Date:   Thu, 28 Jun 2018 22:48:51 +0300
From:   Anatoly Trosinenko <anatoly.trosinenko@...il.com>
To:     Jan Kara <jack@...e.com>
Cc:     linux-kernel@...r.kernel.org
Subject: [UDF] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80

Mounting a broken UDF image causes a KASAN warning on v4.18-rc2.

How to reproduce:
1. Compile v4.18-rc2 kernel with the attached config
2. Unpack and mount the attached FS image as UDF

What happens:
[   24.002776] UDF-fs: warning (device sda): udf_fill_super: No fileset found
[   24.003207] ==================================================================
[   24.003402] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80
[   24.003584] Read of size 8 at addr ffff880067e82100 by task exe/1090
[   24.003684]
[   24.004030] CPU: 0 PID: 1090 Comm: exe Not tainted 4.18.0-rc2 #1
[   24.004146] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   24.004420] Call Trace:
[   24.004629]  dump_stack+0xae/0x14b
[   24.004736]  ? show_regs_print_info+0x5/0x5
[   24.004815]  ? printk+0x97/0xbe
[   24.004876]  ? kmsg_dump_rewind_nolock+0xf0/0xf0
[   24.004950]  ? __switch_to_asm+0x40/0x70
[   24.005018]  ? iput+0x8df/0xa80
[   24.005076]  print_address_description+0x75/0x3e0
[   24.005157]  ? iput+0x8df/0xa80
[   24.005217]  kasan_report+0x1d8/0x460
[   24.005284]  ? __switch_to_asm+0x40/0x70
[   24.005353]  ? iput+0x8df/0xa80
[   24.005412]  iput+0x8df/0xa80
[   24.005472]  ? __sched_text_start+0x8/0x8
[   24.005540]  ? inode_add_lru+0x280/0x280
[   24.005610]  ? inode_add_lru+0x280/0x280
[   24.005676]  ? kmsg_dump_rewind_nolock+0xf0/0xf0
[   24.005753]  ? submit_bio+0x97/0x480
[   24.005825]  ? submit_bio+0x97/0x480
[   24.005890]  ? bio_alloc_bioset+0x224/0x680
[   24.005964]  ? _udf_warn+0x104/0x190
[   24.006027]  ? apic_timer_interrupt+0xa/0x20
[   24.006107]  udf_sb_free_partitions+0x4e1/0x9b0
[   24.006190]  udf_fill_super+0xe00/0x1ed0
[   24.006265]  ? udf_load_vrs+0xc80/0xc80
[   24.006331]  ? strspn+0x230/0x250
[   24.006394]  ? vsnprintf+0x587/0x1380
[   24.006461]  ? pointer+0x790/0x790
[   24.006522]  ? rcu_note_context_switch+0x4e3/0x500
[   24.006603]  ? udf_load_vrs+0xc80/0xc80
[   24.006669]  ? snprintf+0x8f/0xc0
[   24.006729]  ? vsprintf+0x10/0x10
[   24.006791]  ? udf_load_vrs+0xc80/0xc80
[   24.006861]  ? udf_load_vrs+0xc80/0xc80
[   24.006925]  mount_bdev+0x25e/0x330
[   24.006993]  mount_fs+0x59/0x330
[   24.007059]  vfs_kern_mount.part.8+0xba/0x460
[   24.007136]  ? unlock_mount+0x190/0x190
[   24.007207]  ? __get_fs_type+0x82/0xe0
[   24.007276]  do_mount+0xe13/0x34f0
[   24.007345]  ? copy_mount_string+0x20/0x20
[   24.007417]  ? strndup_user+0x42/0xb0
[   24.007479]  ? save_stack+0x89/0xb0
[   24.007541]  ? __kmalloc_track_caller+0x11a/0x360
[   24.007614]  ? memdup_user+0x23/0x60
[   24.007673]  ? strndup_user+0x42/0xb0
[   24.007733]  ? ksys_mount+0x49/0xd0
[   24.007793]  ? __x64_sys_mount+0xbe/0x170
[   24.007857]  ? do_syscall_64+0x13c/0x520
[   24.007921]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.008014]  ? d_move+0xf0/0xf0
[   24.008077]  ? selinux_inode_getattr+0x19f/0x260
[   24.008153]  ? selinux_sctp_assoc_request+0x9e0/0x9e0
[   24.008233]  ? kmem_cache_alloc+0xfa/0x2d0
[   24.008304]  ? _copy_to_user+0x6d/0xb0
[   24.008369]  ? cp_new_stat+0x66a/0x8e0
[   24.008433]  ? inode_get_bytes+0x210/0x210
[   24.008509]  ? kasan_unpoison_shadow+0x30/0x40
[   24.008583]  ? kasan_kmalloc+0xa0/0xd0
[   24.008649]  ? __kmalloc_track_caller+0x11a/0x360
[   24.008726]  ? _copy_from_user+0x75/0xc0
[   24.008794]  ? memdup_user+0x39/0x60
[   24.008860]  ksys_mount+0x7b/0xd0
[   24.008926]  __x64_sys_mount+0xbe/0x170
[   24.008996]  do_syscall_64+0x13c/0x520
[   24.009065]  ? syscall_return_slowpath+0x370/0x370
[   24.009145]  ? __do_page_fault+0xb80/0xb80
[   24.009215]  ? prepare_exit_to_usermode+0x1df/0x280
[   24.009293]  ? perf_trace_sys_enter+0x17e0/0x17e0
[   24.009370]  ? __put_user_4+0x1c/0x30
[   24.009437]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.009621] RIP: 0033:0x48d31a
[   24.009692] Code: b8 67 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d cc 01 00 c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4a cc 01 00 c3 66 0f 1f 84 00 00 00 00 00
[   24.010213] RSP: 002b:00007ffdd66b17e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   24.010368] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
[   24.010487] RDX: 00007ffdd66b2fa2 RSI: 00007ffdd66b2f9a RDI: 00007ffdd66b2f91
[   24.010605] RBP: 0000000001d668a0 R08: 0000000000000000 R09: 0000000000000000
[   24.010723] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
[   24.010839] R13: 0000000000000000 R14: 00007ffdd66b1a58 R15: 0000000000000000
[   24.011020]
[   24.011147] Allocated by task 0:
[   24.011209] (stack is not available)
[   24.011277]
[   24.011314] Freed by task 0:
[   24.011359] (stack is not available)
[   24.011413]
[   24.011457] The buggy address belongs to the object at ffff880067e82100
[   24.011457]  which belongs to the cache kmalloc-16 of size 16
[   24.011662] The buggy address is located 0 bytes inside of
[   24.011662]  16-byte region [ffff880067e82100, ffff880067e82110)
[   24.011839] The buggy address belongs to the page:
[   24.012064] page:ffffea00019fa080 count:1 mapcount:0 mapping:ffff88006c001b40 index:0x0
[   24.012318] flags: 0x100000000000100(slab)
[   24.012614] raw: 0100000000000100 dead000000000100 dead000000000200 ffff88006c001b40
[   24.012744] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[   24.012991] page dumped because: kasan: bad access detected
[   24.013105]
[   24.013162] Memory state around the buggy address:
[   24.013453]  ffff880067e82000: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   24.013581]  ffff880067e82080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.013700] >ffff880067e82100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.013851]                    ^
[   24.013912]  ffff880067e82180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.014012]  ffff880067e82200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.014132] ==================================================================
[   24.014250] Disabling lock debugging due to kernel taint
mount: mounting /dev/sda on /mnt failed: Invalid argument
[   24.027931] exe (1090) used greatest stack depth: 19824 bytes left

(Full log attached)

Thanks,
Anatoly

View attachment "serial-log.txt" of type "text/plain" (25537 bytes)

Download attachment "config-v4.18-rc2" of type "application/octet-stream" (115339 bytes)

Download attachment "udf_1mb.img.bz2" of type "application/octet-stream" (1015 bytes)
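As an added triage aid (not part of Anatoly's report and not kernel code): a small Python parser that reads a KASAN report like the one above, keeps only the call-trace frames KASAN prints without a leading "?" (the ones it considers reliable), records the slab cache, and decodes the shadow byte under the "^" marker using the generic-KASAN shadow encodings from mm/kasan/kasan.h of the v4.18 era. The sample input is a trimmed copy of the report above with the wrapped memory-state line rejoined as dmesg prints it; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shadow-byte encodings of generic KASAN (mm/kasan/kasan.h, v4.18 era).
# One shadow byte describes an 8-byte granule of real memory.
GRANULE = 8
SHADOW_MEANING = {
    0x00: "accessible",
    0xFA: "global redzone",
    0xFB: "freed slab object",
    0xFC: "kmalloc redzone (slab memory outside any live object)",
    0xFE: "page redzone (kmalloc_large)",
    0xFF: "freed page",
}

# Constructed sample: a trimmed copy of the report in the mail above, with the
# wrapped memory-state line joined back into one line as dmesg prints it.
SAMPLE_REPORT = """\
[   24.002776] UDF-fs: warning (device sda): udf_fill_super: No fileset found
[   24.003402] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80
[   24.003584] Read of size 8 at addr ffff880067e82100 by task exe/1090
[   24.004420] Call Trace:
[   24.004629]  dump_stack+0xae/0x14b
[   24.005018]  ? iput+0x8df/0xa80
[   24.005217]  kasan_report+0x1d8/0x460
[   24.005412]  iput+0x8df/0xa80
[   24.006107]  udf_sb_free_partitions+0x4e1/0x9b0
[   24.006190]  udf_fill_super+0xe00/0x1ed0
[   24.006861]  mount_bdev+0x25e/0x330
[   24.009437]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.009621] RIP: 0033:0x48d31a
[   24.011457]  which belongs to the cache kmalloc-16 of size 16
[   24.013453]  ffff880067e82000: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   24.013700] >ffff880067e82100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.013851]                    ^
"""

@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""          # "Read" or "Write"
    size: int = 0
    address: int = 0
    task: str = ""
    cache: Optional[str] = None
    frames: List[str] = field(default_factory=list)   # reliable frames only
    shadow_at_fault: Optional[int] = None

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")   # strips the "[   24.003402] " prefix

def parse_kasan_report(log: str) -> KasanReport:
    rep, in_trace = None, False
    for raw in log.splitlines():
        line = _TS.sub("", raw).rstrip()
        m = re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
        if m:
            rep = KasanReport(bug_type=m.group(1), function=m.group(2))
            continue
        if rep is None:
            continue                      # noise before the report header
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line)
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.address, rep.task = int(m.group(3), 16), m.group(4)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            frame = line.strip()
            if frame.startswith("RIP:") or not frame:
                in_trace = False          # end of the trace
            elif not frame.startswith("?"):   # "?" marks an unreliable frame
                rep.frames.append(frame.split("+")[0])
        elif (m := re.search(r"belongs to the cache (\S+) of size", line)):
            rep.cache = m.group(1)
        elif (m := re.match(r">([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", line.strip())):
            # The ">" line covers the faulting address; pick its granule's byte.
            base = int(m.group(1), 16)
            shadow = [int(b, 16) for b in m.group(2).split()]
            idx = (rep.address - base) // GRANULE
            if 0 <= idx < len(shadow):
                rep.shadow_at_fault = shadow[idx]
    if rep is None:
        raise ValueError("no KASAN report in log")
    return rep

def first_frame_with_prefix(rep: KasanReport, prefix: str) -> Optional[str]:
    """First reliable frame of a subsystem, e.g. prefix 'udf_' for fs/udf."""
    return next((f for f in rep.frames if f.startswith(prefix)), None)

def describe_shadow(rep: KasanReport) -> str:
    b = rep.shadow_at_fault
    if b is None:
        return "no shadow byte found for the faulting address"
    if 1 <= b <= 7:
        return f"partially accessible (first {b} bytes of the granule)"
    return SHADOW_MEANING.get(b, f"unknown shadow value 0x{b:02x}")
```

On this report the byte under the caret is 0xfc, KASAN's kmalloc redzone marker, which is why a read at offset 0 of a kmalloc-16 slot is classified slab-out-of-bounds rather than use-after-free: the slot was not part of a live object when iput() dereferenced it. The first fs/udf frame, udf_sb_free_partitions, called from the udf_fill_super error path right after the "No fileset found" warning, is where a reviewer would start reading.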
