All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com>
To: aarcange@redhat.com, akpm@linux-foundation.org, hughd@google.com,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	mhocko@suse.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz,
	viro@zeniv.linux.org.uk, yang.shi@linux.alibaba.com
Subject: KASAN: slab-out-of-bounds Write in mpol_parse_str
Date: Tue, 14 Jan 2020 18:24:11 -0800	[thread overview]
Message-ID: <0000000000006a8b8f059c24672a@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    e69ec487 Merge branch 'for-linus' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=143045c6e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=18698c0c240ba616
dashboard link: https://syzkaller.appspot.com/bug?extid=e64a13c5369a194d67df
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ddc8d1e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15851c85e00000

The bug was bisected to:

commit 626c3920aeb4575f53c96b0d4ad4e651a21cbb66
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Mon Sep 9 00:28:06 2019 +0000

     shmem_parse_one(): switch to use of fs_parse()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1643b3fee00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=1543b3fee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1143b3fee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
Fixes: 626c3920aeb4 ("shmem_parse_one(): switch to use of fs_parse()")

==================================================================
BUG: KASAN: slab-out-of-bounds in mpol_parse_str+0x87b/0xa50  
mm/mempolicy.c:2922
Write of size 1 at addr ffff8880a4513abf by task syz-executor950/9591

CPU: 0 PID: 9591 Comm: syz-executor950 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x197/0x210 lib/dump_stack.c:118
  print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
  __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
  kasan_report+0x12/0x20 mm/kasan/common.c:639
  __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
  mpol_parse_str+0x87b/0xa50 mm/mempolicy.c:2922
  shmem_parse_one+0x71e/0xa40 mm/shmem.c:3472
  vfs_parse_fs_param+0x2ca/0x540 fs/fs_context.c:145
  vfs_parse_fs_string+0x105/0x170 fs/fs_context.c:188
  shmem_parse_options+0x168/0x250 mm/shmem.c:3522
  parse_monolithic_mount_data+0x69/0x90 fs/fs_context.c:704
  do_new_mount fs/namespace.c:2818 [inline]
  do_mount+0x1310/0x1b50 fs/namespace.c:3142
  __do_sys_mount fs/namespace.c:3351 [inline]
  __se_sys_mount fs/namespace.c:3328 [inline]
  __x64_sys_mount+0x192/0x230 fs/namespace.c:3328
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446a9a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d ae fb ff c3 66 2e 0f  
1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 5a ae fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007fffb59b03c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fffb59b03d0 RCX: 0000000000446a9a
RDX: 00007fffb59b03d0 RSI: 00000000200000c0 RDI: 00007fffb59b03f0
RBP: 0000000000000003 R08: 00007fffb59b0430 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000297 R12: 00007fffb59b0430
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 9564:
  save_stack+0x23/0x90 mm/kasan/common.c:72
  set_track mm/kasan/common.c:80 [inline]
  __kasan_kmalloc mm/kasan/common.c:513 [inline]
  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
  __do_kmalloc mm/slab.c:3656 [inline]
  __kmalloc+0x163/0x770 mm/slab.c:3665
  kmalloc include/linux/slab.h:561 [inline]
  tomoyo_add_entry security/tomoyo/common.c:2031 [inline]
  tomoyo_supervisor+0xd3e/0xef0 security/tomoyo/common.c:2103
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_path_permission+0x263/0x360 security/tomoyo/file.c:573
  tomoyo_path_perm+0x318/0x430 security/tomoyo/file.c:838
  tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
  security_inode_getattr+0xf2/0x150 security/security.c:1222
  vfs_getattr+0x25/0x70 fs/stat.c:115
  vfs_statx_fd+0x71/0xc0 fs/stat.c:145
  vfs_fstat include/linux/fs.h:3265 [inline]
  __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
  __se_sys_newfstat fs/stat.c:375 [inline]
  __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9564:
  save_stack+0x23/0x90 mm/kasan/common.c:72
  set_track mm/kasan/common.c:80 [inline]
  kasan_set_free_info mm/kasan/common.c:335 [inline]
  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
  __cache_free mm/slab.c:3426 [inline]
  kfree+0x10a/0x2c0 mm/slab.c:3757
  tomoyo_add_entry security/tomoyo/common.c:2045 [inline]
  tomoyo_supervisor+0xc2c/0xef0 security/tomoyo/common.c:2103
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_path_permission+0x263/0x360 security/tomoyo/file.c:573
  tomoyo_path_perm+0x318/0x430 security/tomoyo/file.c:838
  tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
  security_inode_getattr+0xf2/0x150 security/security.c:1222
  vfs_getattr+0x25/0x70 fs/stat.c:115
  vfs_statx_fd+0x71/0xc0 fs/stat.c:145
  vfs_fstat include/linux/fs.h:3265 [inline]
  __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
  __se_sys_newfstat fs/stat.c:375 [inline]
  __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a4513a80
  which belongs to the cache kmalloc-32 of size 32
The buggy address is located 31 bytes to the right of
  32-byte region [ffff8880a4513a80, ffff8880a4513aa0)
The buggy address belongs to the page:
page:ffffea00029144c0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0  
index:0xffff8880a4513fc1
raw: 00fffe0000000200 ffffea0002a2e388 ffffea0002581cc8 ffff8880aa4001c0
raw: ffff8880a4513fc1 ffff8880a4513000 0000000100000028 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8880a4513980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
  ffff8880a4513a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8880a4513a80: fb fb fb fb fc fc fc fc 00 05 fc fc fc fc fc fc
                                         ^
  ffff8880a4513b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
  ffff8880a4513b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

             reply	other threads:[~2020-01-15  2:24 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-15  2:24 syzbot [this message]
2020-01-15  2:24 ` KASAN: slab-out-of-bounds Write in mpol_parse_str syzbot
2020-01-15  5:54 ` [PATCH] mm/mempolicy.c: Fix out of bounds write in mpol_parse_str() Dan Carpenter
2020-01-15 12:54   ` Vlastimil Babka
2020-01-15 12:57     ` Dmitry Vyukov
2020-01-15 12:57       ` Dmitry Vyukov
2020-01-15 15:03       ` Michal Hocko
2020-01-15 15:14         ` Dmitry Vyukov
2020-01-15 15:14           ` Dmitry Vyukov
2020-01-15 19:05           ` Michal Hocko
2020-01-16  5:41             ` Dmitry Vyukov
2020-01-16  5:41               ` Dmitry Vyukov
2020-01-16  7:39               ` Michal Hocko
2020-01-16 10:13                 ` Dmitry Vyukov
2020-01-16 10:13                   ` Dmitry Vyukov
2020-01-16 11:51                   ` Michal Hocko
2020-01-16 12:41                     ` Dmitry Vyukov
2020-01-16 12:41                       ` Dmitry Vyukov
2020-01-16 14:05                       ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000006a8b8f059c24672a@google.com \
    --to=syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com \
    --cc=aarcange@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=hughd@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@suse.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vbabka@suse.cz \
    --cc=viro@zeniv.linux.org.uk \
    --cc=yang.shi@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.