lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 02 Oct 2018 03:55:02 -0700
From:   syzbot <syzbot+c1e36d30ee3416289cc0@...kaller.appspotmail.com>
To:     linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        miklos@...redi.hu, syzkaller-bugs@...glegroups.com
Subject: general protection fault in fuse_dev_do_write

Hello,

syzbot found the following crash on:

HEAD commit:    62f3d25900c9 Add linux-next specific files for 20181002
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147d5eb9400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=77a6dfae97d4b496
dashboard link: https://syzkaller.appspot.com/bug?extid=c1e36d30ee3416289cc0
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c1e36d30ee3416289cc0@...kaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 20304 Comm: syz-executor1 Not tainted 4.19.0-rc6-next-20181002+  
#85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:fuse_retrieve fs/fuse/dev.c:1741 [inline]
RIP: 0010:fuse_notify_retrieve fs/fuse/dev.c:1801 [inline]
RIP: 0010:fuse_notify fs/fuse/dev.c:1834 [inline]
RIP: 0010:fuse_dev_do_write+0x1dc2/0x3810 fs/fuse/dev.c:1913
Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 dc 17 00 00 49 8b 9d 58 01 00 00 b8  
ff ff 37 00 48 c1 e0 2a 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48  
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:ffff88019bd474b8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90003e76000
RDX: 0000000000000000 RSI: ffffffff8287fbd3 RDI: 0000000000000004
RBP: ffff88019bd47a50 R08: ffff8801c0552500 R09: ffffed0039ae937e
R10: ffffed0039ae937e R11: ffff8801cd749bf3 R12: 0000000000000000
R13: ffff8801cd749bd0 R14: 0000000000000000 R15: 0000000000000030
FS:  00007f5740db7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 00000001c4109000 CR4: 00000000001406e0
Call Trace:
  fuse_dev_write+0x19a/0x240 fs/fuse/dev.c:1997
  call_write_iter include/linux/fs.h:1844 [inline]
  new_sync_write fs/read_write.c:474 [inline]
  __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
  vfs_write+0x1fc/0x560 fs/read_write.c:549
  ksys_write+0x101/0x260 fs/read_write.c:598
  __do_sys_write fs/read_write.c:610 [inline]
  __se_sys_write fs/read_write.c:607 [inline]
  __x64_sys_write+0x73/0xb0 fs/read_write.c:607
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457579
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5740db6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
RDX: 0000000000000030 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5740db76d4
R13: 00000000004c50c5 R14: 00000000004d8718 R15: 00000000ffffffff
Modules linked in:
---[ end trace 8b37456f1c1100bc ]---
RIP: 0010:fuse_retrieve fs/fuse/dev.c:1741 [inline]
RIP: 0010:fuse_notify_retrieve fs/fuse/dev.c:1801 [inline]
RIP: 0010:fuse_notify fs/fuse/dev.c:1834 [inline]
RIP: 0010:fuse_dev_do_write+0x1dc2/0x3810 fs/fuse/dev.c:1913
Code: 00 48 c1 e0 2a 80 3c 02 00 0f 85 dc 17 00 00 49 8b 9d 58 01 00 00 b8  
ff ff 37 00 48 c1 e0 2a 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48  
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:ffff88019bd474b8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90003e76000
RDX: 0000000000000000 RSI: ffffffff8287fbd3 RDI: 0000000000000004
RBP: ffff88019bd47a50 R08: ffff8801c0552500 R09: ffffed0039ae937e
kobject: 'loop5' (0000000025425302): kobject_uevent_env
R10: ffffed0039ae937e R11: ffff8801cd749bf3 R12: 0000000000000000
kobject: 'loop5' (0000000025425302): fill_kobj_path: path  
= '/devices/virtual/block/loop5'
R13: ffff8801cd749bd0 R14: 0000000000000000 R15: 0000000000000030
FS:  00007f5740db7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
kobject: 'loop3' (000000006439d2fe): kobject_uevent_env
kobject: 'loop3' (000000006439d2fe): fill_kobj_path: path  
= '/devices/virtual/block/loop3'
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop5' (0000000025425302): kobject_uevent_env
kobject: 'loop5' (0000000025425302): fill_kobj_path: path  
= '/devices/virtual/block/loop5'
CR2: 0000001b2f541000 CR3: 00000001c4109000 CR4: 00000000001406e0


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