Re: perf: fuzzer KASAN: global-out-of-bounds in match_token

From: Vince Weaver
Date: Thu Nov 17 2016 - 17:12:03 EST


On Thu, 17 Nov 2016, Vince Weaver wrote:
> >
> > [ 911.507365] ==================================================================
> > [ 911.514824] BUG: KASAN: global-out-of-bounds in match_token+0x268/0x310 at addr ffffffffb14ad058
> > [ 911.523912] Read of size 8 by task perf_fuzzer/20662
> > [ 911.528945] Address belongs to variable if_tokens+0x78/0xa0
> > [ 911.534619] CPU: 7 PID: 20662 Comm: perf_fuzzer Tainted: G L 4.9.0-rc5+ #12
> > [ 911.534620] Hardware name: LENOVO 10FY0017US/SKYBAY, BIOS FWKT53A 06/06/2016
> > [ 911.534622] ffff8801efd2f970 ffffffffb0f17c88 ffff8801efd2fa08 ffffffffb14ad058
> > [ 911.534624] ffff8801efd2f9f8 ffffffffb0d0a9f3 1ffff1003dfa5f38 ffff8801efd2fc38
> > [ 911.534627] ffff8801f12ca100 0000000000000297 ffff8801efd2fc38 ffff8801efd2fa38

OK, this one is easily reproducible and from what I can tell it is caused
by calling

ioctl(PERF_EVENT_IOC_SET_FILTER)

where the filter trying to be set is

(((to&733)&&common_type&605)||common_flags<386922879890793102)

The ioctl itself fails due to EINVAL.

I'll see if I can come up with a working small test case.

Vince