lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 Mar 2018 13:47:06 -0700 From: syzbot <syzbot+730517f1d3fbe54a17c7@...kaller.appspotmail.com> To: adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, tytso@....edu Subject: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry Hello, syzbot hit the following crash on upstream commit 9dd2326890d89a5179967c947dab2bab34d7ddee (Fri Mar 30 17:29:47 2018 +0000) Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=730517f1d3fbe54a17c7 So far this crash happened 3 times on upstream. C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4574925402669056 syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5021234647531520 Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6042946969272320 Kernel config: https://syzkaller.appspot.com/x/.config?id=-2760467897697295172 compiler: gcc (GCC) 7.1.1 20170620 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+730517f1d3fbe54a17c7@...kaller.appspotmail.com It will help syzbot understand when the bug is fixed. See footer for details. If you forward the report, please keep this part and the footer. sshd (4443) used greatest stack depth: 17016 bytes left sshd (4452) used greatest stack depth: 16888 bytes left ================================================================== BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2de/0x320 fs/ext4/dir.c:69 Read of size 2 at addr ffff8801d96e1000 by task syzkaller995640/4459 CPU: 0 PID: 4459 Comm: syzkaller995640 Not tainted 4.16.0-rc7+ #7 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x23c/0x360 mm/kasan/report.c:412 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431 __ext4_check_dir_entry+0x2de/0x320 fs/ext4/dir.c:69 ext4_readdir+0xd00/0x3600 fs/ext4/dir.c:237 iterate_dir+0x1ca/0x530 fs/readdir.c:51 SYSC_getdents64 fs/readdir.c:314 [inline] SyS_getdents64+0x221/0x420 fs/readdir.c:295 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x43fd69 RSP: 002b:00007ffd16083d48 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69 RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690 R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8801d96e1040 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 64 bytes to the left of 232-byte region [ffff8801d96e1040, ffff8801d96e1128) The buggy address belongs to the page: page:ffffea000765b840 count:1 mapcount:0 mapping:ffff8801d96e1040 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801d96e1040 0000000000000000 000000010000000c raw: ffffea0007655460 ffff8801d9425c48 ffff8801d9423cc0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d96e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d96e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff8801d96e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d96e1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d96e1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== --- This bug is generated by a dumb bot. It may contain errors. See https://goo.gl/tpsmEJ for details. Direct all questions to syzkaller@...glegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title If you want to test a patch for this bug, please reply with: #syz test: git://repo/address.git branch and provide the patch inline or as an attachment. To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body.
Powered by blists - more mailing lists