KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
6 views
Skip to first unread message
syzbot
Sep 11, 2019, 4:57:07 AM9/11/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e2cd24b6 Linux 4.14.143
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15096495600000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcb6107bcdc0039
dashboard link: https://syzkaller.appspot.com/bug?extid=b9e2e1efdc969e74853b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b9e2e1...@syzkaller.appspotmail.com
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff48409e6d4
R13: 00000000004c90ca R14: 00000000004df570 R15: 0000000000000006
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28
[inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff88808a120000 by task syz-executor.1/14489
CPU: 0 PID: 14489 Comm: syz-executor.1 Not tainted 4.14.143 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
memcpy_dir crypto/scatterwalk.c:28 [inline]
scatterwalk_copychunks+0x260/0x6b0 crypto/scatterwalk.c:43
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0xef/0x150 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x906/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x434/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x157/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x92/0xf0 net/socket.c:3406
sock_sendpage+0x8b/0xc0 net/socket.c:871
kasan: CONFIG_KASAN_INLINE enabled
pipe_to_sendpage+0x242/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
kasan: GPF could be caused by NULL-ptr deref or user memory access
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4598e9
RSP: 002b:00007ff706847c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007ff706847c90 RCX: 00000000004598e9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff7068486d4
R13: 00000000004c90ca R14: 00000000004df570 R15: 0000000000000006
Allocated by task 6783:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
general protection fault: 0000 [#1] PREEMPT SMP KASAN
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
Modules linked in:
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
CPU: 1 PID: 14497 Comm: syz-executor.3 Not tainted 4.14.143 #0
getname_flags fs/namei.c:138 [inline]
getname_flags+0xcb/0x580 fs/namei.c:128
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
user_path_at_empty+0x2f/0x50 fs/namei.c:2630
task: ffff8880580f2040 task.stack: ffff88805ba68000
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:86 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline]
RIP: 0010:scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55
vfs_lstat include/linux/fs.h:3065 [inline]
SYSC_newlstat+0x95/0x100 fs/stat.c:350
RSP: 0018:ffff88805ba6f648 EFLAGS: 00010202
SyS_newlstat+0x1e/0x30 fs/stat.c:344
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
RAX: dffffc0000000000 RBX: 000000000000401d RCX: ffffc9000a277000
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RDX: 0000000000000002 RSI: ffffffff82d55c09 RDI: ffff88805ce3c3d8
Freed by task 6783:
RBP: ffff88805ba6f6b8 R08: 1ffff1100b2c6800 R09: ffffed100b2c6804
R10: ffffed100b2c6803 R11: ffff88805963401c R12: 000000000000401d
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
R13: 0000000000000000 R14: ffff88805ba6f710 R15: 0000000000001000
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
FS: 00007ff48409e700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
CR2: 00007ffd32336638 CR3: 0000000093c05000 CR4: 00000000001406e0
putname+0xdb/0x120 fs/namei.c:259
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
filename_lookup+0x23a/0x380 fs/namei.c:2385
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
user_path_at_empty+0x43/0x50 fs/namei.c:2630
Call Trace:
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
vfs_lstat include/linux/fs.h:3065 [inline]
SYSC_newlstat+0x95/0x100 fs/stat.c:350
SyS_newlstat+0x1e/0x30 fs/stat.c:344
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
gcmaes_encrypt.constprop.0+0x2e9/0xb90
arch/x86/crypto/aesni-intel_glue.c:802
The buggy address belongs to the object at ffff88808a120500
which belongs to the cache names_cache of size 4096
The buggy address is located 1280 bytes to the left of
4096-byte region [ffff88808a120500, ffff88808a121500)
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
The buggy address belongs to the page:
page:ffffea0002284800 count:1 mapcount:0 mapping:ffff88808a120500 index:0x0
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0xef/0x150 arch/x86/crypto/aesni-intel_glue.c:945
compound_mapcount: 0
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x906/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x434/0xb50 net/tls/tls_sw.c:617
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff88808a120500 0000000000000000 0000000100000001
raw: ffffea0002457ea0 ffffea000242d3a0 ffff8880aa9e0cc0 0000000000000000
page dumped because: kasan: bad access detected
inet_sendpage+0x157/0x580 net/ipv4/af_inet.c:779
Memory state around the buggy address:
kernel_sendpage+0x92/0xf0 net/socket.c:3406
