| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJg=8jz0X=CKR1POvF41oEumrq1z=MVWPdF2ECbzV6-rhht8-g@mail.gmail.com> Date: Thu, 18 Apr 2024 11:03:30 -0700 From: Marius Fleischer <fleischermarius@...il.com> To: Leah Rumancik <leah.rumancik@...il.com>, "Darrick J. Wong" <djwong@...nel.org>, linux-xfs@...r.kernel.org, linux-kernel@...r.kernel.org Cc: harrisonmichaelgreen@...il.com, syzkaller@...glegroups.com Subject: KASAN: null-ptr-deref Write in xlog_cil_commit Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: KASAN: null-ptr-deref Write in xlog_cil_commit affected file: fs/xfs/xfs_log_cil.c kernel version: 5.15.156 kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd git tree: upstream kernel config: attached crash reproducer: attached ====================================================== Crash log: BUG: KASAN: null-ptr-deref in memset include/linux/fortify-string.h:175 [inline] BUG: KASAN: null-ptr-deref in xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline] BUG: KASAN: null-ptr-deref in xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264 Write of size 88 at addr 0000000000000000 by task syz-executor.7/12467 CPU: 0 PID: 12467 Comm: syz-executor.7 Not tainted 5.15.156 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:438 [inline] kasan_report.cold+0x66/0xdf mm/kasan/report.c:451 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x140/0x190 mm/kasan/generic.c:189 memset+0x20/0x40 mm/kasan/shadow.c:44 memset include/linux/fortify-string.h:175 [inline] xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline] xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264 __xfs_trans_commit+0x69d/0xe90 fs/xfs/xfs_trans.c:881 xfs_setattr_nonsize+0x372/0xd10 fs/xfs/xfs_iops.c:745 xfs_vn_setattr+0x1f4/0x250 fs/xfs/xfs_iops.c:1029 notify_change+0xbe9/0x1200 fs/attr.c:505 vfs_utimes+0x3fe/0x7f0 fs/utimes.c:65 do_utimes_path+0xfd/0x1a0 fs/utimes.c:98 do_utimes+0x31/0xf0 fs/utimes.c:144 do_futimesat+0x147/0x1b0 fs/utimes.c:198 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f68dfdd0d2d Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f68de340028 EFLAGS: 00000246 ORIG_RAX: 00000000000000eb RAX: ffffffffffffffda RBX: 00007f68dff0df80 RCX: 00007f68dfdd0d2d RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000 RBP: 00007f68de3400a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 000000000000000b R14: 00007f68dff0df80 R15: 00007f68de320000 </TASK> ====================================================== We took a very brief look at the code. Is it possible that there is a check missing for the return value of kvmalloc at fs/xfs/xfs_log_cil.c:224? lv = kvmalloc(buf_size, GFP_KERNEL); memset(lv, 0, xlog_cil_iovec_space(niovecs)); Kind regards, Marius Content of type "text/html" skipped Download attachment "config" of type "application/octet-stream" (227013 bytes) View attachment "repro.c" of type "text/x-csrc" (216496 bytes) Download attachment "repro.syz" of type "application/octet-stream" (59177 bytes)
Powered by blists - more mailing lists