lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 11 Jun 2024 00:19:24 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: agruenba@...hat.com
Cc: gfs2@...ts.linux.dev,
 linux-kernel@...r.kernel.org,
 syzkaller@...glegroups.com
Subject: KASAN: slab-out-of-bounds in gfs2_check_blk_type

Hi Kernel Maintainers,

Our tool found a new kernel bug KASAN: slab-out-of-bounds in gfs2_check_blk_type. Please see the details below.

Kernel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment

Please let me know for anything I can help.

Best,
Shuangpeng


[   71.590873][ T8079] ==================================================================
[ 71.593005][ T8079] BUG: KASAN: slab-out-of-bounds in gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[   71.595063][ T8079] Read of size 8 at addr ffff888021a377d0 by task a.out/8079
[   71.596905][ T8079]
[   71.597832][ T8079] CPU: 0 PID: 8079 Comm: a.out Not tainted 6.9.0 #8
[   71.600123][ T8079] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   71.603460][ T8079] Call Trace:
[   71.604602][ T8079]  <TASK>
[ 71.605683][ T8079] dump_stack_lvl (lib/dump_stack.c:117) 
[ 71.607296][ T8079] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) 
[ 71.608909][ T8079] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) 
[ 71.610551][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.612454][ T8079] kasan_report (mm/kasan/report.c:603) 
[ 71.613973][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.615832][ T8079] gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.617677][ T8079] ? __pfx_gfs2_check_blk_type (fs/gfs2/rgrp.c:2614) 
[ 71.619723][ T8079] ? gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492) 
[ 71.621526][ T8079] ? __gfs2_holder_init (fs/gfs2/glock.c:1272) 
[ 71.623447][ T8079] gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492) 
[ 71.626079][ T8079] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389) 
[ 71.628057][ T8079] ? pick_eevdf (kernel/sched/fair.c:909) 
[ 71.629661][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 71.631511][ T8079] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186) 
[ 71.633165][ T8079] ? finish_task_switch.isra.0 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/sched/sched.h:1399 kernel/sched/core.c:5163 kernel/sched/core.c:5281) 
[ 71.635270][ T8079] ? __inode_wait_for_writeback (fs/fs-writeback.c:1512) 
[ 71.637336][ T8079] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1512) 
[ 71.639501][ T8079] ? evict (fs/inode.c:672) 
[ 71.640957][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 71.642637][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 71.644575][ T8079] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 71.646161][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 71.648103][ T8079] evict (fs/inode.c:672) 
[ 71.649493][ T8079] iput.part.0 (fs/inode.c:1741 fs/inode.c:1767) 
[ 71.650985][ T8079] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025) 
[ 71.652903][ T8079] iput (fs/inode.c:1769) 
[ 71.654195][ T8079] dentry_unlink_inode (fs/dcache.c:401) 
[ 71.655902][ T8079] __dentry_kill (fs/dcache.c:606) 
[ 71.657456][ T8079] dput (fs/dcache.c:846 fs/dcache.c:833) 
[ 71.658782][ T8079] shrink_dcache_for_umount (./include/linux/list_bl.h:74 fs/dcache.c:1557) 
[ 71.660731][ T8079] generic_shutdown_super (fs/super.c:620) 
[ 71.662500][ T8079] kill_block_super (fs/super.c:1676) 
[ 71.664147][ T8079] gfs2_kill_sb (fs/gfs2/ops_fstype.c:1805) 
[ 71.665748][ T8079] deactivate_locked_super (fs/super.c:433 fs/super.c:474) 
[ 71.667612][ T8079] deactivate_super (fs/super.c:507) 
[ 71.669282][ T8079] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268) 
[ 71.670805][ T8079] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 71.672412][ T8079] ? __pfx_task_work_run (kernel/task_work.c:148) 
[ 71.674201][ T8079] ? __put_net (net/core/net_namespace.c:689) 
[ 71.675709][ T8079] do_exit (kernel/exit.c:879) 
[ 71.677175][ T8079] ? __count_memcg_events (mm/memcontrol.c:723 mm/memcontrol.c:962) 
[ 71.679117][ T8079] ? __pfx_do_exit (kernel/exit.c:819) 
[ 71.680723][ T8079] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169) 
[ 71.682564][ T8079] ? zap_other_threads (kernel/signal.c:1390) 
[ 71.684339][ T8079] do_group_exit (kernel/exit.c:1008) 
[ 71.685853][ T8079] __x64_sys_exit_group (kernel/exit.c:1036) 
[ 71.687482][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 71.689990][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   71.691214][ T8079] RIP: 0033:0x7f5ca99d3146
[ 71.692267][ T8079] Code: Unable to access opcode bytes at 0x7f5ca99d311c.

