lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 27 Dec 2019 12:46:00 +0800
From:   Ming Lei <ming.lei@...hat.com>
To:     syzbot <syzbot+2b9e54155c8c25d8d165@...kaller.appspotmail.com>
Cc:     akpm@...ux-foundation.org, axboe@...nel.dk, dave@...olabs.net,
        hch@....de, hughd@...gle.com, ktkhai@...tuozzo.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org, mhocko@...e.com,
        osandov@...com, syzkaller-bugs@...glegroups.com
Subject: Re: INFO: task hung in sync_inodes_sb (3)

On Thu, Dec 26, 2019 at 02:06:01PM -0800, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit 6dc4f100c175dd0511ae8674786e7c9006cdfbfa
> Author: Ming Lei <ming.lei@...hat.com>
> Date:   Fri Feb 15 11:13:19 2019 +0000
> 
>     block: allow bio_for_each_segment_all() to iterate over multi-page bvec
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1674423ee00000
> start commit:   46cf053e Linux 5.5-rc3
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=1574423ee00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1174423ee00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ed9d672709340e35
> dashboard link: https://syzkaller.appspot.com/bug?extid=2b9e54155c8c25d8d165
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=152bdc56e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159c489ee00000
> 
> Reported-by: syzbot+2b9e54155c8c25d8d165@...kaller.appspotmail.com
> Fixes: 6dc4f100c175 ("block: allow bio_for_each_segment_all() to iterate
> over multi-page bvec")

Looks this syzbot test triggers bio truncate(guard_bio_eod()), and the
truncated bytes is bigger than the last bvec, which length is overflowed
by 'bvec->bv_len -= truncated_bytes'.

Finally bio_for_each_segment_all() trigger the issue.

Will figure out one patch to fix it.

Thanks, 
Ming

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