| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Oct 2019 01:38:12 -0700
From: syzbot <syzbot+357de617b97752833bd5@...kaller.appspotmail.com>
To: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk
Subject: KASAN: stack-out-of-bounds Read in finish_writeback_work
Hello,
syzbot found the following crash on:
HEAD commit: 05679ca6 xdp: Prevent overflow in devmap_hash cost calcula..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=12d37fcf600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ebb95b9e9f5291dd
dashboard link: https://syzkaller.appspot.com/bug?extid=357de617b97752833bd5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+357de617b97752833bd5@...kaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in finish_writeback_work.isra.0+0x11b/0x120
fs/fs-writeback.c:168
Read of size 8 at addr ffff88806f04f9c8 by task kworker/u4:2/33
CPU: 1 PID: 33 Comm: kworker/u4:2 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: writeback wb_workfn (flush-8:0)
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
finish_writeback_work.isra.0+0x11b/0x120 fs/fs-writeback.c:168
wb_do_writeback fs/fs-writeback.c:2030 [inline]
wb_workfn+0x34f/0x1220 fs/fs-writeback.c:2070
process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea0001bc13c0 refcount:0 mapcount:0 mapping:0000000000000000
index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff01bc0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88806f04f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
ffff88806f04f900: f1 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00
> ffff88806f04f980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3
^
ffff88806f04fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffff88806f04fa80: f1 f1 f1 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists