Re: BUG: unable to handle kernel paging request in squashfs_decompress

From: Randy Dunlap
Date: Mon Dec 21 2020 - 21:21:22 EST


[adding squashfs...]

On 12/16/20 2:22 AM, Palash Oswal wrote:
> Syzkaller hit 'BUG: unable to handle kernel paging request in
> squashfs_decompress' bug.
>
> Head Commit : 841fca5a32cc tag: v5.10.1
> git tree : stable
>
> kernel config : Attached config.txt
>
> console output :
> BUG: unable to handle page fault for address: ffffc9000014b000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 3c00067 P4D 3c00067 PUD 3dce067 PMD 3dcf067 PTE 0
> Oops: 0002 [#1] SMP PTI
> CPU: 0 PID: 318 Comm: syz-executor186 Not tainted 5.10.1 #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
> RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
> Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
> 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4
> c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
> RSP: 0018:ffffc9000089f840 EFLAGS: 00010246
> RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe
> RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000
> RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240
> R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a
> FS: 00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0
> Call Trace:
> squashfs_decompress+0x62/0x90 fs/squashfs/decompressor_single.c:70
> squashfs_read_data+0x111/0x710 fs/squashfs/block.c:214
> squashfs_cache_get+0x198/0x460 fs/squashfs/cache.c:110
> squashfs_read_metadata+0xeb/0x1b0 fs/squashfs/cache.c:344
> squashfs_xattr_lookup+0x76/0xd0 fs/squashfs/xattr_id.c:38
> squashfs_read_inode+0x63d/0xae0 fs/squashfs/inode.c:395
> squashfs_iget+0xa8/0xf0 fs/squashfs/inode.c:85
> squashfs_lookup+0x42d/0x500 fs/squashfs/namei.c:212
> lookup_open fs/namei.c:3083 [inline]
> open_last_lookups fs/namei.c:3178 [inline]
> path_openat+0x6ee/0x14a0 fs/namei.c:3366
> do_filp_open+0xa7/0x190 fs/namei.c:3396
> do_sys_openat2+0xcc/0x1e0 fs/open.c:1168
> do_sys_open fs/open.c:1184 [inline]
> __do_sys_openat fs/open.c:1200 [inline]
> __se_sys_openat fs/open.c:1195 [inline]
> __x64_sys_openat+0x80/0xe0 fs/open.c:1195
> do_syscall_64+0x38/0x90 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x4489fd
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fffea7e1498 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 0000000000400530 RCX: 00000000004489fd
> RDX: 0000000000080000 RSI: 0000000020000040 RDI: 0000000000000005
> RBP: 0000000000403e50 R08: 0000000000000000 R09: 0000000000400530
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403ef0
> R13: 0000000000000000 R14: 00000000004bf018 R15: 0000000000400530
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> CR2: ffffc9000014b000
> ---[ end trace ef664778b3add560 ]---
> RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
> Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2
> 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4
> c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
> RSP: 0018:ffffc9000089f840 EFLAGS: 00010246
> RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe
> RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000
> RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240
> R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a
> FS: 00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0
>
>
> c reproducer : Attached reproducer.c
>
> syzkaller reproducer :
> # {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1
> Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false
> NetInjection:false NetDevices:false NetReset:false Cgroups:false
> BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false
> VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false
> HandleSegv:false Repro:false Trace:false}
> r0 = syz_mount_image$squashfs(&(0x7f0000000000)='squashfs\x00',
> &(0x7f0000000100)='./file0\x00', 0x7fffffff, 0x1,
> &(0x7f0000000200)=[{&(0x7f0000010000)="6873717307000000911d675f004000000100000003000e00e0000200040000001201000000000000f801000000000000ac01000000000000e0010000000000007f000000000000001f0100000000000076010000000000009a010000000000001a73797a6b616c6c6572203a200020438c01200000009820002838001100009e001d0200ed0100000100911d675f40012b0100644c002a7d00032d6e001a040f000300ff277c005901006d08264c00000e2f746d702f73797a2d696d61676567656e3431393737363339322f66696c6530b5000129750102c40b7d00294d00074d0009297d000529f5010a2da402e6177e04bc002add00065d0160de0328232cdc006d0dff410000291f000100c027ed0007dc04651f545d1a085c001100004800130100a100034d00204c00090200040066696c65304000015002b2013104d404f7050200088003032e636f6c647e590201f9069e4001ec080131d60005273100322a3100331100000b00136000a1001fdc0011000069010000000000001a001200c1007edd0020dd0040dd009edd00d6de001201bc001100007e0100000000000008805cf90100535f0100a2010000000000001b001e00000600786174747231060000c401274d0032274d00321100000d001200c100024d00244c00110000b40100000000000001",
> 0x1e9}], 0x0, &(0x7f0000010200)=ANY=[])
> openat(r0, &(0x7f0000000040)='./file1\x00', 0x80000, 0x0)
>
> I haven't seen this entry on the syzkaller dashboard yet; syzbot
> tracker - https://groups.google.com/g/syzkaller-bugs/c/WrjySbEAF3s .
>
> Palash


--
~Randy