KASAN: stack-out-of-bounds Read in vsnprintf


syzbot

Jul 5, 2018, 12:59:03 AM7/5/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 2bdea157b999 Merge branch 'sctp-fully-support-for-dscp-and..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16510594400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f62553dc846b0692
dashboard link: https://syzkaller.appspot.com/bug?extid=6c2cea0bde1db71846f4
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: linux-...@vger.kernel.org pml...@suse.com ros...@goodmis.org sergey.se...@gmail.com

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6c2cea...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in vsnprintf+0x18de/0x1b60 lib/vsprintf.c:2267
Read of size 8 at addr ffff880196926508 by task syz-executor3/13702

CPU: 0 PID: 13702 Comm: syz-executor3 Not tainted 4.18.0-rc3+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
vsnprintf+0x18de/0x1b60 lib/vsprintf.c:2267
vscnprintf+0x2d/0x80 lib/vsprintf.c:2370
vprintk_emit+0x1ab/0xdf0 kernel/printk/printk.c:1853
vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
printk+0xa7/0xcf kernel/printk/printk.c:1981
show_fault_oops arch/x86/mm/fault.c:671 [inline]
no_context.cold.36+0x6a/0x98 arch/x86/mm/fault.c:798
__bad_area_nosemaphore+0x33b/0x3f0 arch/x86/mm/fault.c:902
bad_area_nosemaphore+0x33/0x40 arch/x86/mm/fault.c:909
__do_page_fault+0x1db/0xe50 arch/x86/mm/fault.c:1328
do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff8801969269b0 EFLAGS: 00010086
RAX: ffff8801ce90a280 RBX: ffff8801bd7e2080 RCX: 0000000000000000
RDX: 1ffff10039d21450 RSI: 000000007a582700 RDI: ffffffff892a7060
RBP: 1ffff10032d24d36 R08: 1ffff1003457beeb R09: ffffed0039820023
R10: ffffed0039820023 R11: ffff8801cc10011f R12: ffff880100000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801dae2c9c0

The buggy address belongs to the page:
page:ffffea00065a4980 count:0 mapcount:0 mapping:0000000000000000 index:0xffff880196926280
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
raw: ffff880196926280 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff880196926400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880196926480: 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 00 00 00 00
> ffff880196926500: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
^
ffff880196926580: f2 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 00 00 00 00 00
ffff880196926600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Dmitry Vyukov

Jul 5, 2018, 12:15:51 PM7/5/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Actually dup of upstream-reported "KASAN: stack-out-of-bounds Read in
timerqueue_add". But I will dedup them in moderation to not spam
upstream:

#syz dup: BUG: unable to handle kernel paging request in ttwu_do_activate