Code starting with the faulting instruction
===========================================
[   71.693702][ T8079] RSP: 002b:00007ffe66c629e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.695408][ T8079] RAX: ffffffffffffffda RBX: 00007f5ca9ad88a0 RCX: 00007f5ca99d3146
[   71.697059][ T8079] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   71.698635][ T8079] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
[   71.700276][ T8079] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f5ca9ad88a0
[   71.702040][ T8079] R13: 0000000000000001 R14: 00007f5ca9ae12e8 R15: 0000000000000000
[   71.703663][ T8079]  </TASK>
[   71.704290][ T8079]
[   71.704752][ T8079] Allocated by task 8079:
[ 71.705650][ T8079] kasan_save_stack (mm/kasan/common.c:48) 
[ 71.706631][ T8079] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 71.707574][ T8079] __kasan_kmalloc (mm/kasan/common.c:391) 
[ 71.708505][ T8079] __kmalloc (./include/linux/kasan.h:211 mm/slub.c:3972 mm/slub.c:3985) 
[ 71.709364][ T8079] read_rindex_entry (./include/linux/slab.h:665 ./include/linux/slab.h:696 fs/gfs2/rgrp.c:766 fs/gfs2/rgrp.c:931) 
[ 71.710394][ T8079] gfs2_ri_update (fs/gfs2/rgrp.c:1002 (discriminator 1)) 
[ 71.711339][ T8079] gfs2_rindex_update (fs/gfs2/rgrp.c:1051) 
[ 71.712483][ T8079] init_inodes (fs/gfs2/ops_fstype.c:913) 
[ 71.713427][ T8079] gfs2_fill_super (fs/gfs2/ops_fstype.c:1264) 
[ 71.714433][ T8079] get_tree_bdev (fs/super.c:1615) 
[ 71.715380][ T8079] gfs2_get_tree (fs/gfs2/ops_fstype.c:1342) 
[ 71.716319][ T8079] vfs_get_tree (fs/super.c:1780) 
[ 71.717229][ T8079] path_mount (fs/namespace.c:3353 fs/namespace.c:3679) 
[ 71.718124][ T8079] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875) 
[ 71.719108][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 71.720025][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   71.721224][ T8079]
[   71.721838][ T8079] The buggy address belongs to the object at ffff888021a37780
[   71.721838][ T8079]  which belongs to the cache kmalloc-96 of size 96
[   71.724602][ T8079] The buggy address is located 0 bytes to the right of
[   71.724602][ T8079]  allocated 80-byte region [ffff888021a37780, ffff888021a377d0)
[   71.727454][ T8079]
[   71.727931][ T8079] The buggy address belongs to the physical page:
[   71.729233][ T8079] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21a37
[   71.730941][ T8079] ksm flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[   71.732522][ T8079] page_type: 0xffffffff()
[   71.733415][ T8079] raw: 00fff00000000800 ffff888011c41780 ffffea0000860340 dead000000000003
[   71.735106][ T8079] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   71.736792][ T8079] page dumped because: kasan: bad access detected
[   71.738102][ T8079] page_owner tracks the page as allocated
[   71.739229][ T8079] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 18270934128, free_ts 182673967
[ 71.742812][ T8079] post_alloc_hook (./include/linux/page_owner.h:32 mm/page_alloc.c:1534) 
[ 71.743828][ T8079] get_page_from_freelist (mm/page_alloc.c:1543 mm/page_alloc.c:3317) 
[ 71.744948][ T8079] __alloc_pages (mm/page_alloc.c:4576) 
[ 71.745863][ T8079] allocate_slab (mm/slub.c:2181 mm/slub.c:2343) 
[ 71.746796][ T8079] ___slab_alloc (mm/slub.c:3531) 
[ 71.747698][ T8079] __slab_alloc.constprop.0 (mm/slub.c:3615) 
[ 71.748821][ T8079] kmalloc_trace (mm/slub.c:3668 mm/slub.c:3841 mm/slub.c:3998) 
[ 71.749739][ T8079] call_usermodehelper_setup (kernel/umh.c:364) 
[ 71.750918][ T8079] kobject_uevent_env (lib/kobject_uevent.c:613) 
