Slab out of bounds in setxattr

From: shankarapailoor
Date: Fri Jun 01 2018 - 16:52:28 EST

Hi Dave et al,

I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN:
slab-out-of-bounds in jfs_xattr.

Attached are my kernel configs and a C reproducer. In the first
setxattr call it appears that length is much larger than the name. In
__jfs_setxattr, I don't see where the length is checked against the
actual value length.

Shankara Pailoor

Attachment: jfskernelconfigs
Description: Binary data

// autogenerated by syzkaller (
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
void loop()
memcpy((void*)0x20000567, "olddir", 7);
syscall(__NR_mkdir, 0x20000567, 0x1c0);
memcpy((void*)0x200001c0, "olddir/oldfile", 15);
syscall(__NR_open, 0x200001c0, 0xc2, 0x80);
memcpy((void*)0x20000240, "olddir/oldfile", 15);
memcpy((void*)0x20000200, "user.", 5);
memcpy((void*)0x20000205, "user.", 5);
memcpy((void*)0x200000c0, "\x77\x6c\x61\x6e\x30\x00\xaf\xe6\x24\xe4\x91\xb6\x97\xce\x15\x18\x5a\xd6\x98\xe4\x94\x13\x31\x39\
x92\x22\xdc\x23\x9f\x7c\xc0\x6e\x95\x8b\xe2\xae\xd6\xf0\x40\xc1\xd4\xc5\x86\x28\x7f\x82\x8d\x85\x12\x78\xa9\xdc\x47", 84);
syscall(__NR_setxattr, 0x20000240, 0x20000200, 0x200000c0, 0xfd50, 0);
memcpy((void*)0x20000180, "olddir/oldfile", 15);
memcpy((void*)0x20000080, "user.", 5);
memcpy((void*)0x20000085, "wlan0", 6);
memcpy((void*)0x20000000, "lo-bdevbdev", 12);
syscall(__NR_setxattr, 0x20000180, 0x20000080, 0x20000000, 0xc, 0);
int main()
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
return 0;