Message-ID: <CAJg=8jz0X=CKR1POvF41oEumrq1z=MVWPdF2ECbzV6-rhht8-g@mail.gmail.com>
Date: Thu, 18 Apr 2024 11:03:30 -0700
From: Marius Fleischer <fleischermarius@...il.com>
To: Leah Rumancik <leah.rumancik@...il.com>, "Darrick J. Wong" <djwong@...nel.org>, 
	linux-xfs@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: harrisonmichaelgreen@...il.com, syzkaller@...glegroups.com
Subject: KASAN: null-ptr-deref Write in xlog_cil_commit

Hi,


We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================

description: KASAN: null-ptr-deref Write in xlog_cil_commit

affected file: fs/xfs/xfs_log_cil.c

kernel version: 5.15.156

kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd

git tree: upstream

kernel config: attached

crash reproducer: attached

======================================================

Crash log:

BUG: KASAN: null-ptr-deref in memset include/linux/fortify-string.h:175 [inline]
BUG: KASAN: null-ptr-deref in xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline]
BUG: KASAN: null-ptr-deref in xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264
Write of size 88 at addr 0000000000000000 by task syz-executor.7/12467

CPU: 0 PID: 12467 Comm: syz-executor.7 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:438 [inline]
 kasan_report.cold+0x66/0xdf mm/kasan/report.c:451
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x140/0x190 mm/kasan/generic.c:189
 memset+0x20/0x40 mm/kasan/shadow.c:44
 memset include/linux/fortify-string.h:175 [inline]
 xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline]
 xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264
 __xfs_trans_commit+0x69d/0xe90 fs/xfs/xfs_trans.c:881
 xfs_setattr_nonsize+0x372/0xd10 fs/xfs/xfs_iops.c:745
 xfs_vn_setattr+0x1f4/0x250 fs/xfs/xfs_iops.c:1029
 notify_change+0xbe9/0x1200 fs/attr.c:505
 vfs_utimes+0x3fe/0x7f0 fs/utimes.c:65
 do_utimes_path+0xfd/0x1a0 fs/utimes.c:98
 do_utimes+0x31/0xf0 fs/utimes.c:144
 do_futimesat+0x147/0x1b0 fs/utimes.c:198
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f68dfdd0d2d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f68de340028 EFLAGS: 00000246 ORIG_RAX: 00000000000000eb
RAX: ffffffffffffffda RBX: 00007f68dff0df80 RCX: 00007f68dfdd0d2d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007f68de3400a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000b R14: 00007f68dff0df80 R15: 00007f68de320000
 </TASK>

======================================================

We took a very brief look at the code. Is it possible that there is a check
missing for the return value of kvmalloc at fs/xfs/xfs_log_cil.c:224?

lv = kvmalloc(buf_size, GFP_KERNEL);
memset(lv, 0, xlog_cil_iovec_space(niovecs));

Kind regards,

Marius


Download attachment "config" of type "application/octet-stream" (227013 bytes)

View attachment "repro.c" of type "text/x-csrc" (216496 bytes)

Download attachment "repro.syz" of type "application/octet-stream" (59177 bytes)
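Added example, not code from the report or from XFS: a simplified userspace model of the pattern quoted in the message, where an allocation result is zeroed and dereferenced without a NULL check, shown next to a variant that propagates -ENOMEM. The struct layout, iovec_space() and the fault-injecting allocator standing in for kvmalloc are constructed assumptions, not XFS's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a log vector: header, then niovecs iovecs,
 * then the data buffer (not the real struct xfs_log_vec). */
struct iovec_hdr { void *addr; uint32_t len; uint32_t type; };
struct log_vec   { size_t niovecs; struct iovec_hdr iovecs[]; };

/* Constructed fault injection: when set, the next allocation fails once,
 * the way a fuzzer's injected allocation fault would. */
int inject_alloc_failure = 0;

void *fallible_kvmalloc(size_t size)
{
    if (inject_alloc_failure) { inject_alloc_failure = 0; return NULL; }
    return malloc(size);
}

/* Assumed layout size of header + iovec array, the part that gets zeroed. */
size_t iovec_space(size_t niovecs)
{
    return sizeof(struct log_vec) + niovecs * sizeof(struct iovec_hdr);
}

/* Mirrors the reported pattern: the allocation result is used unchecked,
 * so an allocation failure becomes a write to address 0. */
struct log_vec *alloc_shadow_unchecked(size_t niovecs, size_t nbytes)
{
    struct log_vec *lv = fallible_kvmalloc(iovec_space(niovecs) + nbytes);
    memset(lv, 0, iovec_space(niovecs));   /* NULL dereference if lv == NULL */
    lv->niovecs = niovecs;
    return lv;
}

/* Hardened variant: fail the operation with -ENOMEM instead of crashing. */
int alloc_shadow_checked(size_t niovecs, size_t nbytes, struct log_vec **out)
{
    struct log_vec *lv = fallible_kvmalloc(iovec_space(niovecs) + nbytes);
    if (!lv)
        return -ENOMEM;
    memset(lv, 0, iovec_space(niovecs));
    lv->niovecs = niovecs;
    *out = lv;
    return 0;
}
```

Running alloc_shadow_unchecked() with inject_alloc_failure set reproduces the crash class in userspace (SIGSEGV on the memset), while the checked variant returns -ENOMEM and leaves *out untouched.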
