From: Eric Biggers <ebiggers@kernel.org>
To: dhowells@redhat.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk,
	syzbot <syzbot+838eb0878ffd51f27c41@syzkaller.appspotmail.com>
Subject: Re: KASAN: slab-out-of-bounds Write in pipe_write
Date: Wed, 4 Dec 2019 23:45:39 -0800	[thread overview]
Message-ID: <20191205074539.GB3237@sol.localdomain> (raw)
In-Reply-To: <000000000000d6c9870598bdf090@google.com>

Hi David,

On Mon, Dec 02, 2019 at 11:54:00AM -0800, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit a194dfe6e6f6f7205eea850a420f2bc6a1541209
> Author: David Howells <dhowells@redhat.com>
> Date:   Fri Sep 20 15:32:19 2019 +0000
> 
>     pipe: Rearrange sequence in pipe_write() to preallocate slot
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16085abce00000
> start commit:   b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=15085abce00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11085abce00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> dashboard link: https://syzkaller.appspot.com/bug?extid=838eb0878ffd51f27c41
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=146a9f86e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1791d82ae00000
> 
> Reported-by: syzbot+838eb0878ffd51f27c41@syzkaller.appspotmail.com
> Fixes: a194dfe6e6f6 ("pipe: Rearrange sequence in pipe_write() to
> preallocate slot")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> 

It looks like the 'mask' variable in pipe_write() is not being updated after the
pipe mutex was dropped in pipe_wait(), to take into account the pipe size
possibly having been changed in the meantime.

BTW, I see that the pipe changes were not in linux-next before being sent to
Linus.  Please do this next time so that syzbot can find the obvious bugs before
they reach mainline.  It's annoying having my system crash on latest mainline
during normal use, due to a bug easily found in < 1 day by an automated system.

- Eric
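The following is an added example, not code from this thread and not the kernel's pipe code: a small user-space C model of the pattern Eric's reply describes, a ring-index mask cached before a lock is dropped and then reused after the ring has been resized underneath the sleeper. The struct and function names (model_ring, writer_slot, setup_scenario and so on) and the concrete sizes (a 16-slot ring shrunk to 4) are invented for illustration; the real pipe_write() path, its locking and the resize bookkeeping are not reproduced here.

```c
/*
 * Added example, not kernel code: a user-space model of a writer that caches
 * mask = ring_size - 1, sleeps without the lock, and resumes after the ring
 * has been shrunk. All names and sizes are invented for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

struct model_ring {
	unsigned int head;	/* next slot a writer fills; only ever grows */
	unsigned int tail;	/* next slot a reader drains */
	unsigned int ring_size;	/* number of slots, always a power of two */
};

/* Model of a resize that happens while the writer is asleep without the lock. */
static void model_resize(struct model_ring *r, unsigned int new_size)
{
	r->ring_size = new_size;
}

/*
 * Slot index the writer will use. 'mask' is the value it cached before
 * sleeping; refresh_mask selects whether it is recomputed from the ring's
 * current size after waking up.
 */
static unsigned int writer_slot(const struct model_ring *r, unsigned int mask,
				bool refresh_mask)
{
	if (refresh_mask)
		mask = r->ring_size - 1;
	return r->head & mask;
}

/* True when the slot index lies outside the ring's current storage. */
static bool slot_out_of_bounds(const struct model_ring *r, unsigned int slot)
{
	return slot >= r->ring_size;
}

/*
 * Constructed scenario: ring of 16 slots, writer caches mask = 15 and sleeps.
 * While it sleeps the ring is shrunk to 4 slots (contents renumbered 0..3,
 * so the ring is full at its new size), then a reader drains one slot.
 * Returns the mask the writer cached before sleeping.
 */
static unsigned int setup_scenario(struct model_ring *r)
{
	unsigned int cached_mask;

	r->head = 0;
	r->tail = 0;
	r->ring_size = 16;
	cached_mask = r->ring_size - 1;	/* cached before dropping the lock */

	model_resize(r, 4);		/* happens while the writer sleeps */
	r->tail = 0;
	r->head = 4;			/* full at the new size */
	r->tail = 1;			/* reader frees one slot */
	return cached_mask;		/* writer wakes up with this stale value */
}

/* Slot the woken writer touches, with or without refreshing the mask. */
static unsigned int scenario_slot(bool refresh_mask)
{
	struct model_ring r;
	unsigned int mask = setup_scenario(&r);

	return writer_slot(&r, mask, refresh_mask);
}

/* Whether that slot is outside the shrunken ring. */
static bool scenario_oob(bool refresh_mask)
{
	struct model_ring r;
	unsigned int mask = setup_scenario(&r);

	return slot_out_of_bounds(&r, writer_slot(&r, mask, refresh_mask));
}

int main(void)
{
	printf("stale mask: slot %u, %s\n", scenario_slot(false),
	       scenario_oob(false) ? "OUT OF BOUNDS" : "in bounds");
	printf("fresh mask: slot %u, %s\n", scenario_slot(true),
	       scenario_oob(true) ? "OUT OF BOUNDS" : "in bounds");
	return 0;
}
```

With the stale mask the writer computes 4 & 15 = 4 against a 4-slot ring, which is exactly the slab-out-of-bounds write KASAN reports in the original post; recomputing the mask from the current ring size after reacquiring the lock gives 4 & 3 = 0, which is in bounds. Any value cached across a lock drop that depends on state the lock protects needs the same treatment.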

Thread overview: 4+ messages
2019-12-02  6:45 KASAN: slab-out-of-bounds Write in pipe_write syzbot
2019-12-02 19:54 ` syzbot
2019-12-05  7:45   ` Eric Biggers [this message]
2019-12-05 16:33   ` David Howells