[ 71.752105][ T8079] param_sysfs_builtin_init (kernel/params.c:822 kernel/params.c:856 kernel/params.c:990) 
[ 71.753257][ T8079] do_one_initcall (init/main.c:1245) 
[ 71.754155][ T8079] kernel_init_freeable (init/main.c:1306 init/main.c:1323 init/main.c:1342 init/main.c:1555) 
[ 71.755340][ T8079] kernel_init (init/main.c:1446) 
[ 71.756346][ T8079] ret_from_fork (arch/x86/kernel/process.c:153) 
[ 71.757242][ T8079] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[   71.758204][ T8079] page last free pid 8 tgid 8 stack trace:
[ 71.759381][ T8079] free_unref_page_prepare (./include/linux/page_owner.h:25 mm/page_alloc.c:1141 mm/page_alloc.c:2347) 
[ 71.760517][ T8079] free_unref_page (mm/page_alloc.c:2487) 
[ 71.761655][ T8079] vfree.part.0 (./include/linux/sched.h:1988 mm/vmalloc.c:3341) 
[ 71.762567][ T8079] delayed_vfree_work (mm/vmalloc.c:3260 (discriminator 1)) 
[ 71.763552][ T8079] process_one_work (kernel/workqueue.c:3272) 
[ 71.764550][ T8079] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) 
[ 71.765490][ T8079] kthread (kernel/kthread.c:388) 
[ 71.766344][ T8079] ret_from_fork (arch/x86/kernel/process.c:153) 
[ 71.767258][ T8079] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[   71.768206][ T8079]
[   71.768674][ T8079] Memory state around the buggy address:
[   71.769194][ T8079]  ffff888021a37680: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   71.769942][ T8079]  ffff888021a37700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   71.770679][ T8079] >ffff888021a37780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   71.771410][ T8079]                                                  ^
[   71.772016][ T8079]  ffff888021a37800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   71.772768][ T8079]  ffff888021a37880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   71.773516][ T8079] ==================================================================
[   71.778624][ T8079] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   71.780113][ T8079] CPU: 0 PID: 8079 Comm: a.out Not tainted 6.9.0 #8
[   71.781462][ T8079] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   71.783278][ T8079] Call Trace:
[   71.783932][ T8079]  <TASK>
[ 71.784536][ T8079] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) 
[ 71.785477][ T8079] panic (kernel/panic.c:348) 
[ 71.786276][ T8079] ? __pfx_panic (kernel/panic.c:282) 
.787159][ T8079]
1? preeMmessapge ft_schedule_romth suynk+sl0ogdx@...zkallaer/ 0x3at0 Jun
1 04:06:[ 71.789194][ T8079] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927) 
[ 71.790322][ T8079] ? check_panic_on_warn (kernel/panic.c:240) 
[ 71.791312][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.792378][ T8079] check_panic_on_warn (kernel/panic.c:241) 
[ 71.793372][ T8079] end_report (mm/kasan/report.c:226) 
[ 71.794210][ T8079] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) 
[ 71.795072][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.796124][ T8079] gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638) 
[ 71.797166][ T8079] ? __pfx_gfs2_check_blk_type (fs/gfs2/rgrp.c:2614) 
[ 71.798273][ T8079] ? gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492) 
[ 71.799279][ T8079] ? __gfs2_holder_init (fs/gfs2/glock.c:1272) 
[ 71.800333][ T8079] gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492) 
[ 71.801313][ T8079] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389) 
[ 71.802342][ T8079] ? pick_eevdf (kernel/sched/fair.c:909) 
