Re: KASAN: null-ptr-deref Read in xattr_getsecurity
OK. Patch was sent to linux.git as 1f5781725dcbb026. #syz fix: commoncap: Handle memory allocation failure.
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, 10 Apr 2018, Eric W. Biederman wrote: > Tetsuo Handa writes: > > > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > > From: Tetsuo Handa > > Date: Tue, 10 Apr 2018 15:15:16 +0900 > > Subject: [PATCH] commoncap: Handle memory allocation failure. > > > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > > memory allocation failed. Return -ENOMEM if memory allocation failed. > > > > [1] > > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Acked-by: "Eric W. Biederman" > > Tetsuo I can pick this up, or do you have preferred path for getting > this change merged? > It can go via my tree if needed, but otherwise: Acked-by: James Morris -- James Morris
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
Eric W. Biederman wrote: > Tetsuo Handa writes: > > > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > > From: Tetsuo Handa > > Date: Tue, 10 Apr 2018 15:15:16 +0900 > > Subject: [PATCH] commoncap: Handle memory allocation failure. > > > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > > memory allocation failed. Return -ENOMEM if memory allocation failed. > > > > [1] > > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Acked-by: "Eric W. Biederman" > > Tetsuo I can pick this up, or do you have preferred path for getting > this change merged? I don't have preferred path. You can pick this up. Thanks.
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, Apr 10, 2018 at 09:42:50AM -0500, Eric W. Biederman wrote: > Tetsuo Handa writes: > > > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > > From: Tetsuo Handa > > Date: Tue, 10 Apr 2018 15:15:16 +0900 > > Subject: [PATCH] commoncap: Handle memory allocation failure. > > > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > > memory allocation failed. Return -ENOMEM if memory allocation failed. > > > > [1] > > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Acked-by: "Eric W. Biederman" > > Tetsuo I can pick this up, or do you have preferred path for getting > this change merged? > > Serge does this fix look ok to you? I am a bit worried that yup, looks good to me. would have replied an hour or two ago but lacked an lkml-acceptable mailer :) thanks, serge > might be a bit brittler but I don't see any issues with this change. > > Eric > > > > Signed-off-by: Tetsuo Handa > > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities") > > Reported-by: syzbot > > Cc: stable # 4.14+ > > Cc: Serge E. Hallyn > > Cc: Eric W. Biederman > > --- > > security/commoncap.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/security/commoncap.c b/security/commoncap.c > > index 48620c9..1ce701f 100644 > > --- a/security/commoncap.c > > +++ b/security/commoncap.c > > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const > > char *name, void **buffer, > > magic |= VFS_CAP_FLAGS_EFFECTIVE; > > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * > > VFS_CAP_U32); > > cap->magic_etc = cpu_to_le32(magic); > > + } else { > > + size = -ENOMEM; > > } > > } > > kfree(tmpbuf); > > -- > > 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
On Tue, Apr 10, 2018 at 07:13:23PM +0900, Tetsuo Handa wrote: > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > memory allocation failed. Return -ENOMEM if memory allocation failed. > > [1] > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 > > Signed-off-by: Tetsuo Handa > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities") > Reported-by: syzbot > Cc: stable # 4.14+ > Cc: Serge E. Hallyn Acked-by: Serge Hallyn thanks! -serge > Cc: Eric W. Biederman > --- > security/commoncap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 48620c9..1ce701f 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char > *name, void **buffer, > magic |= VFS_CAP_FLAGS_EFFECTIVE; > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * > VFS_CAP_U32); > cap->magic_etc = cpu_to_le32(magic); > + } else { > + size = -ENOMEM; > } > } > kfree(tmpbuf); > -- > 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
Tetsuo Handa writes: > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 > From: Tetsuo Handa > Date: Tue, 10 Apr 2018 15:15:16 +0900 > Subject: [PATCH] commoncap: Handle memory allocation failure. > > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when > memory allocation failed. Return -ENOMEM if memory allocation failed. > > [1] > https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 Acked-by: "Eric W. Biederman" Tetsuo I can pick this up, or do you have preferred path for getting this change merged? Serge does this fix look ok to you? I am a bit worried that might be a bit brittler but I don't see any issues with this change. Eric > Signed-off-by: Tetsuo Handa > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities") > Reported-by: syzbot > Cc: stable # 4.14+ > Cc: Serge E. Hallyn > Cc: Eric W. Biederman > --- > security/commoncap.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 48620c9..1ce701f 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char > *name, void **buffer, > magic |= VFS_CAP_FLAGS_EFFECTIVE; > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * > VFS_CAP_U32); > cap->magic_etc = cpu_to_le32(magic); > + } else { > + size = -ENOMEM; > } > } > kfree(tmpbuf); > -- > 1.8.3.1
Re: KASAN: null-ptr-deref Read in xattr_getsecurity
>From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Tue, 10 Apr 2018 15:15:16 +0900 Subject: [PATCH] commoncap: Handle memory allocation failure. syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when memory allocation failed. Return -ENOMEM if memory allocation failed. [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 Signed-off-by: Tetsuo Handa Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities") Reported-by: syzbot Cc: stable # 4.14+ Cc: Serge E. Hallyn Cc: Eric W. Biederman --- security/commoncap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/commoncap.c b/security/commoncap.c index 48620c9..1ce701f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, magic |= VFS_CAP_FLAGS_EFFECTIVE; memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); cap->magic_etc = cpu_to_le32(magic); + } else { + size = -ENOMEM; } } kfree(tmpbuf); -- 1.8.3.1
KASAN: null-ptr-deref Read in xattr_getsecurity
Hello, syzbot hit the following crash on upstream commit fd40ffc72e2f74c7db61e400903e7d50a88bc0b0 (Mon Apr 9 18:36:05 2018 +) selinux: fix missing dput() before selinuxfs unmount syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=9369930ca44f29e60e2d So far this crash happened 41 times on upstream. Unfortunately, I don't have any reproducer for this crash yet. Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5421128315043840 Kernel config: https://syzkaller.appspot.com/x/.config?id=-771321277174894814 compiler: gcc (GCC) 8.0.1 20180301 (experimental) IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+9369930ca44f29e60...@syzkaller.appspotmail.com It will help syzbot understand when the bug is fixed. See footer for details. If you forward the report, please keep this part and the footer. R13: 0098 R14: 006f3ee0 R15: 0002 == BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:345 [inline] BUG: KASAN: null-ptr-deref in xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251 Read of size 20 at addr by task syz-executor5/12111 CPU: 0 PID: 12111 Comm: syz-executor5 Not tainted 4.16.0+ #16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report.cold.7+0x13b/0x2f5 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:345 [inline] xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251 vfs_getxattr+0xf2/0x160 fs/xattr.c:333 getxattr+0x139/0x2c0 fs/xattr.c:540 SYSC_fgetxattr fs/xattr.c:598 [inline] SyS_fgetxattr+0x109/0x190 fs/xattr.c:589 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x455259 RSP: 002b:7f20bc46fc68 EFLAGS: 0246 ORIG_RAX: 00c1 RAX: ffda RBX: 7f20bc4706d4 RCX: 00455259 RDX: 2280 RSI: 22c0 RDI: 0014 RBP: 0072bea0 R08: R09: R10: ff27 R11: 0246 R12: 0015 R13: 0098 R14: 006f3ee0 R15: 0002 == --- This bug is generated by a dumb bot. It may contain errors. See https://goo.gl/tpsmEJ for details. Direct all questions to syzkal...@googlegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body.