Open Source and information security mailing list archives
Message-ID: <20191205074539.GB3237@sol.localdomain>
Date:   Wed, 4 Dec 2019 23:45:39 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     dhowells@...hat.com
Cc:     linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
        syzbot <syzbot+838eb0878ffd51f27c41@...kaller.appspotmail.com>
Subject: Re: KASAN: slab-out-of-bounds Write in pipe_write

Hi David,

On Mon, Dec 02, 2019 at 11:54:00AM -0800, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit a194dfe6e6f6f7205eea850a420f2bc6a1541209
> Author: David Howells <dhowells@...hat.com>
> Date:   Fri Sep 20 15:32:19 2019 +0000
> 
>     pipe: Rearrange sequence in pipe_write() to preallocate slot
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16085abce00000
> start commit:   b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=15085abce00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11085abce00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> dashboard link: https://syzkaller.appspot.com/bug?extid=838eb0878ffd51f27c41
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=146a9f86e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1791d82ae00000
> 
> Reported-by: syzbot+838eb0878ffd51f27c41@...kaller.appspotmail.com
> Fixes: a194dfe6e6f6 ("pipe: Rearrange sequence in pipe_write() to
> preallocate slot")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> 

It looks like the 'mask' variable in pipe_write() is not being updated after the
pipe mutex was dropped in pipe_wait(), to take into account the pipe size
possibly having been changed in the meantime.

BTW, I see that the pipe changes were not in linux-next before being sent to
Linus.  Please do this next time so that syzbot can find the obvious bugs before
they reach mainline.  It's annoying having my system crash on latest mainline
during normal use, due to a bug easily found in < 1 day by an automated system.

- Eric
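The stale-mask ordering described above, as an added illustration that is not part of the message or of the kernel's pipe code: a constructed power-of-two ring model (struct ring, store_slot and both write_after_wait_* functions are made up for this example) in which the writer caches the index mask before a blocking wait, another task shrinks the ring while the lock is dropped, and the cached mask then yields a slot index beyond the new array; the fixed variant reloads the mask after the wait. The model assumes a free-running head counter and an empty ring at resize time, which simplifies the real resize.

```c
#include <stdlib.h>
struct ring {
    unsigned int head;       /* free-running producer counter; slot is head & mask */
    unsigned int ring_size;  /* power of two; mask is ring_size - 1 */
    unsigned char *bufs;     /* ring_size one-byte slots */
};

static void ring_init(struct ring *r, unsigned int size, unsigned int head)
{
    r->head = head;
    r->ring_size = size;
    r->bufs = calloc(size, 1);
}

/* Stand-in for a resize by another task while the writer's lock is dropped in its wait
 * (the ring is empty in this scenario, so no slots need copying). */
static void ring_resize(struct ring *r, unsigned int new_size)
{
    free(r->bufs);
    r->bufs = calloc(new_size, 1);
    r->ring_size = new_size;
}

/* Bounds-checked store: returns the slot used, or -1 instead of writing past bufs (the OOB write). */
static int store_slot(struct ring *r, unsigned int mask, unsigned char c)
{
    unsigned int idx = r->head & mask;
    if (idx >= r->ring_size)
        return -1;
    r->bufs[idx] = c;
    r->head++;
    return (int)idx;
}

/* Buggy order: mask computed once, reused after a wait during which the ring shrank. */
static int write_after_wait_stale(struct ring *r, unsigned int shrink_to)
{
    unsigned int mask = r->ring_size - 1;  /* cached before the blocking wait */
    ring_resize(r, shrink_to);             /* happens while the lock is dropped */
    return store_slot(r, mask, 'x');       /* old mask applied to the smaller ring */
}

/* Fixed order: reload the mask from the ring after reacquiring the lock. */
static int write_after_wait_fresh(struct ring *r, unsigned int shrink_to)
{
    ring_resize(r, shrink_to);
    unsigned int mask = r->ring_size - 1;  /* recomputed after the wait */
    return store_slot(r, mask, 'x');
}
```

With a 16-slot ring whose head counter is at 6 and a shrink to 4 slots, the stale path computes slot 6 & 15 = 6 and refuses the write, while the fixed path computes 6 & 3 = 2 and stores normally.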
