BUG: slab-out-of-bounds in bio_alloc_bioset

From: Baozeng Ding
Date: Tue May 24 2016 - 11:28:33 EST


Hi all,
I've got the following report (slab-out-of-bounds in bio_alloc_bioset) while running
syzkaller. The kernel version is 4.6.0-rc7+ (I can reproduce it with syzkaller). Thanks.

BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff8800187a9030
Read of size 4096 by task syz-executor/27197
page:ffffea000061ea40 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 27197 Comm: syz-executor Not tainted 4.6.0-rc7+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
0000000000000001 ffff8800323270b8 ffffffff82809d71 ffff880032327148
ffff8800187a9030 ffff8800187a9030 ffff8800323275b0 ffff880032327138
ffffffff815c504b ffff88001f004e00 ffff88001a5d7140 0000000000000286
Call Trace:
[< inline >] __dump_stack /lib/dump_stack.c:15
[<ffffffff82809d71>] dump_stack+0xb3/0x112 /lib/dump_stack.c:51
[< inline >] print_address_description /mm/kasan/report.c:190
[<ffffffff815c504b>] kasan_report_error+0x4fb/0x530 /mm/kasan/report.c:275
[<ffffffff815beab7>] ? ___slab_alloc+0x167/0x500 /mm/slub.c:2449
[< inline >] ? spin_unlock /include/linux/spinlock.h:347
[<ffffffff815bde58>] ? deactivate_slab+0x408/0x710 /mm/slub.c:2001
[<ffffffff815c53b4>] kasan_report+0x34/0x40 /mm/kasan/report.c:297
[<ffffffff815c45bd>] ? memcpy+0x1d/0x40 /mm/kasan/kasan.c:318
[< inline >] check_memory_region /mm/kasan/kasan.c:285
[<ffffffff815c3ff4>] __asan_loadN+0x124/0x1a0 /mm/kasan/kasan.c:678
[<ffffffff815c45bd>] memcpy+0x1d/0x40 /mm/kasan/kasan.c:318
[<ffffffff8284a951>] copy_from_iter+0x581/0x960 /lib/iov_iter.c:416
[< inline >] ? kasan_poison_shadow /mm/kasan/kasan.c:52
[<ffffffff815c43c6>] ? kasan_unpoison_shadow+0x36/0x50 /mm/kasan/kasan.c:57
[<ffffffff8284dd60>] copy_page_from_iter+0x510/0xa50 /lib/iov_iter.c:467
[<ffffffff8275f6fa>] ? bio_alloc_bioset+0x3ca/0x7a0 /block/bio.c:512
[<ffffffff8284d850>] ? iov_iter_fault_in_readable+0x220/0x220 /lib/iov_iter.c:313
[<ffffffff8275bd9c>] ? bio_add_pc_page+0x3fc/0x900 /block/bio.c:798
[< inline >] bio_copy_from_iter /block/bio.c:1029
[<ffffffff82762568>] bio_copy_user_iov+0xac8/0xe10 /block/bio.c:1230
[<ffffffff82761aa0>] ? bio_uncopy_user+0x650/0x650 /block/bio.c:1057
[<ffffffff82847534>] ? iov_iter_advance+0x154/0x540 /lib/iov_iter.c:511
[< inline >] bio_set_flag /include/linux/bio.h:305
[< inline >] __blk_rq_map_user_iov /block/blk-map.c:59
[<ffffffff82793ccb>] blk_rq_map_user_iov+0x23b/0xa80 /block/blk-map.c:125
[<ffffffff82793a90>] ? blk_rq_append_bio+0x170/0x170 /block/blk-map.c:15
[<ffffffff815beab7>] ? ___slab_alloc+0x167/0x500 /mm/slub.c:2449
[<ffffffff812b45f0>] ? debug_check_no_locks_freed+0x290/0x290 /kernel/locking/lockdep.c:4212
[< inline >] ? kmalloc /include/linux/slab.h:483
[< inline >] ? kzalloc /include/linux/slab.h:622
[< inline >] ? sg_build_sgat /drivers/scsi/sg.c:1817
[<ffffffff8354481b>] ? sg_build_indirect.isra.18+0x8b/0x530 /drivers/scsi/sg.c:1843
[<ffffffff82848534>] ? import_single_range+0x1d4/0x2b0 /lib/iov_iter.c:869
[<ffffffff82794610>] blk_rq_map_user+0x100/0x170 /block/blk-map.c:154
[<ffffffff82794510>] ? blk_rq_map_user_iov+0xa80/0xa80 /block/blk-map.c:227
[<ffffffff815af514>] ? alloc_pages_current+0x104/0x340 /mm/mempolicy.c:2095
[< inline >] sg_start_req /drivers/scsi/sg.c:1767
[<ffffffff83547152>] sg_common_write.isra.19+0x1042/0x16d0 /drivers/scsi/sg.c:783
[<ffffffff83546110>] ? sg_open+0x13a0/0x13a0 /drivers/scsi/sg.c:2145
[<ffffffff8353f030>] ? sg_add_request+0x30/0x2d0 /drivers/scsi/sg.c:2058
[<ffffffff812b407d>] ? trace_hardirqs_on+0xd/0x10 /kernel/locking/lockdep.c:2734
[<ffffffff8353f0fb>] ? sg_add_request+0xfb/0x2d0 /drivers/scsi/sg.c:2088
[< inline >] ? finish_lock_switch /kernel/sched/sched.h:1122
[<ffffffff8123200e>] ? finish_task_switch+0x14e/0x5f0 /kernel/sched/core.c:2626
[<ffffffff8354aeb6>] sg_write+0x606/0xa30 /drivers/scsi/sg.c:686
[<ffffffff8354a8b0>] ? sg_ioctl+0x2990/0x2990 /drivers/scsi/sg.c:1090
[< inline >] ? rcu_read_unlock /include/linux/rcupdate.h:922
[<ffffffff812a86cd>] ? cpuacct_charge+0x1bd/0x340 /kernel/sched/cpuacct.c:245
[<ffffffff812b45f0>] ? debug_check_no_locks_freed+0x290/0x290 /kernel/locking/lockdep.c:4212
[< inline >] ? idle_balance /kernel/sched/fair.c:7505
[<ffffffff8127c750>] ? pick_next_task_fair+0x310/0x2390 /kernel/sched/fair.c:5556
[< inline >] ? rcu_read_unlock /include/linux/rcupdate.h:922
[< inline >] ? idle_balance /kernel/sched/fair.c:7511
[<ffffffff8127c86e>] ? pick_next_task_fair+0x42e/0x2390 /kernel/sched/fair.c:5556
[<ffffffff812b45f0>] ? debug_check_no_locks_freed+0x290/0x290 /kernel/locking/lockdep.c:4212
[<ffffffff8160eac3>] __vfs_write+0x113/0x4b0 /fs/read_write.c:529
[<ffffffff8354a8b0>] ? sg_ioctl+0x2990/0x2990 /drivers/scsi/sg.c:1090
[<ffffffff8160e9b0>] ? do_iter_readv_writev+0x2b0/0x2b0 /fs/read_write.c:707
[<ffffffff812b407d>] ? trace_hardirqs_on+0xd/0x10 /kernel/locking/lockdep.c:2734
[< inline >] ? pipe_lock_nested /fs/pipe.c:65
[< inline >] ? pipe_lock /fs/pipe.c:73
[<ffffffff816295a8>] ? pipe_wait+0x148/0x1a0 /fs/pipe.c:121
[<ffffffff85b443b0>] ? mutex_lock_interruptible_nested+0x980/0x980 ??:?
[< inline >] ? arch_local_irq_restore /./arch/x86/include/asm/paravirt.h:791
[< inline >] ? __raw_spin_unlock_irqrestore /include/linux/spinlock_api_smp.h:162
[<ffffffff85b4ac76>] ? _raw_spin_unlock_irqrestore+0x36/0x60 /kernel/locking/spinlock.c:191
[< inline >] ? spin_unlock_irqrestore /include/linux/spinlock.h:362
[<ffffffff812975cd>] ? finish_wait+0xfd/0x180 /kernel/sched/wait.c:253
[<ffffffff8160ef47>] __kernel_write+0xe7/0x320 /fs/read_write.c:551
[<ffffffff81227630>] ? __might_sleep+0x90/0x1a0 /kernel/sched/core.c:7426
[<ffffffff816ae2b9>] write_pipe_buf+0x159/0x1e0 /fs/splice.c:1071
[<ffffffff816ae160>] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
[<ffffffff816aedf0>] ? splice_from_pipe_next+0x2f0/0x3c0 /fs/splice.c:818
[< inline >] splice_from_pipe_feed /fs/splice.c:773
[<ffffffff816af114>] __splice_from_pipe+0x254/0x710 /fs/splice.c:898
[<ffffffff816ae160>] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
[<ffffffff816b29e7>] splice_from_pipe+0xf7/0x140 /fs/splice.c:933
[<ffffffff816ae160>] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
[<ffffffff816b28f0>] ? splice_shrink_spd+0x60/0x60 /fs/splice.c:299
[<ffffffff82548b29>] ? security_file_permission+0x89/0x1e0 /security/security.c:733
[<ffffffff816b2ac0>] default_file_splice_write+0x40/0x90 /fs/splice.c:1083
[< inline >] do_splice_from /fs/splice.c:1125
[< inline >] do_splice /fs/splice.c:1404
[< inline >] SYSC_splice /fs/splice.c:1707
[<ffffffff816b36aa>] SyS_splice+0x7fa/0x1670 /fs/splice.c:1690
[< inline >] ? SYSC_futex /kernel/futex.c:3237
[<ffffffff8135988f>] ? SyS_futex+0x13f/0x2b0 /kernel/futex.c:3205
[<ffffffff816b2a80>] ? generic_splice_sendpage+0x50/0x50 /fs/splice.c:1107
[<ffffffff816b2eb0>] ? compat_SyS_vmsplice+0x250/0x250 /fs/splice.c:1658
[<ffffffff8100301b>] ? trace_hardirqs_on_thunk+0x1b/0x1d /arch/x86/entry/thunk_64.S:42
[<ffffffff85b4b340>] entry_SYSCALL_64_fastpath+0x23/0xc1 /arch/x86/entry/entry_64.S:207
Memory state around the buggy address:
ffff8800187a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8800187a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800187aa000: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
                   ^
ffff8800187aa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8800187aa100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Best Regards,
Baozeng Ding
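Added example, not part of the report above or of the kernel: a small C tool that decodes the "Memory state around the buggy address" rows of a KASAN report and relates them to the reported access. The shadow rows embedded in it are transcribed from this report; the shadow byte meanings (0x00 addressable, 0x01-0x07 partially addressable, 0xfc kmalloc redzone, 0xfb freed kmalloc object, 0xfa global redzone, 0xfe page redzone, 0xff free page) are the values from mm/kasan/kasan.h in 4.x kernels. For the numbers in this report it shows that the 4096-byte read starting at ffff8800187a9030 ends at ffff8800187aa030, i.e. 48 bytes past the first redzone byte at ffff8800187aa000, and that 8 of those bytes land in the kmalloc redzone (the following 00 bytes belong to a neighbouring object).

```c
/* kasan_shadow.c: decode KASAN shadow-dump rows and relate them to the
 * reported access. Example code written for this page; the rows below are
 * transcribed from the report above, nothing here is kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE 8     /* one shadow byte describes 8 bytes of memory */
#define ROW_BYTES 16             /* shadow bytes per printed row (128 bytes of memory) */
#define MAX_ROWS 16

struct shadow_row { uint64_t base; uint8_t val[ROW_BYTES]; };

/* Rows copied from the report; '>' marks the row KASAN flagged. */
static const char *report_rows[] = {
    " ffff8800187a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " ffff8800187a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    ">ffff8800187aa000: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc",
    " ffff8800187aa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    " ffff8800187aa100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};

/* Human-readable meaning of a shadow byte (mm/kasan/kasan.h, 4.x kernels). */
const char *kasan_shadow_name(uint8_t s)
{
    if (s == 0x00) return "addressable";
    if (s < KASAN_SHADOW_SCALE) return "partially addressable"; /* first s bytes valid */
    switch (s) {
    case 0xfa: return "global redzone";
    case 0xfb: return "freed kmalloc object";
    case 0xfc: return "kmalloc redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "free page";
    default:   return "stack redzone / other poison";
    }
}

/* Parse one "addr: b0 b1 ... b15" row; returns 0 on success, -1 otherwise. */
int kasan_parse_row(const char *line, struct shadow_row *out)
{
    unsigned long long base;
    if (*line == '>' || *line == ' ') line++;          /* marker column */
    if (sscanf(line, "%llx:", &base) != 1) return -1;
    const char *p = strchr(line, ':');
    if (!p) return -1;
    p++;
    out->base = base;
    for (int i = 0; i < ROW_BYTES; i++) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);        /* skips leading blanks */
        if (end == p || v > 0xff) return -1;
        out->val[i] = (uint8_t)v;
        p = end;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if the dump does not include that row. */
int kasan_shadow_at(const struct shadow_row *rows, int n, uint64_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= rows[i].base && addr < rows[i].base + ROW_BYTES * KASAN_SHADOW_SCALE)
            return rows[i].val[(addr - rows[i].base) / KASAN_SHADOW_SCALE];
    return -1;
}

/* A byte is poisoned unless its shadow is 0 or a partial value that still covers it.
 * Bytes outside the dump are treated as fine: KASAN centres the dump on the first
 * bad address, so everything before it was addressable. */
static int byte_poisoned(int shadow, uint64_t addr)
{
    if (shadow <= 0) return 0;
    if (shadow < KASAN_SHADOW_SCALE) return (int)(addr % KASAN_SHADOW_SCALE) >= shadow;
    return 1;
}

struct kasan_access_summary { uint64_t first_bad; uint64_t poisoned; uint64_t overrun; };

/* Walk the access [addr, addr+size) byte by byte against the shadow rows. */
struct kasan_access_summary kasan_analyze(const struct shadow_row *rows, int n,
                                          uint64_t addr, uint64_t size)
{
    struct kasan_access_summary s = { 0, 0, 0 };
    for (uint64_t a = addr; a < addr + size; a++) {
        if (!byte_poisoned(kasan_shadow_at(rows, n, a), a)) continue;
        if (!s.first_bad) s.first_bad = a;
        s.poisoned++;
    }
    if (s.first_bad) s.overrun = addr + size - s.first_bad;  /* bytes past first bad byte */
    return s;
}

/* Apply the analysis to the access and rows from the report above. */
struct kasan_access_summary kasan_summarize_report(void)
{
    struct shadow_row rows[MAX_ROWS];
    int n = 0;
    for (size_t i = 0; i < sizeof report_rows / sizeof *report_rows && n < MAX_ROWS; i++)
        if (kasan_parse_row(report_rows[i], &rows[n]) == 0) n++;
    return kasan_analyze(rows, n, 0xffff8800187a9030ULL, 4096);   /* "Read of size 4096" */
}

int main(void)
{
    struct kasan_access_summary s = kasan_summarize_report();
    printf("first poisoned byte: %#llx (%s)\n", (unsigned long long)s.first_bad,
           kasan_shadow_name(0xfc));
    printf("poisoned bytes in access: %llu, read runs %llu bytes past it\n",
           (unsigned long long)s.poisoned, (unsigned long long)s.overrun);
    return 0;
}
```

Feeding a different report means replacing the rows and the address/size taken from its "Read of size N ... at addr" line; partial shadow values (01-07) are handled, so the same walk works for small objects whose end is not 8-byte aligned.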