WARNING: bad usercopy in filldir

syzbot

Apr 3, 2018, 11:02:03 PM4/3/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
159f02977b2feb18a4bece5e586c838a6d26d44b (Mon Apr 2 15:14:03 2018 +0000)
Merge branch 'net-mvneta-improve-suspend-resume'
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=901de478f3999952a882

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6246070468214784
Kernel config:
https://syzkaller.appspot.com/x/.config?id=9204191589653459864
compiler: gcc (GCC) 7.1.1 20170620
CC: [james...@arm.com kees...@chromium.org keun-...@darkmatter.ae
lab...@redhat.com linux-...@vger.kernel.org linu...@kvack.org
mark.r...@arm.com]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+901de4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
from SLAB object 'dentry(129:syz4)' (offset 160, size 10)!
WARNING: CPU: 0 PID: 4482 at mm/usercopy.c:81 usercopy_warn+0xdb/0x100
mm/usercopy.c:76
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4482 Comm: syz-executor4 Not tainted 4.16.0-rc7+ #292
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x1f4/0x2b0 lib/bug.c:186
fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:usercopy_warn+0xdb/0x100 mm/usercopy.c:76
RSP: 0018:ffff8801a3ad7a78 EFLAGS: 00010282
RAX: dffffc0000000008 RBX: ffffffff880c989c RCX: ffffffff815b423e
RDX: 0000000000000000 RSI: 1ffff1003475aeff RDI: 1ffff1003475aed4
RBP: ffff8801a3ad7ad0 R08: 1ffff1003475ae96 R09: 0000000000000000
R10: 00000000000001ee R11: 0000000000000000 R12: ffff8801d7170340
R13: ffffffff87520940 R14: 00000000000000a0 R15: 000000000000000a
__check_heap_object+0x89/0xc0 mm/slab.c:4427
check_heap_object mm/usercopy.c:236 [inline]
__check_object_size+0x272/0x530 mm/usercopy.c:259
check_object_size include/linux/thread_info.h:112 [inline]
check_copy_size include/linux/thread_info.h:143 [inline]
copy_to_user include/linux/uaccess.h:154 [inline]
filldir+0x196/0x320 fs/readdir.c:196
dir_emit include/linux/fs.h:3367 [inline]
dcache_readdir+0x393/0x5e0 fs/libfs.c:198
iterate_dir+0x1ca/0x530 fs/readdir.c:51
SYSC_getdents fs/readdir.c:231 [inline]
SyS_getdents+0x225/0x450 fs/readdir.c:212
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4537db
RSP: 002b:0000000000a3d980 EFLAGS: 00000202 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 0000000001d18970 RCX: 00000000004537db
RDX: 0000000000008000 RSI: 0000000001d18970 RDI: 0000000000000013
RBP: 0000000001d18970 R08: 0000000000000001 R09: 0000000001d17940
R10: 0000000000000000 R11: 0000000000000202 R12: ffffffffffffffd4
R13: 0000000000000016 R14: 0000000000000ffd R15: 000000000009ae54
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream

syzbot

Feb 22, 2019, 5:34:44 AM2/22/19
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.