[ 71.803240][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 71.804316][ T8079] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186) 
[ 71.805280][ T8079] ? finish_task_switch.isra.0 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/sched/sched.h:1399 kernel/sched/core.c:5163 kernel/sched/core.c:5281) 
[ 71.806403][ T8079] ? __inode_wait_for_writeback (fs/fs-writeback.c:1512) 
[ 71.807560][ T8079] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1512) 
[ 71.808805][ T8079] ? evict (fs/inode.c:672) 
[ 71.809617][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 71.810623][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 71.811620][ T8079] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 71.812546][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473) 
[ 71.813592][ T8079] evict (fs/inode.c:672) 
[ 71.814368][ T8079] iput.part.0 (fs/inode.c:1741 fs/inode.c:1767) 
[ 71.815242][ T8079] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025) 
[ 71.816287][ T8079] iput (fs/inode.c:1769) 
[ 71.817017][ T8079] dentry_unlink_inode (fs/dcache.c:401) 
[ 71.818015][ T8079] __dentry_kill (fs/dcache.c:606) 
[ 71.818920][ T8079] dput (fs/dcache.c:846 fs/dcache.c:833) 
[ 71.819674][ T8079] shrink_dcache_for_umount (./include/linux/list_bl.h:74 fs/dcache.c:1557) 
[ 71.820782][ T8079] generic_shutdown_super (fs/super.c:620) 
[ 71.821828][ T8079] kill_block_super (fs/super.c:1676) 
[ 71.822766][ T8079] gfs2_kill_sb (fs/gfs2/ops_fstype.c:1805) 
[ 71.823658][ T8079] deactivate_locked_super (fs/super.c:433 fs/super.c:474) 
[ 71.824712][ T8079] deactivate_super (fs/super.c:507) 
[ 71.825633][ T8079] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268) 
[ 71.826501][ T8079] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[ 71.827407][ T8079] ? __pfx_task_work_run (kernel/task_work.c:148) 
[ 71.828436][ T8079] ? __put_net (net/core/net_namespace.c:689) 
[ 71.829281][ T8079] do_exit (kernel/exit.c:879) 
[ 71.830111][ T8079] ? __count_memcg_events (mm/memcontrol.c:723 mm/memcontrol.c:962) 
[ 71.831169][ T8079] ? __pfx_do_exit (kernel/exit.c:819) 
[ 71.832055][ T8079] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169) 
[ 71.833161][ T8079] ? zap_other_threads (kernel/signal.c:1390) 
[ 71.834169][ T8079] do_group_exit (kernel/exit.c:1008) 
[ 71.835077][ T8079] __x64_sys_exit_group (kernel/exit.c:1036) 
[ 71.836064][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 71.836965][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   71.838114][ T8079] RIP: 0033:0x7f5ca99d3146
[ 71.838990][ T8079] Code: Unable to access opcode bytes at 0x7f5ca99d311c.

Code starting with the faulting instruction
===========================================
[   71.840378][ T8079] RSP: 002b:00007ffe66c629e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.841988][ T8079] RAX: ffffffffffffffda RBX: 00007f5ca9ad88a0 RCX: 00007f5ca99d3146
[   71.843542][ T8079] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   71.845086][ T8079] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
[   71.846664][ T8079] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f5ca9ad88a0
[   71.848199][ T8079] R13: 0000000000000001 R14: 00007f5ca9ae12e8 R15: 0000000000000000
[   71.849736][ T8079]  </TASK>
[   71.850486][ T8079] Kernel Offset: disabled
[   71.851322][ T8079] Rebooting in 86400 seconds..


Download attachment "repro.c" of type "application/octet-stream" (1109419 bytes)

Download attachment ".config" of type "application/octet-stream" (247338 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