KASAN: stack-out-of-bounds Read in keyctl_pkey_params_get
6 views
Skip to first unread message
syzbot
Jan 2, 2019, 12:31:03 PM1/2/19
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: f12e840c819b Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142768d7400000
kernel config: https://syzkaller.appspot.com/x/.config?x=76d28549be7c27cf
dashboard link: https://syzkaller.appspot.com/bug?extid=d26e2253353658caded1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
CC: [dhow...@redhat.com jmo...@namei.org
keyr...@vger.kernel.org linux-...@vger.kernel.org
linux-secu...@vger.kernel.org se...@hallyn.com]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d26e22...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in keyctl_pkey_params_parse
security/keys/keyctl_pkey.c:56 [inline]
BUG: KASAN: stack-out-of-bounds in keyctl_pkey_params_get+0x4c7/0x550
security/keys/keyctl_pkey.c:96
Read of size 1 at addr ffff888089aefc90 by task syz-executor4/11760
CPU: 0 PID: 11760 Comm: syz-executor4 Not tainted 4.20.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Error parsing options; rc = [-22]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
keyctl_pkey_params_get+0x4c7/0x550 security/keys/keyctl_pkey.c:96
keyctl_pkey_query+0xb8/0x2a0 security/keys/keyctl_pkey.c:173
__do_compat_sys_keyctl security/keys/compat.c:147 [inline]
__se_compat_sys_keyctl security/keys/compat.c:59 [inline]
__ia32_compat_sys_keyctl+0x152/0x420 security/keys/compat.c:59
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x333/0xf98 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fee869
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5fea0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000226bbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff02260101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888089aefb80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff888089aefc00: 00 00 00 f2 00 00 00 f2 f2 f2 00 00 00 00 00 00
> ffff888089aefc80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888089aefd00: 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00
ffff888089aefd80: 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
==================================================================
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
CPU: 0 PID: 11765 Comm: syz-executor3 Tainted: G B 4.20.0+ #2
Error parsing options; rc = [-22]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0xa/0x15 lib/fault-inject.c:149
Error parsing options; rc = [-22]
__should_failslab+0x121/0x190 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1603
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc mm/slab.c:3365 [inline]
kmem_cache_alloc+0x2be/0x710 mm/slab.c:3539
vm_area_alloc+0x7a/0x1d0 kernel/fork.c:336
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot found the following crash on:
HEAD commit: f12e840c819b Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142768d7400000
kernel config: https://syzkaller.appspot.com/x/.config?x=76d28549be7c27cf
dashboard link: https://syzkaller.appspot.com/bug?extid=d26e2253353658caded1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
CC: [dhow...@redhat.com jmo...@namei.org
keyr...@vger.kernel.org linux-...@vger.kernel.org
linux-secu...@vger.kernel.org se...@hallyn.com]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d26e22...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in keyctl_pkey_params_parse
security/keys/keyctl_pkey.c:56 [inline]
BUG: KASAN: stack-out-of-bounds in keyctl_pkey_params_get+0x4c7/0x550
security/keys/keyctl_pkey.c:96
Read of size 1 at addr ffff888089aefc90 by task syz-executor4/11760
CPU: 0 PID: 11760 Comm: syz-executor4 Not tainted 4.20.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Error parsing options; rc = [-22]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
keyctl_pkey_params_get+0x4c7/0x550 security/keys/keyctl_pkey.c:96
keyctl_pkey_query+0xb8/0x2a0 security/keys/keyctl_pkey.c:173
__do_compat_sys_keyctl security/keys/compat.c:147 [inline]
__se_compat_sys_keyctl security/keys/compat.c:59 [inline]
__ia32_compat_sys_keyctl+0x152/0x420 security/keys/compat.c:59
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x333/0xf98 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fee869
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5fea0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000226bbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff02260101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888089aefb80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff888089aefc00: 00 00 00 f2 00 00 00 f2 f2 f2 00 00 00 00 00 00
> ffff888089aefc80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888089aefd00: 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00
ffff888089aefd80: 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
==================================================================
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
CPU: 0 PID: 11765 Comm: syz-executor3 Tainted: G B 4.20.0+ #2
Error parsing options; rc = [-22]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
ecryptfs_parse_options: You must supply at least one valid auth tok
signature as a mount parameter; see the eCryptfs README
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0xa/0x15 lib/fault-inject.c:149
Error parsing options; rc = [-22]
__should_failslab+0x121/0x190 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1603
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc mm/slab.c:3365 [inline]
kmem_cache_alloc+0x2be/0x710 mm/slab.c:3539
vm_area_alloc+0x7a/0x1d0 kernel/fork.c:336
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
Dmitry Vyukov
Jan 2, 2019, 1:38:37 PM1/2/19
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation, Eric Biggers
FTR this seems to be what's being discussed here:
https://groups.google.com/d/msg/syzkaller-bugs/STZ2U-ww_1k/y-zf5rmgFQAJ
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/0000000000009a0bc0057e7d0203%40google.com.
> For more options, visit https://groups.google.com/d/optout.
https://groups.google.com/d/msg/syzkaller-bugs/STZ2U-ww_1k/y-zf5rmgFQAJ
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/0000000000009a0bc0057e7d0203%40google.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages