| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <0F82FC44-8E11-4504-A49F-9D5AE22860D5@m.fudan.edu.cn> Date: Tue, 24 Dec 2024 20:50:49 +0800 From: Kun Hu <huk23@...udan.edu.cn> To: akpm@...ux-foundation.org Cc: linux-kernel@...r.kernel.org, "jjtan24@...udan.edu.cn" <jjtan24@...udan.edu.cn> Subject: Bug: slab-out-of-bounds Read in ea_get Hello, When using fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered. HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 git tree: upstream Console output: https://drive.google.com/file/d/1KrY5oMTQhPP44RbqZI2T9E-L3Jf2a1a4/view?usp=sharing Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing C reproducer: https://drive.google.com/file/d/1LSM5ni3Cu8eDN9IqS7h8AAJS1VL_JYm6/view?usp=sharing Syzlang reproducer: https://drive.google.com/file/d/1Gu6o11L7OCdlg9IGlNa5imryr093AdKD/view?usp=sharing Similar report: https://lore.kernel.org/lkml/b01f01258a51430bbcc848ae3c73fb5f@qianxin.com/T/ This bug seems to have been reported and fixed in the old kernel, which seems to be a regression issue? If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu <huk23@...udan.edu.cn> ================================================================== BUG: KASAN: slab-out-of-bounds in hex_dump_to_buffer+0xe0c/0xe20 lib/hexdump.c:193 Read of size 1 at addr ff110000113e3f60 by task syz-executor106/417 CPU: 0 UID: 0 PID: 417 Comm: syz-executor106 Not tainted 6.13.0-rc3 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x5f0 mm/kasan/report.c:489 kasan_report+0x93/0xc0 mm/kasan/report.c:602 hex_dump_to_buffer+0xe0c/0xe20 lib/hexdump.c:193 print_hex_dump+0x172/0x240 lib/hexdump.c:276 ea_get+0x862/0x1340 fs/jfs/xattr.c:565 __jfs_getxattr+0xc2/0x4e0 fs/jfs/xattr.c:811 jfs_xattr_get+0x3d/0x50 fs/jfs/xattr.c:950 __vfs_getxattr+0x13e/0x1a0 fs/xattr.c:423 inode_doinit_use_xattr+0xb5/0x420 security/selinux/hooks.c:1366 inode_doinit_with_dentry+0xd17/0x1290 security/selinux/hooks.c:1491 selinux_d_instantiate+0x27/0x30 security/selinux/hooks.c:6372 security_d_instantiate+0x123/0x180 security/security.c:4070 d_splice_alias+0x90/0xee0 fs/dcache.c:3001 jfs_lookup+0x214/0x340 fs/jfs/namei.c:1474 __lookup_slow+0x25b/0x490 fs/namei.c:1791 lookup_slow fs/namei.c:1808 [inline] walk_component+0x345/0x5b0 fs/namei.c:2112 lookup_last fs/namei.c:2610 [inline] path_lookupat.isra.0+0x180/0x560 fs/namei.c:2634 filename_lookup+0x211/0x470 fs/namei.c:2663 filename_listxattr fs/xattr.c:955 [inline] path_listxattrat+0x11c/0x350 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f99007240bd Code: c3 e8 e7 2c 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe69a98a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f99007240bd RDX: 0000000000000074 RSI: 0000000000000000 RDI: 00000000200000c0 RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000001 R10: 00007ffe69a98900 R11: 0000000000000246 R12: 00007ffe69a98a5c R13: 00007ffe69a98a60 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 417: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4119 [inline] slab_alloc_node mm/slub.c:4168 [inline] kmem_cache_alloc_lru_noprof+0x14e/0x410 mm/slub.c:4187 jfs_alloc_inode+0x27/0x60 fs/jfs/super.c:105 alloc_inode+0x63/0x1f0 fs/inode.c:336 iget_locked+0x25f/0x600 fs/inode.c:1487 jfs_iget+0x1e/0x4e0 fs/jfs/inode.c:29 jfs_lookup+0x27c/0x340 fs/jfs/namei.c:1469 __lookup_slow+0x25b/0x490 fs/namei.c:1791 lookup_slow fs/namei.c:1808 [inline] walk_component+0x345/0x5b0 fs/namei.c:2112 lookup_last fs/namei.c:2610 [inline] path_lookupat.isra.0+0x180/0x560 fs/namei.c:2634 filename_lookup+0x211/0x470 fs/namei.c:2663 filename_listxattr fs/xattr.c:955 [inline] path_listxattrat+0x11c/0x350 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ff110000113e36c0 which belongs to the cache jfs_ip of size 2208 The buggy address is located 0 bytes to the right of allocated 2208-byte region [ff110000113e36c0, ff110000113e3f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113e0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ff1100000428ec80 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800e000e 00000001f5000000 0000000000000000 head: 0100000000000040 ff1100000428ec80 dead000000000122 0000000000000000 head: 0000000000000000 00000000800e000e 00000001f5000000 0000000000000000 head: 0100000000000003 ffd400000044f801 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected —————— Thanks, Kun Hu
Powered by blists - more mailing lists