All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com>
To: casey@schaufler-ca.com, jmorris@namei.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, serge@hallyn.com,
	syzkaller-bugs@googlegroups.com
Subject: KASAN: slab-out-of-bounds Read in vsscanf
Date: Thu, 26 Mar 2020 18:20:14 -0700	[thread overview]
Message-ID: <0000000000004fa25e05a1cbe763@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    1b649e0b Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11044405e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
dashboard link: https://syzkaller.appspot.com/bug?extid=bfdd4a2f07be52351350
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13819303e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13eaed4be00000

Bisection is inconclusive: the bug happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=150e6ac5e00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=170e6ac5e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=130e6ac5e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
Read of size 1 at addr ffff888093622f42 by task syz-executor055/7117

CPU: 1 PID: 7117 Comm: syz-executor055 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x25/0x50 mm/kasan/common.c:641
 vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
 sscanf+0x6c/0x90 lib/vsprintf.c:3481
 smk_set_cipso+0x1ac/0x6a0 security/smack/smackfs.c:881
 __vfs_write+0xa7/0x710 fs/read_write.c:494
 vfs_write+0x271/0x570 fs/read_write.c:558
 ksys_write+0x115/0x220 fs/read_write.c:611
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4401b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd20456888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
RDX: 0000000000000001 RSI: 00000000200005c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401a40
R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7117:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671
 memdup_user_nul+0x26/0xf0 mm/util.c:259
 smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859
 __vfs_write+0xa7/0x710 fs/read_write.c:494
 vfs_write+0x271/0x570 fs/read_write.c:558
 ksys_write+0x115/0x220 fs/read_write.c:611
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 tomoyo_path_perm+0x59b/0x740 security/tomoyo/file.c:842
 security_inode_getattr+0xc0/0x140 security/security.c:1254
 vfs_getattr+0x27/0x6e0 fs/stat.c:117
 vfs_statx fs/stat.c:201 [inline]
 vfs_lstat include/linux/fs.h:3277 [inline]
 __do_sys_newlstat fs/stat.c:364 [inline]
 __se_sys_newlstat+0x85/0x140 fs/stat.c:358
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888093622f40
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 2 bytes inside of
 32-byte region [ffff888093622f40, ffff888093622f60)
The buggy address belongs to the page:
page:ffffea00024d8880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888093622fc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000271b988 ffffea00028ae488 ffff8880aa4001c0
raw: ffff888093622fc1 ffff888093622000 0000000100000039 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093622e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888093622e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>ffff888093622f00: fb fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
                                           ^
 ffff888093622f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888093623000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

             reply	other threads:[~2020-03-27  1:20 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-27  1:20 syzbot [this message]
     [not found] <20200327082738.9012-1-hdanton@sina.com>
2020-03-27 16:16 ` KASAN: slab-out-of-bounds Read in vsscanf Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000004fa25e05a1cbe763@google.com \
    --to=syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.