* KASAN: null-ptr-deref Read in xattr_getsecurity
@ 2018-04-10 8:36 syzbot
2018-04-10 10:13 ` Tetsuo Handa
0 siblings, 1 reply; 8+ messages in thread
From: syzbot @ 2018-04-10 8:36 UTC (permalink / raw)
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot hit the following crash on upstream commit
fd40ffc72e2f74c7db61e400903e7d50a88bc0b0 (Mon Apr 9 18:36:05 2018 +0000)
selinux: fix missing dput() before selinuxfs unmount
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=9369930ca44f29e60e2d
So far this crash happened 41 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5421128315043840
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-771321277174894814
compiler: gcc (GCC) 8.0.1 20180301 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
R13: 0000000000000098 R14: 00000000006f3ee0 R15: 0000000000000002
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: null-ptr-deref in xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251
Read of size 20 at addr 0000000000000000 by task syz-executor5/12111
CPU: 0 PID: 12111 Comm: syz-executor5 Not tainted 4.16.0+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report.cold.7+0x13b/0x2f5 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
memcpy+0x23/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:345 [inline]
xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251
vfs_getxattr+0xf2/0x160 fs/xattr.c:333
getxattr+0x139/0x2c0 fs/xattr.c:540
SYSC_fgetxattr fs/xattr.c:598 [inline]
SyS_fgetxattr+0x109/0x190 fs/xattr.c:589
do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455259
RSP: 002b:00007f20bc46fc68 EFLAGS: 00000246 ORIG_RAX: 00000000000000c1
RAX: ffffffffffffffda RBX: 00007f20bc4706d4 RCX: 0000000000455259
RDX: 0000000020000280 RSI: 00000000200002c0 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffff27 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000098 R14: 00000000006f3ee0 R15: 0000000000000002
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 8:36 KASAN: null-ptr-deref Read in xattr_getsecurity syzbot
@ 2018-04-10 10:13 ` Tetsuo Handa
2018-04-10 14:42 ` Eric W. Biederman
2018-04-10 14:45 ` Serge E. Hallyn
0 siblings, 2 replies; 8+ messages in thread
From: Tetsuo Handa @ 2018-04-10 10:13 UTC (permalink / raw)
To: syzbot, Serge E. Hallyn, Eric W. Biederman
Cc: linux-fsdevel, linux-kernel, syzkaller-bugs, viro
>From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 10 Apr 2018 15:15:16 +0900
Subject: [PATCH] commoncap: Handle memory allocation failure.
syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
memory allocation failed. Return -ENOMEM if memory allocation failed.
[1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
Reported-by: syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com>
Cc: stable <stable@vger.kernel.org> # 4.14+
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
---
security/commoncap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/commoncap.c b/security/commoncap.c
index 48620c9..1ce701f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
magic |= VFS_CAP_FLAGS_EFFECTIVE;
memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
cap->magic_etc = cpu_to_le32(magic);
+ } else {
+ size = -ENOMEM;
}
}
kfree(tmpbuf);
--
1.8.3.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 10:13 ` Tetsuo Handa
@ 2018-04-10 14:42 ` Eric W. Biederman
2018-04-10 14:48 ` Serge E. Hallyn
` (2 more replies)
2018-04-10 14:45 ` Serge E. Hallyn
1 sibling, 3 replies; 8+ messages in thread
From: Eric W. Biederman @ 2018-04-10 14:42 UTC (permalink / raw)
To: Tetsuo Handa
Cc: syzbot, Serge E. Hallyn, linux-fsdevel, linux-kernel,
syzkaller-bugs, viro, linux-security-module
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Tue, 10 Apr 2018 15:15:16 +0900
> Subject: [PATCH] commoncap: Handle memory allocation failure.
>
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Tetsuo I can pick this up, or do you have preferred path for getting
this change merged?
Serge does this fix look ok to you? I am a bit worried that
might be a bit brittler but I don't see any issues with this change.
