From: syzbot <syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com>
To: aarcange@redhat.com, akpm@linux-foundation.org, hughd@google.com,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
mhocko@suse.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz,
viro@zeniv.linux.org.uk, yang.shi@linux.alibaba.com
Subject: KASAN: slab-out-of-bounds Write in mpol_parse_str
Date: Tue, 14 Jan 2020 18:24:11 -0800 [thread overview]
Message-ID: <0000000000006a8b8f059c24672a@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: e69ec487 Merge branch 'for-linus' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=143045c6e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=18698c0c240ba616
dashboard link: https://syzkaller.appspot.com/bug?extid=e64a13c5369a194d67df
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ddc8d1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15851c85e00000
The bug was bisected to:
commit 626c3920aeb4575f53c96b0d4ad4e651a21cbb66
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon Sep 9 00:28:06 2019 +0000
shmem_parse_one(): switch to use of fs_parse()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1643b3fee00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=1543b3fee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1143b3fee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
Fixes: 626c3920aeb4 ("shmem_parse_one(): switch to use of fs_parse()")
==================================================================
BUG: KASAN: slab-out-of-bounds in mpol_parse_str+0x87b/0xa50
mm/mempolicy.c:2922
Write of size 1 at addr ffff8880a4513abf by task syz-executor950/9591
CPU: 0 PID: 9591 Comm: syz-executor950 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
mpol_parse_str+0x87b/0xa50 mm/mempolicy.c:2922
shmem_parse_one+0x71e/0xa40 mm/shmem.c:3472
vfs_parse_fs_param+0x2ca/0x540 fs/fs_context.c:145
vfs_parse_fs_string+0x105/0x170 fs/fs_context.c:188
shmem_parse_options+0x168/0x250 mm/shmem.c:3522
parse_monolithic_mount_data+0x69/0x90 fs/fs_context.c:704
do_new_mount fs/namespace.c:2818 [inline]
do_mount+0x1310/0x1b50 fs/namespace.c:3142
__do_sys_mount fs/namespace.c:3351 [inline]
__se_sys_mount fs/namespace.c:3328 [inline]
__x64_sys_mount+0x192/0x230 fs/namespace.c:3328
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446a9a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d ae fb ff c3 66 2e 0f
1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5a ae fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007fffb59b03c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fffb59b03d0 RCX: 0000000000446a9a
RDX: 00007fffb59b03d0 RSI: 00000000200000c0 RDI: 00007fffb59b03f0
RBP: 0000000000000003 R08: 00007fffb59b0430 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000297 R12: 00007fffb59b0430
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 9564:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x163/0x770 mm/slab.c:3665
kmalloc include/linux/slab.h:561 [inline]
tomoyo_add_entry security/tomoyo/common.c:2031 [inline]
tomoyo_supervisor+0xd3e/0xef0 security/tomoyo/common.c:2103
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_permission+0x263/0x360 security/tomoyo/file.c:573
tomoyo_path_perm+0x318/0x430 security/tomoyo/file.c:838
tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
security_inode_getattr+0xf2/0x150 security/security.c:1222
vfs_getattr+0x25/0x70 fs/stat.c:115
vfs_statx_fd+0x71/0xc0 fs/stat.c:145
vfs_fstat include/linux/fs.h:3265 [inline]
__do_sys_newfstat+0x9b/0x120 fs/stat.c:378
__se_sys_newfstat fs/stat.c:375 [inline]
__x64_sys_newfstat+0x54/0x80 fs/stat.c:375
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9564:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:335 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
tomoyo_add_entry security/tomoyo/common.c:2045 [inline]
tomoyo_supervisor+0xc2c/0xef0 security/tomoyo/common.c:2103
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_permission+0x263/0x360 security/tomoyo/file.c:573
tomoyo_path_perm+0x318/0x430 security/tomoyo/file.c:838
tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
security_inode_getattr+0xf2/0x150 security/security.c:1222
vfs_getattr+0x25/0x70 fs/stat.c:115
vfs_statx_fd+0x71/0xc0 fs/stat.c:145
vfs_fstat include/linux/fs.h:3265 [inline]
__do_sys_newfstat+0x9b/0x120 fs/stat.c:378
__se_sys_newfstat fs/stat.c:375 [inline]
__x64_sys_newfstat+0x54/0x80 fs/stat.c:375
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a4513a80
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 31 bytes to the right of
32-byte region [ffff8880a4513a80, ffff8880a4513aa0)
The buggy address belongs to the page:
page:ffffea00029144c0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0
index:0xffff8880a4513fc1
raw: 00fffe0000000200 ffffea0002a2e388 ffffea0002581cc8 ffff8880aa4001c0
raw: ffff8880a4513fc1 ffff8880a4513000 0000000100000028 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4513980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880a4513a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8880a4513a80: fb fb fb fb fc fc fc fc 00 05 fc fc fc fc fc fc
^
ffff8880a4513b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880a4513b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
next reply other threads:[~2020-01-15 2:24 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-15 2:24 syzbot [this message]
2020-01-15 2:24 ` KASAN: slab-out-of-bounds Write in mpol_parse_str syzbot
2020-01-15 5:54 ` [PATCH] mm/mempolicy.c: Fix out of bounds write in mpol_parse_str() Dan Carpenter
2020-01-15 12:54 ` Vlastimil Babka
2020-01-15 12:57 ` Dmitry Vyukov
2020-01-15 12:57 ` Dmitry Vyukov
2020-01-15 15:03 ` Michal Hocko
2020-01-15 15:14 ` Dmitry Vyukov
2020-01-15 15:14 ` Dmitry Vyukov
2020-01-15 19:05 ` Michal Hocko
2020-01-16 5:41 ` Dmitry Vyukov
2020-01-16 5:41 ` Dmitry Vyukov
2020-01-16 7:39 ` Michal Hocko
2020-01-16 10:13 ` Dmitry Vyukov
2020-01-16 10:13 ` Dmitry Vyukov
2020-01-16 11:51 ` Michal Hocko
2020-01-16 12:41 ` Dmitry Vyukov
2020-01-16 12:41 ` Dmitry Vyukov
2020-01-16 14:05 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000006a8b8f059c24672a@google.com \
--to=syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=yang.shi@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.