ffff88808a11ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808a11ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sock_sendpage+0x8b/0xc0 net/socket.c:871
> ffff88808a120000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
pipe_to_sendpage+0x242/0x340 fs/splice.c:451
ffff88808a120080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808a120100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: e2cd24b6 Linux 4.14.143
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15096495600000
kernel config: https://syzkaller.appspot.com/x/.config?x=dcb6107bcdc0039
dashboard link: https://syzkaller.appspot.com/bug?extid=b9e2e1efdc969e74853b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b9e2e1...@syzkaller.appspotmail.com
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff48409e6d4
R13: 00000000004c90ca R14: 00000000004df570 R15: 0000000000000006
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28
[inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff88808a120000 by task syz-executor.1/14489
CPU: 0 PID: 14489 Comm: syz-executor.1 Not tainted 4.14.143 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
memcpy_dir crypto/scatterwalk.c:28 [inline]
scatterwalk_copychunks+0x260/0x6b0 crypto/scatterwalk.c:43
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0xef/0x150 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x906/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x434/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x157/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x92/0xf0 net/socket.c:3406
sock_sendpage+0x8b/0xc0 net/socket.c:871
kasan: CONFIG_KASAN_INLINE enabled
pipe_to_sendpage+0x242/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
kasan: GPF could be caused by NULL-ptr deref or user memory access
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4598e9
RSP: 002b:00007ff706847c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007ff706847c90 RCX: 00000000004598e9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff7068486d4
R13: 00000000004c90ca R14: 00000000004df570 R15: 0000000000000006
Allocated by task 6783:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
general protection fault: 0000 [#1] PREEMPT SMP KASAN
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
Modules linked in:
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
CPU: 1 PID: 14497 Comm: syz-executor.3 Not tainted 4.14.143 #0
getname_flags fs/namei.c:138 [inline]
getname_flags+0xcb/0x580 fs/namei.c:128
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
user_path_at_empty+0x2f/0x50 fs/namei.c:2630
task: ffff8880580f2040 task.stack: ffff88805ba68000
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:86 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline]
RIP: 0010:scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55
vfs_lstat include/linux/fs.h:3065 [inline]
SYSC_newlstat+0x95/0x100 fs/stat.c:350
RSP: 0018:ffff88805ba6f648 EFLAGS: 00010202
SyS_newlstat+0x1e/0x30 fs/stat.c:344
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
RAX: dffffc0000000000 RBX: 000000000000401d RCX: ffffc9000a277000
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RDX: 0000000000000002 RSI: ffffffff82d55c09 RDI: ffff88805ce3c3d8
Freed by task 6783:
RBP: ffff88805ba6f6b8 R08: 1ffff1100b2c6800 R09: ffffed100b2c6804
R10: ffffed100b2c6803 R11: ffff88805963401c R12: 000000000000401d
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
R13: 0000000000000000 R14: ffff88805ba6f710 R15: 0000000000001000
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
FS: 00007ff48409e700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
CR2: 00007ffd32336638 CR3: 0000000093c05000 CR4: 00000000001406e0
putname+0xdb/0x120 fs/namei.c:259
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
filename_lookup+0x23a/0x380 fs/namei.c:2385
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
user_path_at_empty+0x43/0x50 fs/namei.c:2630
Call Trace:
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
vfs_lstat include/linux/fs.h:3065 [inline]
SYSC_newlstat+0x95/0x100 fs/stat.c:350
SyS_newlstat+0x1e/0x30 fs/stat.c:344
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
gcmaes_encrypt.constprop.0+0x2e9/0xb90
arch/x86/crypto/aesni-intel_glue.c:802
The buggy address belongs to the object at ffff88808a120500
which belongs to the cache names_cache of size 4096
The buggy address is located 1280 bytes to the left of
4096-byte region [ffff88808a120500, ffff88808a121500)
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
The buggy address belongs to the page:
page:ffffea0002284800 count:1 mapcount:0 mapping:ffff88808a120500 index:0x0
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0xef/0x150 arch/x86/crypto/aesni-intel_glue.c:945
compound_mapcount: 0
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x906/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x434/0xb50 net/tls/tls_sw.c:617
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff88808a120500 0000000000000000 0000000100000001
raw: ffffea0002457ea0 ffffea000242d3a0 ffff8880aa9e0cc0 0000000000000000
