Re: KASAN: null-ptr-deref Read in xattr_getsecurity
OK. Patch was sent to linux.git as 1f5781725dcbb026. #syz fix: commoncap: Handle memory allocation failure.
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, 10 Apr 2018, Eric W. Biederman wrote: > Tetsuo Handa writes: > > > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > > From: Tetsuo Handa > > Date: Tue, 10 Apr 2018 15:15:16 +0900 > > Subject: [PATCH] commoncap: Handle memory allocation failure. > > > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > > memory allocation failed. Return -ENOMEM if memory allocation failed. > > > > [1] > > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Acked-by: "Eric W. Biederman" > > Tetsuo I can pick this up, or do you have preferred path for getting > this change merged? > It can go via my tree if needed, but otherwise: Acked-by: James Morris -- James Morris
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
Eric W. Biederman wrote: > Tetsuo Handa writes: > > > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > > From: Tetsuo Handa > > Date: Tue, 10 Apr 2018 15:15:16 +0900 > > Subject: [PATCH] commoncap: Handle memory allocation failure. > > > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > > memory allocation failed. Return -ENOMEM if memory allocation failed. > > > > [1] > > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Acked-by: "Eric W. Biederman" > > Tetsuo I can pick this up, or do you have preferred path for getting > this change merged? I don't have preferred path. You can pick this up. Thanks.
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, Apr 10, 2018 at 09:42:50AM -0500, Eric W. Biederman wrote:
> Tetsuo Handa writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1]
> > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman"
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
>
> Serge does this fix look ok to you? I am a bit worried that
yup, looks good to me. would have replied an hour or two ago but lacked
an lkml-acceptable mailer :)
thanks,
serge
> might be a bit brittler but I don't see any issues with this change.
>
> Eric
>
>
> > Signed-off-by: Tetsuo Handa
> > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> > Reported-by: syzbot
> > Cc: stable # 4.14+
> > Cc: Serge E. Hallyn
> > Cc: Eric W. Biederman
> > ---
> > security/commoncap.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 48620c9..1ce701f 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const
> > char *name, void **buffer,
> > magic |= VFS_CAP_FLAGS_EFFECTIVE;
> > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 *
> > VFS_CAP_U32);
> > cap->magic_etc = cpu_to_le32(magic);
> > + } else {
> > + size = -ENOMEM;
> > }
> > }
> > kfree(tmpbuf);
> > --
> > 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, Apr 10, 2018 at 07:13:23PM +0900, Tetsuo Handa wrote:
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1]
> https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Signed-off-by: Tetsuo Handa
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot
> Cc: stable # 4.14+
> Cc: Serge E. Hallyn
Acked-by: Serge Hallyn
thanks!
-serge
> Cc: Eric W. Biederman
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char
> *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 *
> VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
Tetsuo Handa writes:
> From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa
> Date: Tue, 10 Apr 2018 15:15:16 +0900
> Subject: [PATCH] commoncap: Handle memory allocation failure.
>
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1]
> https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
Acked-by: "Eric W. Biederman"
Tetsuo I can pick this up, or do you have preferred path for getting
this change merged?
Serge does this fix look ok to you? I am a bit worried that
might be a bit brittler but I don't see any issues with this change.
Eric
> Signed-off-by: Tetsuo Handa
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot
> Cc: stable # 4.14+
> Cc: Serge E. Hallyn
> Cc: Eric W. Biederman
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char
> *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 *
> VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
>From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Tue, 10 Apr 2018 15:15:16 +0900
Subject: [PATCH] commoncap: Handle memory allocation failure.
syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
memory allocation failed. Return -ENOMEM if memory allocation failed.
[1]
https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
Signed-off-by: Tetsuo Handa
Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
Reported-by: syzbot
Cc: stable # 4.14+
Cc: Serge E. Hallyn
Cc: Eric W. Biederman
---
security/commoncap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/commoncap.c b/security/commoncap.c
index 48620c9..1ce701f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char
*name, void **buffer,
magic |= VFS_CAP_FLAGS_EFFECTIVE;
memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 *
VFS_CAP_U32);
cap->magic_etc = cpu_to_le32(magic);
+ } else {
+ size = -ENOMEM;
}
}
kfree(tmpbuf);
--
1.8.3.1
KASAN: null-ptr-deref Read in xattr_getsecurity
Hello, syzbot hit the following crash on upstream commit fd40ffc72e2f74c7db61e400903e7d50a88bc0b0 (Mon Apr 9 18:36:05 2018 +) selinux: fix missing dput() before selinuxfs unmount syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=9369930ca44f29e60e2d So far this crash happened 41 times on upstream. Unfortunately, I don't have any reproducer for this crash yet. Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5421128315043840 Kernel config: https://syzkaller.appspot.com/x/.config?id=-771321277174894814 compiler: gcc (GCC) 8.0.1 20180301 (experimental) IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+9369930ca44f29e60...@syzkaller.appspotmail.com It will help syzbot understand when the bug is fixed. See footer for details. If you forward the report, please keep this part and the footer. R13: 0098 R14: 006f3ee0 R15: 0002 == BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:345 [inline] BUG: KASAN: null-ptr-deref in xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251 Read of size 20 at addr by task syz-executor5/12111 CPU: 0 PID: 12111 Comm: syz-executor5 Not tainted 4.16.0+ #16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report.cold.7+0x13b/0x2f5 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:345 [inline] xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251 vfs_getxattr+0xf2/0x160 fs/xattr.c:333 getxattr+0x139/0x2c0 fs/xattr.c:540 SYSC_fgetxattr fs/xattr.c:598 [inline] SyS_fgetxattr+0x109/0x190 fs/xattr.c:589 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x455259 RSP: 002b:7f20bc46fc68 EFLAGS: 0246 ORIG_RAX: 00c1 RAX: ffda RBX: 7f20bc4706d4 RCX: 00455259 RDX: 2280 RSI: 22c0 RDI: 0014 RBP: 0072bea0 R08: R09: R10: ff27 R11: 0246 R12: 0015 R13: 0098 R14: 006f3ee0 R15: 0002 == --- This bug is generated by a dumb bot. It may contain errors. See https://goo.gl/tpsmEJ for details. Direct all questions to syzkal...@googlegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body.
