KASAN: slab-out-of-bounds Write in tomoyo_realpath_from_path


syzbot

Oct 14, 2020, 9:52:17 PM10/14/20
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: da690031 Merge branch 'i2c/for-current' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10dd32ab900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c06bcf3cc963d91c
dashboard link: https://syzkaller.appspot.com/bug?extid=4dacccc3e2cbb08001d6
compiler: gcc (GCC) 10.1.0-syz 20200507
CC: [jmo...@namei.org linux-...@vger.kernel.org linux-secu...@vger.kernel.org penguin...@I-love.SAKURA.ne.jp se...@hallyn.com take...@nttdata.co.jp]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4daccc...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in tomoyo_realpath_from_path+0x50c/0x620 security/tomoyo/realpath.c:258
Write of size 1 at addr ffff88805f02170d by task syz-executor.1/6925

CPU: 0 PID: 6925 Comm: syz-executor.1 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
tomoyo_realpath_from_path+0x50c/0x620 security/tomoyo/realpath.c:258
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
tomoyo_path_unlink+0x8e/0xd0 security/tomoyo/tomoyo.c:150
security_path_unlink+0xd7/0x150 security/security.c:1100
do_unlinkat+0x375/0x660 fs/namei.c:3893
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45dba7
Code: 00 66 90 b8 58 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:000000000169ecb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045dba7
RDX: 000000000169ecd0 RSI: 000000000169ecd0 RDI: 000000000169ed60
RBP: 000000000000133e R08: 0000000000000000 R09: 0000000000000011
R10: 000000000000000a R11: 0000000000000246 R12: 000000000169fdf0
R13: 0000000002d9aa60 R14: 0000000000000000 R15: 000000000169fdf0

Allocated by task 0:
(stack is not available)

Freed by task 20236:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3422 [inline]
kfree+0x10e/0x2b0 mm/slab.c:3760
skb_free_head net/core/skbuff.c:590 [inline]
skb_release_data+0x6d9/0x910 net/core/skbuff.c:610
skb_release_all net/core/skbuff.c:664 [inline]
__kfree_skb net/core/skbuff.c:678 [inline]
consume_skb net/core/skbuff.c:838 [inline]
consume_skb+0xc2/0x160 net/core/skbuff.c:832
nsim_dev_trap_report drivers/net/netdevsim/dev.c:574 [inline]
nsim_dev_trap_report_work+0x86f/0xbd0 drivers/net/netdevsim/dev.c:599
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88805f020000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1805 bytes to the right of
4096-byte region [ffff88805f020000, ffff88805f021000)
The buggy address belongs to the page:
page:00000000a930402c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5f020
head:00000000a930402c order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00006e7488 ffffea00025c0808 ffff8880aa040900
raw: 0000000000000000 ffff88805f020000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88805f021600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88805f021680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88805f021700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88805f021780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805f021800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
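The report above gives the faulting address, the object's 4096-byte region and one line of KASAN shadow memory, but no legend. The following is an added example, not part of the syzbot report or the kernel tree: it decodes that shadow line the way KASAN itself does (generic mode, one shadow byte per 8 bytes of memory; the poison values follow mm/kasan/kasan.h of 5.9-era kernels) and checks the "1805 bytes to the right" figure. The addresses and shadow line are copied from the report; the helper names (`parse_shadow_line`, `shadow_for`, `kasan_decode`, `report_shadow_byte`, `report_overshoot`) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic-mode KASAN: one shadow byte covers 8 bytes of kernel memory,
 * and one "Memory state" line of a report shows 16 shadow bytes. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_BYTES_PER_LINE 16

/* Values copied from the syzbot report above. */
#define REPORT_BAD_ADDR  0xffff88805f02170dULL
#define REPORT_OBJ_START 0xffff88805f020000ULL
#define REPORT_OBJ_END   0xffff88805f021000ULL
static const char REPORT_SHADOW_LINE[] =
    ">ffff88805f021700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc";

/* Meaning of a shadow byte (poison values as in mm/kasan/kasan.h, v5.9). */
static const char *kasan_decode(uint8_t shadow)
{
    if (shadow == 0x00)
        return "addressable";
    if (shadow >= 0x01 && shadow <= 0x07)
        return "partially addressable (only the first N bytes valid)";
    switch (shadow) {
    case 0xff: return "freed page";
    case 0xfe: return "page redzone";
    case 0xfc: return "kmalloc redzone (slab-out-of-bounds)";
    case 0xfb: return "freed kmalloc object (use-after-free)";
    case 0xfa: return "global redzone";
    case 0xf9: return "vmalloc invalid";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xca: return "alloca left redzone";
    case 0xcb: return "alloca right redzone";
    default:   return "unknown poison value";
    }
}

/* Parse "[>]<addr>: b0 b1 ... b15" into the line's base address and its
 * 16 shadow bytes. Returns 0 on success, -1 on a malformed line. */
static int parse_shadow_line(const char *line, uint64_t *base,
                             uint8_t shadow[KASAN_SHADOW_BYTES_PER_LINE])
{
    const char *p = line;
    char *end;

    if (*p == '>')
        p++;
    *base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    p = end + 1;
    for (int i = 0; i < KASAN_SHADOW_BYTES_PER_LINE; i++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;
        shadow[i] = (uint8_t)v;
        p = end;
    }
    return 0;
}

/* Shadow byte covering 'addr' on a parsed line (a line spans 128 bytes of
 * memory), or -1 if the address is outside the line. */
static int shadow_for(uint64_t line_base, const uint8_t shadow[KASAN_SHADOW_BYTES_PER_LINE],
                      uint64_t addr)
{
    uint64_t span = (uint64_t)KASAN_SHADOW_BYTES_PER_LINE << KASAN_SHADOW_SCALE_SHIFT;

    if (addr < line_base || addr >= line_base + span)
        return -1;
    return shadow[(addr - line_base) >> KASAN_SHADOW_SCALE_SHIFT];
}

/* Bytes past the end of the object region; negative if still inside. */
static long long overshoot(uint64_t addr, uint64_t region_end)
{
    return (long long)(addr - region_end);
}

/* The report's faulting write, located on the quoted shadow line. */
static int report_shadow_byte(void)
{
    uint64_t base;
    uint8_t shadow[KASAN_SHADOW_BYTES_PER_LINE];

    if (parse_shadow_line(REPORT_SHADOW_LINE, &base, shadow) != 0)
        return -1;
    return shadow_for(base, shadow, REPORT_BAD_ADDR);
}

/* How far past the 4096-byte object the report's write landed. */
static long long report_overshoot(void)
{
    return overshoot(REPORT_BAD_ADDR, REPORT_OBJ_END);
}

int main(void)
{
    int s = report_shadow_byte();

    printf("write of 1 byte at %#llx: %lld bytes past [%#llx, %#llx)\n",
           (unsigned long long)REPORT_BAD_ADDR, report_overshoot(),
           (unsigned long long)REPORT_OBJ_START, (unsigned long long)REPORT_OBJ_END);
    if (s < 0) {
        puts("faulting address is not covered by the quoted shadow line");
        return 1;
    }
    printf("shadow byte 0x%02x: %s\n", s, kasan_decode((uint8_t)s));
    return 0;
}
```

Run against the report's numbers, the decoder lands on the second shadow byte of the `>` line (0xfc, kmalloc redzone), which is what the `^` marker points at, and recovers the 1805-byte overshoot from the region end. What it cannot tell you is which object the write was meant for: with "Allocated by task 0: (stack is not available)" the report only says where the byte landed, and the "Freed by" stack (an skb head freed from netdevsim) is the previous occupant of that slab memory, not necessarily the buffer `tomoyo_realpath_from_path()` was writing into.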

syzbot

Jan 8, 2021, 8:48:13 PM1/8/21
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.