Open Source and information security mailing list archives
Date:   Tue, 7 Nov 2017 18:05:52 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     linux-fsdevel@...r.kernel.org
Cc:     Jan Kara <jack@...e.cz>, Amir Goldstein <amir73il@...il.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Miklos Szeredi <mszeredi@...hat.com>,
        Nikolay Borisov <n.borisov.lkml@...il.com>,
        linux-kernel@...r.kernel.org
Subject: [inotify_read] BUG: KASAN: slab-out-of-bounds in
 _copy_to_user+0x115/0x1b0

Hello,

FYI this happens in v4.14-rc8 -- it's not necessarily a new bug.

[   10.399545] Freeing unused kernel memory: 824K
[   10.403510] Freeing unused kernel memory: 1436K
[   10.412726] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   10.413605] rodata_test: all tests were successful
[   10.454893] ==================================================================
[   10.456507] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x115/0x1b0
[   10.457976] Read of size 5 at addr ffff880014bdb4ac by task init/1
[   10.459262] 
[   10.459553] CPU: 1 PID: 1 Comm: init Not tainted 4.14.0-rc8 #14
[   10.460345] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   10.461459] Call Trace:
[   10.461860]  dump_stack+0x5d/0x81
[   10.462365]  print_address_description+0xa7/0x280
[   10.463015]  ? _copy_to_user+0x115/0x1b0
[   10.463581]  ? _copy_to_user+0x115/0x1b0
[   10.464155]  kasan_report+0xd3/0x150
[   10.464682]  ? _copy_to_user+0x115/0x1b0
[   10.465247]  _copy_to_user+0x115/0x1b0
[   10.465793]  copy_event_to_user+0x102/0x150
[   10.466465]  inotify_read+0x1d9/0x240
[   10.467003]  ? init_wait_entry+0x30/0x30
[   10.467604]  vfs_read+0x157/0x250
[   10.468101]  SyS_read+0x50/0xc0
[   10.468583]  entry_SYSCALL_64_fastpath+0x1e/0xa9
[   10.469228] RIP: 0033:0x7f0189404d10
[   10.469751] RSP: 002b:00007ffe90c137e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   10.470773] RAX: ffffffffffffffda RBX: 00007f01891e7720 RCX: 00007f0189404d10
[   10.471706] RDX: 0000000000002000 RSI: 0000559436fc0d90 RDI: 0000000000000005
[   10.472634] RBP: 0000000000002041 R08: 0000000000000000 R09: 0000000001000000
[   10.473560] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f01891e7778
[   10.474485] R13: 0000000000002030 R14: 0000559436fc0d50 R15: 0000000000001271
[   10.475408] 
[   10.475698] Allocated by task 151:
[   10.476210]  kasan_kmalloc+0x61/0xf0
[   10.476799]  __kmalloc+0x1ad/0x2e0
[   10.477347]  inotify_handle_event+0x97/0x1a0
[   10.477954]  send_to_group+0xfe/0x160
[   10.478490]  fsnotify+0x158/0x2e0
[   10.478983]  vfs_link+0x29c/0x340
[   10.479484]  SyS_linkat+0x22c/0x300
[   10.479994]  entry_SYSCALL_64_fastpath+0x1e/0xa9
[   10.480638] 
[   10.480928] Freed by task 1:
[   10.481376]  kasan_slab_free+0xac/0x180
[   10.481930]  kfree+0x105/0x310
[   10.482403]  unpack_to_rootfs+0x255/0x2a1
[   10.482973]  populate_rootfs+0x5d/0x86
[   10.483517]  do_one_initcall+0x3b/0x180
[   10.484075]  do_basic_setup+0xb4/0xd0
[   10.484617]  kernel_init_freeable+0x7b/0xed
[   10.485222]  kernel_init+0xe/0x110
[   10.485725]  ret_from_fork+0x25/0x30
[   10.486251] 
[   10.486538] The buggy address belongs to the object at ffff880014bdb480
[   10.486538]  which belongs to the cache kmalloc-64 of size 64
[   10.488137] The buggy address is located 44 bytes inside of
[   10.488137]  64-byte region [ffff880014bdb480, ffff880014bdb4c0)

Attached the full dmesg and kconfig.

Thanks,
Fengguang

View attachment "dmesg-quantal-kbuild-22:20171107065800:x86_64-randconfig-w0-11070616:4.14.0-rc8:14" of type "text/plain" (107923 bytes)

View attachment ".config" of type "text/plain" (147793 bytes)
