Re: KASAN: slab-out-of-bounds Write in pipe_write

From: Eric Biggers
Date: Thu Dec 05 2019 - 02:45:43 EST


Hi David,

On Mon, Dec 02, 2019 at 11:54:00AM -0800, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit a194dfe6e6f6f7205eea850a420f2bc6a1541209
> Author: David Howells <dhowells@xxxxxxxxxx>
> Date: Fri Sep 20 15:32:19 2019 +0000
>
> pipe: Rearrange sequence in pipe_write() to preallocate slot
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16085abce00000
> start commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=15085abce00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11085abce00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ff560c3de405258c
> dashboard link: https://syzkaller.appspot.com/bug?extid=838eb0878ffd51f27c41
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146a9f86e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1791d82ae00000
>
> Reported-by: syzbot+838eb0878ffd51f27c41@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a194dfe6e6f6 ("pipe: Rearrange sequence in pipe_write() to
> preallocate slot")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>

It looks like the 'mask' variable in pipe_write() is not being updated after the
pipe mutex was dropped in pipe_wait(), to take into account the pipe size
possibly having been changed in the meantime.

BTW, I see that the pipe changes were not in linux-next before being sent to
Linus. Please do this next time so that syzbot can find the obvious bugs before
they reach mainline. It's annoying having my system crash on latest mainline
during normal use, due to a bug easily found in < 1 day by an automated system.

- Eric
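The stale-mask pattern Eric describes, as an added illustration that is not code from the kernel or from this thread: a constructed user-space model of a ring buffer in which the index mask is derived before the lock is dropped, the ring is shrunk by another task while the writer sleeps, and the cached mask then selects a slot past the end of the new, smaller array. The `struct ring`, `ring_resize()`, `write_slot()` and `demo()` names are assumptions of this model.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pipe ring; not the kernel's own pipe_write(). */
struct ring {
    unsigned int ring_size;  /* slot count, a power of two */
    unsigned int head;       /* producer index; slot = head & (ring_size - 1) */
    int *bufs;               /* heap array with ring_size slots */
};

/* Stand-in for another task resizing the pipe (e.g. via F_SETPIPE_SZ). */
static void ring_resize(struct ring *r, unsigned int new_size)
{
    unsigned int keep = new_size < r->ring_size ? new_size : r->ring_size;
    int *n = calloc(new_size, sizeof *n);
    memcpy(n, r->bufs, keep * sizeof *n);
    free(r->bufs);
    r->bufs = n;
    r->ring_size = new_size;
}

/* One pass of the write loop: 'mask' is derived under the lock, the lock is
 * dropped (pipe_wait) and the ring shrinks meanwhile, then the lock is retaken.
 * refresh == false keeps the stale mask, as the report describes; refresh ==
 * true re-derives it. Returns the slot that would be written, or -1 when that
 * slot is past the end of the current bufs[] (the out-of-bounds write). */
static int write_slot(struct ring *r, unsigned int shrink_to, bool refresh)
{
    unsigned int mask = r->ring_size - 1;  /* cached before sleeping */
    ring_resize(r, shrink_to);             /* concurrent resize while asleep */
    if (refresh)
        mask = r->ring_size - 1;           /* recompute after waking */
    unsigned int slot = r->head & mask;
    if (slot >= r->ring_size)
        return -1;                         /* would overrun bufs[] */
    r->bufs[slot] = 1;
    return (int)slot;
}

static int demo(bool refresh)
{
    /* Constructed scenario: 16-slot ring, head at 5, shrunk to 4 while waiting. */
    struct ring r = { 16, 5, calloc(16, sizeof(int)) };
    int slot = write_slot(&r, 4, refresh);
    free(r.bufs);
    return slot;
}
```

With the stale mask, `demo(false)` reports that slot 5 would be written into a 4-slot array; `demo(true)` re-derives the mask after waking and lands on slot 1.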