KASAN: null-ptr-deref Read in filemap_fault

From: Sanan Hasanov
Date: Tue Sep 12 2023 - 19:02:32 EST

Next message: Sanan Hasanov: "KASAN: slab-use-after-free Read in hci_conn_hash_flush"
Previous message: Saravana Kannan: "Re: [PATCH v8 03/16] of: property: Add fw_devlink support for msi-parent"
Next in thread: Matthew Wilcox: "Re: KASAN: null-ptr-deref Read in filemap_fault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1QmELMwhyVxAejCYF8VHxvAsExK6GtR8F/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Qfns0v9ZZO6kge192F5wUzyFRcM0lHYU/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

BUG: KASAN: null-ptr-deref in filemap_fault+0x538/0x2500
Read of size 4 at addr 0000000000000028 by task syz-executor.2/5967

CPU: 5 PID: 5967 Comm: syz-executor.2 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x178/0x260
kasan_report+0xc0/0xf0
kasan_check_range+0x144/0x190
filemap_fault+0x538/0x2500
__do_fault+0x103/0x3d0
do_fault+0x68a/0x11c0
__handle_mm_fault+0x106f/0x2660
handle_mm_fault+0x1ab/0xa90
do_user_addr_fault+0x583/0x12e0
exc_page_fault+0xb6/0x1d0
asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297

RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
</TASK>
==================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 5 PID: 5967 Comm: syz-executor.2 Tainted: G B 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS: 0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
Call Trace:
<TASK>
__do_fault+0x103/0x3d0
do_fault+0x68a/0x11c0
__handle_mm_fault+0x106f/0x2660
handle_mm_fault+0x1ab/0xa90
do_user_addr_fault+0x583/0x12e0
exc_page_fault+0xb6/0x1d0
asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS: 0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: e8 8a be d3 ff call 0xffd3be91
7: 49 8d 5c 24 34 lea 0x34(%r12),%rbx
c: be 04 00 00 00 mov $0x4,%esi
11: 48 89 df mov %rbx,%rdi
14: e8 98 08 23 00 call 0x2308b1
19: 48 89 da mov %rbx,%rdx
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: 7b .byte 0x7b

Next message: Sanan Hasanov: "KASAN: slab-use-after-free Read in hci_conn_hash_flush"
Previous message: Saravana Kannan: "Re: [PATCH v8 03/16] of: property: Add fw_devlink support for msi-parent"
Next in thread: Matthew Wilcox: "Re: KASAN: null-ptr-deref Read in filemap_fault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]