Eric
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com>
> Cc: stable <stable@vger.kernel.org> # 4.14+
> Cc: Serge E. Hallyn <serge@hallyn.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 10:13 ` Tetsuo Handa
2018-04-10 14:42 ` Eric W. Biederman
@ 2018-04-10 14:45 ` Serge E. Hallyn
1 sibling, 0 replies; 8+ messages in thread
From: Serge E. Hallyn @ 2018-04-10 14:45 UTC (permalink / raw)
To: Tetsuo Handa
Cc: syzbot, Serge E. Hallyn, Eric W. Biederman, linux-fsdevel,
linux-kernel, syzkaller-bugs, viro
On Tue, Apr 10, 2018 at 07:13:23PM +0900, Tetsuo Handa wrote:
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com>
> Cc: stable <stable@vger.kernel.org> # 4.14+
> Cc: Serge E. Hallyn <serge@hallyn.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
thanks!
-serge
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 14:42 ` Eric W. Biederman
@ 2018-04-10 14:48 ` Serge E. Hallyn
2018-04-10 21:00 ` Tetsuo Handa
2018-04-10 23:20 ` James Morris
2 siblings, 0 replies; 8+ messages in thread
From: Serge E. Hallyn @ 2018-04-10 14:48 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Tetsuo Handa, syzbot, Serge E. Hallyn, linux-fsdevel,
linux-kernel, syzkaller-bugs, viro, linux-security-module
On Tue, Apr 10, 2018 at 09:42:50AM -0500, Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
>
> Serge does this fix look ok to you? I am a bit worried that
yup, looks good to me. would have replied an hour or two ago but lacked
an lkml-acceptable mailer :)
thanks,
serge
> might be a bit brittler but I don't see any issues with this change.
>
> Eric
>
>
> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> > Reported-by: syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com>
> > Cc: stable <stable@vger.kernel.org> # 4.14+
> > Cc: Serge E. Hallyn <serge@hallyn.com>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > ---
> > security/commoncap.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 48620c9..1ce701f 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> > magic |= VFS_CAP_FLAGS_EFFECTIVE;
> > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> > cap->magic_etc = cpu_to_le32(magic);
> > + } else {
> > + size = -ENOMEM;
> > }
> > }
> > kfree(tmpbuf);
> > --
> > 1.8.3.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 14:42 ` Eric W. Biederman
2018-04-10 14:48 ` Serge E. Hallyn
@ 2018-04-10 21:00 ` Tetsuo Handa
2018-04-25 11:01 ` Tetsuo Handa
2018-04-10 23:20 ` James Morris
2 siblings, 1 reply; 8+ messages in thread
From: Tetsuo Handa @ 2018-04-10 21:00 UTC (permalink / raw)
To: ebiederm
Cc: syzbot+9369930ca44f29e60e2d, serge, linux-fsdevel, linux-kernel,
syzkaller-bugs, viro, linux-security-module
Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
I don't have preferred path. You can pick this up. Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 14:42 ` Eric W. Biederman
2018-04-10 14:48 ` Serge E. Hallyn
2018-04-10 21:00 ` Tetsuo Handa
@ 2018-04-10 23:20 ` James Morris
2 siblings, 0 replies; 8+ messages in thread
From: James Morris @ 2018-04-10 23:20 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Tetsuo Handa, syzbot, Serge E. Hallyn, linux-fsdevel,
linux-kernel, syzkaller-bugs, viro, linux-security-module
On Tue, 10 Apr 2018, Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
>
It can go via my tree if needed, but otherwise:
Acked-by: James Morris <james.morris@microsoft.com>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: null-ptr-deref Read in xattr_getsecurity
2018-04-10 21:00 ` Tetsuo Handa
@ 2018-04-25 11:01 ` Tetsuo Handa
0 siblings, 0 replies; 8+ messages in thread
From: Tetsuo Handa @ 2018-04-25 11:01 UTC (permalink / raw)
To: syzbot+9369930ca44f29e60e2d, syzkaller-bugs
Cc: ebiederm, serge, linux-fsdevel, linux-kernel, viro,
linux-security-module
OK. Patch was sent to linux.git as 1f5781725dcbb026.
#syz fix: commoncap: Handle memory allocation failure.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-04-25 11:01 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-10 8:36 KASAN: null-ptr-deref Read in xattr_getsecurity syzbot
2018-04-10 10:13 ` Tetsuo Handa
2018-04-10 14:42 ` Eric W. Biederman
2018-04-10 14:48 ` Serge E. Hallyn
2018-04-10 21:00 ` Tetsuo Handa
2018-04-25 11:01 ` Tetsuo Handa
2018-04-10 23:20 ` James Morris
2018-04-10 14:45 ` Serge E. Hallyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).