[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0000000000006040a805ad584c37@google.com>
Date: Thu, 20 Aug 2020 17:27:13 -0700
From: syzbot <syzbot+6d6e5b894ac34506362f@...kaller.appspotmail.com>
To: bp@...en8.de, gregkh@...uxfoundation.org, hpa@...or.com,
jirislaby@...nel.org, jslaby@...e.com, jslaby@...e.cz,
linux-kernel@...r.kernel.org, mingo@...hat.com, nico@...xnic.net,
syzkaller-bugs@...glegroups.com, tglx@...utronix.de, x86@...nel.org
Subject: KASAN: slab-out-of-bounds Write in vcs_read
Hello,
syzbot found the following issue on:
HEAD commit: 605cbf3d Add linux-next specific files for 20200820
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=163dc80e900000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61d44f28687f508
dashboard link: https://syzkaller.appspot.com/bug?extid=6d6e5b894ac34506362f
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bf6791900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14019672900000
The issue was bisected to:
commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
Author: Jiri Slaby <jslaby@...e.cz>
Date: Tue Aug 18 08:57:05 2020 +0000
vc_screen: extract vcs_read_buf_header
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1070fe7e900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1270fe7e900000
console output: https://syzkaller.appspot.com/x/log.txt?x=1470fe7e900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6d6e5b894ac34506362f@...kaller.appspotmail.com
Fixes: b1c32fcfadf5 ("vc_screen: extract vcs_read_buf_header")
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
BUG: KASAN: slab-out-of-bounds in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
Write of size 2 at addr ffff8880a47ef000 by task syz-executor776/6833
CPU: 0 PID: 6833 Comm: syz-executor776 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
vfs_read+0x1df/0x5a0 fs/read_write.c:479
ksys_read+0x12d/0x250 fs/read_write.c:607
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440bb9
Code: 26 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffed959bbf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440bb9
RDX: 0000000000002020 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007ffed959bc00 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000401fe0
R13: 0000000000402070 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
slab_post_alloc_hook mm/slab.h:517 [inline]
slab_alloc mm/slab.c:3312 [inline]
kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482
kmem_cache_zalloc include/linux/slab.h:656 [inline]
__alloc_file+0x21/0x350 fs/file_table.c:101
alloc_empty_file+0x6d/0x170 fs/file_table.c:151
path_openat+0xe3/0x2730 fs/namei.c:3354
do_filp_open+0x17e/0x3c0 fs/namei.c:3395
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_open fs/open.c:1192 [inline]
__se_sys_open fs/open.c:1188 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1188
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 16:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
rcu_do_batch kernel/rcu/tree.c:2474 [inline]
rcu_core+0x5df/0x11e0 kernel/rcu/tree.c:2709
__do_softirq+0x2de/0xa24 kernel/softirq.c:298
Last call_rcu():
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
__call_rcu kernel/rcu/tree.c:2951 [inline]
call_rcu+0x14f/0x7f0 kernel/rcu/tree.c:3025
task_work_run+0xdd/0x190 kernel/task_work.c:141
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:139 [inline]
exit_to_user_mode_prepare+0x195/0x1c0 kernel/entry/common.c:166
syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Second to last call_rcu():
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
__call_rcu kernel/rcu/tree.c:2951 [inline]
call_rcu+0x14f/0x7f0 kernel/rcu/tree.c:3025
task_work_run+0xdd/0x190 kernel/task_work.c:141
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:139 [inline]
exit_to_user_mode_prepare+0x195/0x1c0 kernel/entry/common.c:166
syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8880a47ef0c0
which belongs to the cache filp of size 488
The buggy address is located 192 bytes to the left of
488-byte region [ffff8880a47ef0c0, ffff8880a47ef2a8)
The buggy address belongs to the page:
page:00000000717406a1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa47ef
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00025060c8 ffffea00027ea248 ffff88821bc47b00
raw: 0000000000000000 ffff8880a47ef0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a47eef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a47eef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a47ef000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a47ef080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff8880a47ef100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists