lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 31 Mar 2018 13:47:06 -0700
From:   syzbot <syzbot+730517f1d3fbe54a17c7@...kaller.appspotmail.com>
To:     adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        tytso@....edu
Subject: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

Hello,

syzbot hit the following crash on upstream commit
9dd2326890d89a5179967c947dab2bab34d7ddee (Fri Mar 30 17:29:47 2018 +0000)
Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=730517f1d3fbe54a17c7

So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4574925402669056
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5021234647531520
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6042946969272320
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-2760467897697295172
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+730517f1d3fbe54a17c7@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

sshd (4443) used greatest stack depth: 17016 bytes left
sshd (4452) used greatest stack depth: 16888 bytes left
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2de/0x320  
fs/ext4/dir.c:69
Read of size 2 at addr ffff8801d96e1000 by task syzkaller995640/4459

CPU: 0 PID: 4459 Comm: syzkaller995640 Not tainted 4.16.0-rc7+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
  __ext4_check_dir_entry+0x2de/0x320 fs/ext4/dir.c:69
  ext4_readdir+0xd00/0x3600 fs/ext4/dir.c:237
  iterate_dir+0x1ca/0x530 fs/readdir.c:51
  SYSC_getdents64 fs/readdir.c:314 [inline]
  SyS_getdents64+0x221/0x420 fs/readdir.c:295
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd69
RSP: 002b:00007ffd16083d48 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d96e1040
  which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 64 bytes to the left of
  232-byte region [ffff8801d96e1040, ffff8801d96e1128)
The buggy address belongs to the page:
page:ffffea000765b840 count:1 mapcount:0 mapping:ffff8801d96e1040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d96e1040 0000000000000000 000000010000000c
raw: ffffea0007655460 ffff8801d9425c48 ffff8801d9423cc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801d96e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8801d96e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801d96e1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff8801d96e1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801d96e1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

Powered by blists - more mailing lists