Date: Mon, 13 May 2024 22:50:05 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: agruenba@...hat.com,
 syzkaller@...glegroups.com
Cc: gfs2@...ts.linux.dev,
 linux-kernel@...r.kernel.org
Subject: KASAN: slab-out-of-bounds in gfs2_invalidate_folio

Hi Kernel Maintainers,

Our tool found a new kernel bug KASAN: slab-out-of-bounds in gfs2_invalidate_folio. Please see the details below.

Kernel commit: v6.8
Kernel config: attachment
C/Syz reproducer: attachment


Best,
Shuangpeng


Download attachment "repro.c" of type "application/octet-stream" (1111472 bytes)

Download attachment ".config" of type "application/octet-stream" (245929 bytes)



[   94.491083][ T8162] ==================================================================
[ 94.492323][ T8162] BUG: KASAN: slab-out-of-bounds in gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[   94.493520][ T8162] Read of size 8 at addr ffff888154826a20 by task a.out/8162
[   94.494581][ T8162]
[   94.494936][ T8162] CPU: 1 PID: 8162 Comm: a.out Not tainted 6.8.0 #6
[   94.495886][ T8162] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   94.497147][ T8162] Call Trace:
[   94.497621][ T8162]  <TASK>
[ 94.498059][ T8162] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 94.498745][ T8162] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) 
[ 94.499411][ T8162] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) 
[ 94.500066][ T8162] ? gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.500852][ T8162] kasan_report (mm/kasan/report.c:603) 
[ 94.501469][ T8162] ? gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.502233][ T8162] gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.502987][ T8162] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 /include/atomic/atomic-arch-fallback.h:2164 /include/atomic/atomic-instrumented.h:1296 /include/asm-generic/qspinlock.h:111 ./include/spinlock.h:187 /include/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 94.503730][ T8162] ? __pfx_gfs2_invalidate_folio (fs/gfs2/aops.c:635) 
[ 94.504521][ T8162] truncate_cleanup_folio (mm/truncate.c:158 mm/truncate.c:178) 
[ 94.505281][ T8162] truncate_inode_pages_range (mm/truncate.c:357 (discriminator 3)) 
[ 94.506110][ T8162] ? __pfx_truncate_inode_pages_range (mm/truncate.c:322) 
[ 94.506984][ T8162] ? __x64_sys_exit_group (kernel/exit.c:1029) 
[ 94.507707][ T8162] ? do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.508374][ T8162] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[ 94.509247][ T8162] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) 
[ 94.510071][ T8162] ? debug_object_active_state (lib/debugobjects.c:946) 
[ 94.510953][ T8162] gfs2_evict_inode (fs/gfs2/super.c:1509) 
[ 94.511707][ T8162] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 94.512528][ T8162] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/atomic/atomic-arch-fallback.h:2164 /include/atomic/atomic-instrumented.h:1296 /include/asm-generic/qspinlock.h:111 ./include/spinlock.h:187 /include/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 94.513249][ T8162] ? __inode_wait_for_writeback (fs/fs-writeback.c:1487) 
[ 94.514183][ T8162] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1487) 
[ 94.515126][ T8162] ? __pfx_wake_bit_function (kernel/sched/wait_bit.c:22) 
[ 94.515982][ T8162] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 94.516789][ T8162] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 94.517614][ T8162] ? wb_io_lists_depopulated (fs/fs-writeback.c:100 (discriminator 1)) 
[ 94.518465][ T8162] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 94.519296][ T8162] evict (fs/inode.c:670) 
[ 94.519915][ T8162] iput.part.0 (fs/inode.c:1739 fs/inode.c:1765) 
[ 94.520609][ T8162] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025) 
[ 94.521429][ T8162] iput (fs/inode.c:1767) 
[ 94.522007][ T8162] gfs2_kill_sb (./include/sched.h:1984 fs/gfs2/ops_fstype.c:1770 fs/gfs2/ops_fstype.c:1793) 
[ 94.522720][ T8162] deactivate_locked_super (fs/super.c:433 fs/super.c:474) 
[ 94.523598][ T8162] deactivate_super (fs/super.c:507) 
[ 94.524372][ T8162] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268) 
[ 94.525113][ T8162] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 94.525847][ T8162] ? __pfx_task_work_run (kernel/task_work.c:148) 
[ 94.526638][ T8162] ? __put_net (net/core/net_namespace.c:667) 
[ 94.527324][ T8162] do_exit (kernel/exit.c:872) 
[ 94.527984][ T8162] ? __count_memcg_events (mm/memcontrol.c:722 mm/memcontrol.c:961) 
[ 94.528842][ T8162] ? __pfx_do_exit (kernel/exit.c:812) 
[ 94.529564][ T8162] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169) 
[ 94.530422][ T8162] ? zap_other_threads (kernel/signal.c:1389) 
[ 94.531215][ T8162] do_group_exit (kernel/exit.c:1001) 
[ 94.531965][ T8162] __x64_sys_exit_group (kernel/exit.c:1029) 
[ 94.532802][ T8162] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.533517][ T8162] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[   94.534478][ T8162] RIP: 0033:0x7f162e2ee146
[ 94.535174][ T8162] Code: Unable to access opcode bytes at 0x7f162e2ee11c.

Code starting with the faulting instruction
===========================================
[   94.536235][ T8162] RSP: 002b:00007ffc8b584d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   94.537548][ T8162] RAX: ffffffffffffffda RBX: 00007f162e3f38a0 RCX: 00007f162e2ee146
[   94.538770][ T8162] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   94.539757][ T8162] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
[   94.540522][ T8162] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f162e3f38a0
[   94.541285][ T8162] R13: 0000000000000001 R14: 00007f162e3fc2e8 R15: 0000000000000000
[   94.542056][ T8162]  </TASK>
[   94.542359][ T8162]
[   94.542595][ T8162] Allocated by task 8162:
[ 94.543016][ T8162] kasan_save_stack (mm/kasan/common.c:48) 
[ 94.543491][ T8162] kasan_save_track (./arch/x86/include/asm/current.h:42 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 94.543956][ T8162] __kasan_kmalloc (mm/kasan/common.c:370 mm/kasan/common.c:387) 
[ 94.544467][ T8162] __kmalloc (./include/kasan.h:211 mm/slub.c:3981 mm/slub.c:3994) 
[ 94.544500][ T8162] ifs_alloc.isra.0 (fs/iomap/buffered-io.c:167) 
[ 94.545641][ T8162] iomap_do_writepage (fs/iomap/buffered-io.c:138 fs/iomap/buffered-io.c:1793 fs/iomap/buffered-io.c:1975) 
[ 94.546152][ T8162] write_cache_pages (./include/page-flags.h:785 /include/page-flags.h:806 ./include/mm.h:2059 mm/page-writeback.c:2475) 
[ 94.546645][ T8162] iomap_writepages (fs/iomap/buffered-io.c:1993) 
[ 94.547109][ T8162] gfs2_writepages (fs/gfs2/aops.c:192) 
[ 94.547586][ T8162] do_writepages (mm/page-writeback.c:2553) 
[ 94.548048][ T8162] filemap_fdatawrite_wbc (mm/filemap.c:389 mm/filemap.c:378) 
[ 94.548575][ T8162] __filemap_fdatawrite_range (mm/filemap.c:413) 
[ 94.549125][ T8162] gfs2_log_flush (./include/spinlock.h:351 fs/gfs2/log.c:737 fs/gfs2/log.c:1105) 
[ 94.549606][ T8162] gfs2_fileattr_set (fs/gfs2/file.c:245 fs/gfs2/file.c:310) 
[ 94.550091][ T8162] vfs_fileattr_set (fs/ioctl.c:697) 
[ 94.550573][ T8162] do_vfs_ioctl (fs/ioctl.c:760 fs/ioctl.c:846) 
[ 94.551052][ T8162] __x64_sys_ioctl (fs/ioctl.c:870 fs/ioctl.c:857 fs/ioctl.c:857) 
[ 94.551551][ T8162] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.552002][ T8162] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[   94.552597][ T8162]
[   94.552846][ T8162] The buggy address belongs to the object at ffff888154826a00
[   94.552846][ T8162]  which belongs to the cache kmalloc-32 of size 32
[   94.554181][ T8162] The buggy address is located 8 bytes to the right of
[   94.554181][ T8162]  allocated 24-byte region [ffff888154826a00, ffff888154826a18)
[   94.555553][ T8162]
[   94.555790][ T8162] The buggy address belongs to the physical page:
[   94.556405][ T8162] page:ffffea0005520980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:06
[   94.557380][ T8162] flags: 0x57ff00000000800(slab|node=1|zone=2|lastcpupid=0x7ff)
[   94.558116][ T8162] page_type: 0xffffffff()
[   94.558541][ T8162] raw: 057ff00000000800 ffff888011c41500 ffffea0005297580 dead000000000004
[   94.559361][ T8162] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
[   94.560177][ T8162] page dumped because: kasan: bad access detected
[   94.560789][ T8162] page_owner tracks the page as allocated
[   94.561335][ T8162] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__3
[ 94.563070][ T8162] post_alloc_hook (./include/page_owner.h:31 mm/page_alloc.c:1533) 
[ 94.563544][ T8162] get_page_from_freelist (mm/page_alloc.c:1542 mm/page_alloc.c:3311) 
[ 94.564092][ T8162] __alloc_pages (mm/page_alloc.c:4570) 
[ 94.564590][ T8162] allocate_slab (mm/slub.c:2191 mm/slub.c:2354) 
[ 94.565064][ T8162] ___slab_alloc (mm/slub.c:3541) 
[ 94.565562][ T8162] __slab_alloc.constprop.0 (mm/slub.c:3625) 
[ 94.566102][ T8162] __kmalloc_node_track_caller (mm/slub.c:3678 mm/slub.c:3850 mm/slub.c:3980 mm/slub.c:4001) 
[ 94.566675][ T8162] kstrdup (mm/util.c:63) 
[ 94.567064][ T8162] security_context_to_sid_core (security/sess/services.c:1544) 
[ 94.567637][ T8162] inode_doinit_use_xattr (security/sehooks.c:1392) 
[ 94.568159][ T8162] inode_doinit_with_dentry (security/sehooks.c:1488) 
[ 94.568713][ T8162] selinux_d_instantiate (security/sehooks.c:6343) 
[ 94.569220][ T8162] security_d_instantiate (security/security.c:3896 (discriminator 11)) 
[ 94.569737][ T8162] d_splice_alias (./include/spinlock.h:351 fs/dcache.c:2974) 
[ 94.570192][ T8162] ext4_lookup (fs/ext4/namei.c:1883 fs/ext4/namei.c:1830) 
[ 94.570637][ T8162] path_openat (fs/namei.c:3478 fs/namei.c:3569 fs/namei.c:3799) 
[   94.571095][ T8162] page last free pid 4487 tgid 4487 stack trace:
[ 94.571702][ T8162] free_unref_page_prepare (./include/page_owner.h:24 mm/page_alloc.c:1140 mm/page_alloc.c:2346) 
[ 94.572235][ T8162] free_unref_page_list (mm/page_alloc.c:2532) 
[ 94.572736][ T8162] release_pages (mm/swap.c:961) 
[ 94.573204][ T8162] tlb_batch_pages_flush (mm/mmu_gather.c:99 (discriminator 1)) 
[ 94.573717][ T8162] tlb_finish_mmu (mm/mmu_gather.c:112 mm/mmu_gather.c:395) 
[ 94.574178][ T8162] exit_mmap (mm/mmap.c:3307) 
[ 94.574620][ T8162] __mmput (kernel/fork.c:1344) 
[ 94.575030][ T8162] mmput (kernel/fork.c:1366) 
[ 94.575406][ T8162] begin_new_exec (fs/exec.c:1314) 
[ 94.575890][ T8162] load_elf_binary (fs/binfmt_elf.c:997) 
[ 94.576374][ T8162] bprm_execve (fs/exec.c:1785 fs/exec.c:1825 fs/exec.c:1877 fs/exec.c:1853) 
[ 94.576827][ T8162] do_execveat_common.isra.0 (fs/exec.c:1984) 
[ 94.577379][ T8162] __x64_sys_execve (fs/exec.c:2129) 
[ 94.577858][ T8162] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.578304][ T8162] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[   94.578885][ T8162]
[   94.579121][ T8162] Memory state around the buggy address:
[   94.579655][ T8162]  ffff888154826900: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[   94.580400][ T8162]  ffff888154826980: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
[   94.581165][ T8162] >ffff888154826a00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   94.581935][ T8162]                                ^
[   94.582428][ T8162]  ffff888154826a80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   94.583194][ T8162]  ffff888154826b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   94.583958][ T8162] ==================================================================
[   94.594413][ T8162] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   94.595479][ T8162] CPU: 1 PID: 8162 Comm: a.out Not tainted 6.8.0 #6
[   94.596503][ T8162] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   94.597818][ T8162] Call Trace:
[   94.598344][ T8162]  <TASK>
[ 94.598807][ T8162] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 94.599531][ T8162] panic (kernel/panic.c:344) 
[ 94.600156][ T8162] ? __pfx_panic (kernel/panic.c:278) 
[ 94.600862][ T8162] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:45) 
[ 94.601729][ T8162] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6906) 
[ 94.602591][ T8162] ? check_panic_on_warn (kernel/panic.c:236) 
[ 94.603393][ T8162] ? gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.604199][ T8162] check_panic_on_warn (kernel/panic.c:237) 
[ 94.604968][ T8162] end_report (mm/kasan/report.c:226) 
[ 94.605647][ T8162] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) 
[ 94.606342][ T8162] ? gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.607198][ T8162] gfs2_invalidate_folio (fs/gfs2/aops.c:651) 
[ 94.608041][ T8162] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 /include/atomic/atomic-arch-fallback.h:2164 /include/atomic/atomic-instrumented.h:1296 /include/asm-generic/qspinlock.h:111 ./include/spinlock.h:187 /include/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 94.608878][ T8162] ? __pfx_gfs2_invalidate_folio (fs/gfs2/aops.c:635) 
[ 94.609807][ T8162] truncate_cleanup_folio (mm/truncate.c:158 mm/truncate.c:178) 
[ 94.610659][ T8162] truncate_inode_pages_range (mm/truncate.c:357 (discriminator 3)) 
[ 94.611563][ T8162] ? __pfx_truncate_inode_pages_range (mm/truncate.c:322) 
[ 94.612549][ T8162] ? __x64_sys_exit_group (kernel/exit.c:1029) 
[ 94.613364][ T8162] ? do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.614114][ T8162] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[ 94.615067][ T8162] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) 
[ 94.615979][ T8162] ? debug_object_active_state (lib/debugobjects.c:946) 
[ 94.616898][ T8162] gfs2_evict_inode (fs/gfs2/super.c:1509) 
[ 94.617708][ T8162] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 94.618567][ T8162] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/atomic/atomic-arch-fallback.h:2164 /include/atomic/atomic-instrumented.h:1296 /include/asm-generic/qspinlock.h:111 ./include/spinlock.h:187 /include/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 94.619353][ T8162] ? __inode_wait_for_writeback (fs/fs-writeback.c:1487) 
[ 94.620305][ T8162] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1487) 
[ 94.621277][ T8162] ? __pfx_wake_bit_function (kernel/sched/wait_bit.c:22) 
[ 94.622149][ T8162] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 94.623011][ T8162] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 94.623873][ T8162] ? wb_io_lists_depopulated (fs/fs-writeback.c:100 (discriminator 1)) 
[ 94.624741][ T8162] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 94.625575][ T8162] evict (fs/inode.c:670) 
[ 94.626200][ T8162] iput.part.0 (fs/inode.c:1739 fs/inode.c:1765) 
[ 94.626907][ T8162] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025) 
[ 94.627735][ T8162] iput (fs/inode.c:1767) 
[ 94.628327][ T8162] gfs2_kill_sb (./include/sched.h:1984 fs/gfs2/ops_fstype.c:1770 fs/gfs2/ops_fstype.c:1793) 
[ 94.629089][ T8162] deactivate_locked_super (fs/super.c:433 fs/super.c:474) 
[ 94.629992][ T8162] deactivate_super (fs/super.c:507) 
[ 94.630760][ T8162] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268) 
[ 94.631469][ T8162] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 94.632196][ T8162] ? __pfx_task_work_run (kernel/task_work.c:148) 
[ 94.632935][ T8162] ? __put_net (net/core/net_namespace.c:667) 
[ 94.633612][ T8162] do_exit (kernel/exit.c:872) 
[ 94.634273][ T8162] ? __count_memcg_events (mm/memcontrol.c:722 mm/memcontrol.c:961) 
[ 94.635120][ T8162] ? __pfx_do_exit (kernel/exit.c:812) 
[ 94.635833][ T8162] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169) 
[ 94.636701][ T8162] ? zap_other_threads (kernel/signal.c:1389) 
[ 94.637515][ T8162] do_group_exit (kernel/exit.c:1001) 
[ 94.638233][ T8162] __x64_sys_exit_group (kernel/exit.c:1029) 
[ 94.639069][ T8162] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 94.639828][ T8162] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[   94.640782][ T8162] RIP: 0033:0x7f162e2ee146
[ 94.641525][ T8162] Code: Unable to access opcode bytes at 0x7f162e2ee11c.

Code starting with the faulting instruction
===========================================
[   94.642646][ T8162] RSP: 002b:00007ffc8b584d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   94.643938][ T8162] RAX: ffffffffffffffda RBX: 00007f162e3f38a0 RCX: 00007f162e2ee146
[   94.645039][ T8162] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   94.646058][ T8162] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
[   94.647098][ T8162] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f162e3f38a0
[   94.648138][ T8162] R13: 0000000000000001 R14: 00007f162e3fc2e8 R15: 0000000000000000
[   94.649181][ T8162]  </TASK>
[   94.649730][ T8162] Kernel Offset: disabled
[   94.650152][ T8162] Rebooting in 86400 seconds..
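To relate the "Read of size 8 at addr ffff888154826a20" line to the shadow rows under "Memory state around the buggy address", here is an added triage helper in C; it is not part of the report, the reproducer or the kernel. It embeds the three shadow rows copied from the report above and assumes generic KASAN's 8-byte granule and its fc/fb/fa slab poison values.

```c
/* Added triage helper, not code from the report or from the kernel: decodes
 * the "Memory state around the buggy address" rows of the KASAN report above.
 * Generic KASAN keeps one shadow byte per 8-byte granule: 00 = addressable,
 * 01..07 = that many leading bytes addressable, fc = slab redzone, fb = freed
 * slab object, fa = freed object whose first granule holds free-track data. */
#include <stdint.h>
#include <stdlib.h>
#define GRANULE 8

/* Shadow rows copied from the report (timestamp prefix and '>' marker removed). */
static const char *shadow_rows[] = {
    "ffff888154826980: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc",
    "ffff888154826a00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc",
    "ffff888154826a80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc",
};

const char *describe_shadow(int s)
{
    if (s == 0) return "addressable";
    if (s > 0 && s < GRANULE) return "partially addressable granule";
    if (s == 0xfc) return "slab redzone";
    if (s == 0xfb) return "freed slab object";
    if (s == 0xfa) return "freed slab object (free-track metadata)";
    return "other poison / not captured";
}

/* Shadow byte covering addr, or -1 if no captured row contains it. */
int shadow_byte_for(uint64_t addr)
{
    for (size_t i = 0; i < sizeof shadow_rows / sizeof *shadow_rows; i++) {
        char *p;
        uint64_t base = strtoull(shadow_rows[i], &p, 16);
        if (addr < base || addr >= base + 16 * GRANULE) continue;
        int val = -1;
        p++;                                    /* skip ':' after the base address */
        for (size_t g = 0; g <= (addr - base) / GRANULE; g++)
            val = (int)strtoul(p, &p, 16);      /* walk the row to the wanted granule */
        return val;
    }
    return -1;
}

/* Addressable bytes from obj onward per the shadow, i.e. the live object's size. */
uint64_t addressable_run(uint64_t obj)
{
    uint64_t n = 0;
    for (int s = shadow_byte_for(obj); s == 0; s = shadow_byte_for(obj + n))
        n += GRANULE;
    int tail = shadow_byte_for(obj + n);        /* a 01..07 byte ends a short object */
    return n + (tail > 0 && tail < GRANULE ? (uint64_t)tail : 0);
}

/* Bytes by which an access at addr lies past the end of [obj, obj + len). */
uint64_t bytes_past_end(uint64_t addr, uint64_t obj, uint64_t len)
{ return addr >= obj + len ? addr - (obj + len) : 0; }
```

For the object at ffff888154826a00 the shadow yields a 24-byte live region, and the faulting address lands 8 bytes past it on an fc (slab redzone) granule, matching the report's own summary.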