page dumped because: kasan: bad access detected
inet_sendpage+0x157/0x580 net/ipv4/af_inet.c:779
Memory state around the buggy address:
kernel_sendpage+0x92/0xf0 net/socket.c:3406
ffff88808a11ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808a11ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sock_sendpage+0x8b/0xc0 net/socket.c:871
> ffff88808a120000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
pipe_to_sendpage+0x242/0x340 fs/splice.c:451
ffff88808a120080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808a120100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 25, 2019, 2:27:08 PM9/25/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=140a854d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177465e3600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b9e2e1...@syzkaller.appspotmail.com
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
CPU: 1 PID: 6826 Comm: syz-executor020 Not tainted 4.14.146 #0
RSP: 002b:00007ffcccb335f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007ffcccb33610 RCX: 0000000000440679
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 3568:
alloc_inode+0x64/0x180 fs/inode.c:209
new_inode_pseudo+0x19/0xf0 fs/inode.c:891
new_inode+0x1f/0x40 fs/inode.c:920
shmem_get_inode+0x75/0x750 mm/shmem.c:2172
shmem_mknod+0x5a/0x1d0 mm/shmem.c:3030
shmem_create+0x2b/0x40 mm/shmem.c:3090
lookup_open+0x11a6/0x1860 fs/namei.c:3240
do_last fs/namei.c:3331 [inline]
path_openat+0xfca/0x3f70 fs/namei.c:3566
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_sys_open+0x2c5/0x430 fs/open.c:1084
SYSC_open fs/open.c:1102 [inline]
SyS_open+0x2d/0x40 fs/open.c:1097
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff88808bacd000
which belongs to the cache shmem_inode_cache of size 1200
The buggy address is located 0 bytes inside of
1200-byte region [ffff88808bacd000, ffff88808bacd4b0)
index:0xffff88808bacdffd
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88808bacd000 ffff88808bacdffd 0000000100000003
raw: ffffea00022e9120 ffffea00022d6ea0 ffff8880aa9e03c0 0000000000000000
ffff88808bacd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88808bacd480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
^
ffff88808bacd500: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
ffff88808bacd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=140a854d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=b9e2e1efdc969e74853b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f1e94d600000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177465e3600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b9e2e1...@syzkaller.appspotmail.com
RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28
[inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff88808bacd000 by task syz-executor020/6826
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28
[inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
CPU: 1 PID: 6826 Comm: syz-executor020 Not tainted 4.14.146 #0
pipe_to_sendpage+0x242/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x348/0x780 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440679
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd92/0x1430 fs/splice.c:1382
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RSP: 002b:00007ffcccb335f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007ffcccb33610 RCX: 0000000000440679
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 3568:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
shmem_alloc_inode+0x1c/0x50 mm/shmem.c:3882
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
alloc_inode+0x64/0x180 fs/inode.c:209
new_inode_pseudo+0x19/0xf0 fs/inode.c:891
new_inode+0x1f/0x40 fs/inode.c:920
shmem_get_inode+0x75/0x750 mm/shmem.c:2172
shmem_mknod+0x5a/0x1d0 mm/shmem.c:3030
shmem_create+0x2b/0x40 mm/shmem.c:3090
lookup_open+0x11a6/0x1860 fs/namei.c:3240
do_last fs/namei.c:3331 [inline]
path_openat+0xfca/0x3f70 fs/namei.c:3566
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_sys_open+0x2c5/0x430 fs/open.c:1084
SYSC_open fs/open.c:1102 [inline]
SyS_open+0x2d/0x40 fs/open.c:1097
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff88808bacd000
which belongs to the cache shmem_inode_cache of size 1200
The buggy address is located 0 bytes inside of
1200-byte region [ffff88808bacd000, ffff88808bacd4b0)
The buggy address belongs to the page:
page:ffffea00022eb340 count:1 mapcount:0 mapping:ffff88808bacd000
index:0xffff88808bacdffd
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88808bacd000 ffff88808bacdffd 0000000100000003
raw: ffffea00022e9120 ffffea00022d6ea0 ffff8880aa9e03c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808bacd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808bacd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88808bacd480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
^
ffff88808bacd500: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
ffff88808bacd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Reply all
Reply to author
Forward
0 new messages