO+0x70d/0x1890 fs/ext4/inode.c:3833
generic_file_direct_write+0x1e7/0x430 mm/filemap.c:2949
__generic_file_write_iter+0x2bc/0x5b0 mm/filemap.c:3128
ext4_file_write_iter+0x2ac/0xe90 fs/ext4/file.c:268
call_write_iter include/linux/fs.h:1777 [inline]
do_iter_readv_writev+0x418/0x670 fs/read_write.c:675
do_iter_write fs/read_write.c:954 [inline]
do_iter_write+0x154/0x540 fs/read_write.c:935
vfs_iter_write+0x77/0xb0 fs/read_write.c:967
iter_file_splice_write+0x572/0xad0 fs/splice.c:749
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440309
RSP: 002b:00007fff13a831c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
__key.65489+0x20/0x40
Memory state around the buggy address:
ffffffff885d3280: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
ffffffff885d3300: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
> ffffffff885d3380: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
^
ffffffff885d3400: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
ffffffff885d3480: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Nov 22, 2019, 4:53:01 AM11/22/19
to syzkaller...@googlegroups.com
syzbot has bisected this bug to:
commit 5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9
Author: Eric Dumazet <edum...@google.com>
Date: Thu Nov 19 05:03:33 2015 +0000
tcp: fix potential huge kmalloc() calls in TCP_REPAIR
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10f93fbae00000
start commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=12f93fbae00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14f93fbae00000
Fixes: 5d4c9bfbabdb ("tcp: fix potential huge kmalloc() calls in
TCP_REPAIR")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9
Author: Eric Dumazet <edum...@google.com>
Date: Thu Nov 19 05:03:33 2015 +0000
tcp: fix potential huge kmalloc() calls in TCP_REPAIR
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10f93fbae00000
start commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=12f93fbae00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14f93fbae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=8de2e06d1f9cda58c4d5
dashboard link: https://syzkaller.appspot.com/bug?extid=8de2e06d1f9cda58c4d5
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=131df648e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cf4898e00000
Reported-by: syzbot+8de2e0...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cf4898e00000
Fixes: 5d4c9bfbabdb ("tcp: fix potential huge kmalloc() calls in
TCP_REPAIR")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages