From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933399AbdKGMFb (ORCPT <rfc822;w@1wt.eu>);
        Tue, 7 Nov 2017 07:05:31 -0500
Received: from mail-pg0-f44.google.com ([74.125.83.44]:43822 "EHLO
        mail-pg0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752821AbdKGMFa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Nov 2017 07:05:30 -0500
X-Google-Smtp-Source: ABhQp+Q1VThOYa7NyHYbc2hoXRm7NR2zI5tklOJGTcYbMN5ysNUC0s7eHTU4dzPO1rTas2zn0bwQag==
Date: Tue, 7 Nov 2017 21:05:25 +0900
From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
        Fengguang Wu <fengguang.wu@intel.com>,
        LKML <linux-kernel@vger.kernel.org>, Petr Mladek <pmladek@suse.com>,
        Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
        Steven Rostedt <rostedt@goodmis.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Aleksey Makarov <aleksey.makarov@linaro.org>,
        Ingo Molnar <mingo@kernel.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>,
        Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Alexander Potapenko <glider@google.com>
Subject: Re: [devkmsg_write] BUG: KASAN: slab-out-of-bounds in
 copyin+0xea/0x170
Message-ID: <20171107120525.GB404@jagdpanzerIV>
References: <20171107093921.ulnjqoaycig5qqoy@wfg-t540p.sh.intel.com>
 <20171107104517.GA470@jagdpanzerIV>
 <CACT4Y+Z_MnNzdkYL1sCjJwfzUfbje1_m1ncfLjFTggg0qNipCg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+Z_MnNzdkYL1sCjJwfzUfbje1_m1ncfLjFTggg0qNipCg@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On (11/07/17 12:09), Dmitry Vyukov wrote:
> > On (11/07/17 17:39), Fengguang Wu wrote:
[..]
> > devkmsg_write() does
> >
> >         buf = kmalloc(len+1, GFP_KERNEL);
> >         ...
> >         kfree(buf);
> >
> > kasan reports that this kfree() is actually happening in unpack_to_rootfs(),
> > before we do copy_from_iter_full().
> 
> 
> Please ignore the free stack. For slab-out-of-bound bugs the object is
> not actually freed and KASAN prints the free stack where it was freed
> before it was re-allocated as new object.

ah, ok.

> Can that len+1 overflow? Is it checked?

hm, I don't think it overflows there.

	__kernel_write()
	 __vfs_write()
	  new_sync_write()

__kernel_write() makes sure that if count > MAX_RW_COUNT then
count = MAX_RW_COUNT.

	-ss