syzbot

KASAN: slab-out-of-bounds Read in squashfs_get_id

Status: fixed on 2021/03/11 23:45
Subsystems: squashfs
Reported-by: syzbot+8e28bba73ed1772a6802@syzkaller.appspotmail.com
Fix commit: e812cbbbbbb1 squashfs: avoid out of bounds writes in decompressors
First crash: 1402d, last: 1262d
Cause bisection: failed
Fix bisection: fixed by:
commit e812cbbbbbb15adbbbee176baa1e8bda53059bf0
Author: Phillip Lougher <phillip@squashfs.org.uk>
Date: Tue Feb 9 21:41:50 2021 +0000

  squashfs: avoid out of bounds writes in decompressors

  
Discussions (2)
Title | Replies (including bot) | Last reply
KASAN: slab-out-of-bounds Read in squashfs_get_id | 2 (4) | 2021/03/11 15:04
[PATCH] squashfs: Add id_table sanity check to squashfs_get_id | 1 (1) | 2020/11/03 02:04
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: slab-out-of-bounds Read in squashfs_get_id | C | - | - | 58 | 1255d | 1399d | 1/1 | fixed on 2021/02/19 15:06
linux-4.14 | KASAN: slab-out-of-bounds Read in squashfs_get_id | C | - | - | 11 | 1248d | 1401d | 1/1 | fixed on 2021/02/23 13:44
Last patch testing requests (2)
Created | Duration | User | Patch | Repo | Result
2020/10/14 06:53 | 17m | foxhlchen@gmail.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d3d45f82 | OK
2020/10/07 15:48 | 9m | foxhlchen@gmail.com | | upstream | report log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38
Read of size 8 at addr ffff888014da0890 by task syz-executor820/8457

CPU: 1 PID: 8457 Comm: syz-executor820 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38
 squashfs_new_inode fs/squashfs/inode.c:51 [inline]
 squashfs_read_inode+0x1b4/0x1b40 fs/squashfs/inode.c:120
 squashfs_fill_super+0x1140/0x23b0 fs/squashfs/super.c:310
 get_tree_bdev+0x421/0x740 fs/super.c:1344
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x13ad/0x20c0 fs/namespace.c:3205
 do_mount fs/namespace.c:3218 [inline]
 __do_sys_mount fs/namespace.c:3426 [inline]
 __se_sys_mount fs/namespace.c:3403 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3403
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446d1a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffec71d7408 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffec71d7460 RCX: 0000000000446d1a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffec71d7420
RBP: 00007ffec71d7420 R08: 00007ffec71d7460 R09: 00007ffe00000015
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

Allocated by task 6443:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 lsm_cred_alloc security/security.c:533 [inline]
 security_prepare_creds+0x10e/0x190 security/security.c:1632
 prepare_creds+0x4bd/0x6c0 kernel/cred.c:285
 access_override_creds fs/open.c:353 [inline]
 do_faccessat+0x3d7/0x820 fs/open.c:417
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888014da0870
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 24 bytes to the right of
 8-byte region [ffff888014da0870, ffff888014da0878)
The buggy address belongs to the page:
page:00000000ac3d44c7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14da0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00006eb080 0000001700000017 ffff888010041c80
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888014da0780: fa fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00
 ffff888014da0800: fc fc fc fc fa fc fc fc fc 00 fc fc fc fc fb fc
>ffff888014da0880: fc fc fc fa fc fc fc fc fb fc fc fc fc 00 fc fc
                         ^
 ffff888014da0900: fc fc fa fc fc fc fc fa fc fc fc fc 00 fc fc fc
 ffff888014da0980: fc fb fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
==================================================================
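
The trace above reaches squashfs_get_id from squashfs_fill_super via squashfs_read_inode, i.e. while mounting the image the inode's owner index is used to read the uid/gid ("id") table with no check against the id count the superblock advertises. The discussion list on this page carries a proposed "id_table sanity check" for exactly that lookup. What follows is an added example, not kernel code and not the patch from the discussion: a userspace model of the lookup as reported, beside a guarded version, run on a constructed table. The block-layout macros mirror the kernel's squashfs_fs.h (one u64 block pointer per 8 KiB metadata block, 2048 32-bit ids per block); struct sb_info, lookup_rc() and the table contents are assumptions made for the demonstration. One observation the model makes concrete: a table for a single id is an 8-byte allocation, the same size class (kmalloc-8) the report names, and an index of 8192 reads block pointer 4, 32 bytes past the start of that allocation.

```c
/*
 * Added example (not kernel code): userspace model of the squashfs id
 * lookup reported at fs/squashfs/id.c:38, beside a guarded version.
 * Layout macros follow the kernel's squashfs_fs.h; struct sb_info,
 * lookup_rc() and the table contents are constructed for this demo.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SQUASHFS_METADATA_SIZE  8192
#define SQUASHFS_ID_BYTES(n)    ((size_t)(n) * sizeof(uint32_t))
#define SQUASHFS_ID_BLOCK(n)    (SQUASHFS_ID_BYTES(n) / SQUASHFS_METADATA_SIZE)
#define SQUASHFS_ID_BLOCKS(n)   ((SQUASHFS_ID_BYTES(n) + SQUASHFS_METADATA_SIZE - 1) / \
				 SQUASHFS_METADATA_SIZE)

/* Model of the superblock-info fields the lookup touches (assumed names). */
struct sb_info {
	unsigned int ids;        /* id count read from the superblock */
	uint64_t    *id_table;   /* SQUASHFS_ID_BLOCKS(ids) block pointers */
	size_t       nblocks;    /* model only: lets us detect the overread */
};

/*
 * Unchecked lookup, the shape of the code in the report: the block number
 * is derived from the inode's index and used to subscript id_table[].
 * The kernel has no guard at this point; the model returns -ERANGE where
 * the kernel would read past the allocation (the KASAN slab-out-of-bounds).
 */
int get_id_unchecked(const struct sb_info *sb, unsigned int index,
		     uint64_t *start_block)
{
	size_t block = SQUASHFS_ID_BLOCK(index);

	if (block >= sb->nblocks)
		return -ERANGE;          /* out-of-bounds read in the kernel */
	*start_block = sb->id_table[block];
	return 0;
}

/*
 * Guarded lookup: compare the inode's index with the id count the
 * superblock advertises before it becomes a block number.  Checking the
 * block number alone is not enough: an index beyond sb->ids that still
 * falls inside the last allocated block pointer is just as bogus.
 */
int get_id_checked(const struct sb_info *sb, unsigned int index,
		   uint64_t *start_block)
{
	if (index >= sb->ids)
		return -EINVAL;
	return get_id_unchecked(sb, index, start_block);
}

/*
 * Build a table for an image claiming `ids` ids, run one lookup variant on
 * `index`, and return its code.  A crafted image controls both values.
 */
int lookup_rc(unsigned int ids, unsigned int index, int guarded)
{
	struct sb_info sb = { .ids = ids, .nblocks = SQUASHFS_ID_BLOCKS(ids) };
	uint64_t start = 0;
	size_t i;
	int rc;

	sb.id_table = calloc(sb.nblocks, sizeof(*sb.id_table));
	if (!sb.id_table)
		return -ENOMEM;
	for (i = 0; i < sb.nblocks; i++)   /* constructed block offsets */
		sb.id_table[i] = 0x1000 + i * SQUASHFS_METADATA_SIZE;

	rc = guarded ? get_id_checked(&sb, index, &start)
		     : get_id_unchecked(&sb, index, &start);
	free(sb.id_table);
	return rc;
}

int main(void)
{
	static const struct { unsigned int ids, index; } cases[] = {
		{ 1, 0 },       /* legitimate: the only id */
		{ 1, 1 },       /* past the id count, inside the same block pointer */
		{ 1, 8192 },    /* block pointer 4 of a 1-entry table: the KASAN case */
		{ 3000, 2048 }, /* second block pointer exists: fine both ways */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("ids=%u index=%-5u unchecked=%-4d checked=%d\n",
		       cases[i].ids, cases[i].index,
		       lookup_rc(cases[i].ids, cases[i].index, 0),
		       lookup_rc(cases[i].ids, cases[i].index, 1));
	return 0;
}
```

The second case is the one worth keeping in mind when reviewing a fix: with one id and index 1 the unchecked model succeeds, because block pointer 0 exists, so a guard written on the block number rather than on the index against sb->ids would still let a crafted inode name an id the image never declared.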

Crashes (77):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/08 08:46 upstream cd796ed33450 51a9082e .config console log report syz C ci-upstream-kasan-gce-root
2020/12/05 10:18 upstream e87297fa080a 20366b87 .config console log report syz C ci-upstream-kasan-gce-root
2020/12/03 16:03 upstream 34816d20f173 e6b0d314 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/11/07 10:44 upstream bf3e76289cd2 64069d48 .config console log report syz C ci-upstream-kasan-gce-root
2020/11/06 10:49 upstream 521b619acdc8 64069d48 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/11/06 05:49 upstream 521b619acdc8 64069d48 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/11/06 03:11 upstream 521b619acdc8 64069d48 .config console log report syz C ci-upstream-kasan-gce-root
2020/10/13 01:58 upstream bbf5c979011a d32b0bbf .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/10/09 02:17 upstream 3d006ee42dde 92390980 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/10/03 16:38 upstream d3d45f8220d6 2653fa43 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/10/02 06:47 upstream fcadab740480 9602ddf4 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/09/25 10:13 upstream 171d4ff79f96 54289b08 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/09/21 14:57 upstream ba4f184e126b 9e1fa68e .config console log report syz C ci-upstream-kasan-gce-root
2020/11/30 01:05 linux-next 6174f05255e6 a0092f9d .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/11/27 16:49 linux-next 6147c83fd749 5018c946 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/02/06 22:33 upstream 1e0d27fce010 0655e081 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/06 08:35 upstream 1e0d27fce010 23a562df .config console log report info ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/06 06:07 upstream 1e0d27fce010 23a562df .config console log report info ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/01 08:03 upstream 1048ba83fb1c fc9fd31e .config console log report info ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/31 21:14 upstream 6642d600b541 fc9fd31e .config console log report info ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/31 10:04 upstream 8c947645151c fc9fd31e .config console log report info ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/29 03:32 upstream e5ff2cb9cf67 7df34f59 .config console log report info ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/22 01:03 upstream 9791581c049c d4f4eca5 .config console log report info ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/21 08:30 upstream 75439bc439e0 d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/08 23:04 linux-next aa2b88209686 2bd9619f .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/14 07:21 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/11 23:17 upstream 7c53f6b671f4 2c1f2513 .config console log report info ci-upstream-kasan-gce-root
2021/01/11 19:16 upstream 7c53f6b671f4 2c1f2513 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 23:58 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/06 13:26 upstream 33256ce19411 f12ba0c5 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/03 17:46 upstream 34816d20f173 e6b0d314 .config console log report info ci-upstream-kasan-gce-root
2020/11/28 08:25 upstream 99c710c46dfc 486f93ef .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/26 16:29 upstream fa02fcd94b0c 1d2b823e .config console log report info ci-upstream-kasan-gce-root
2020/11/26 04:15 upstream fa02fcd94b0c 2f1cec62 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/24 15:00 upstream d5beb3140f91 1ab681a4 .config console log report info ci-upstream-kasan-gce-root
2020/11/24 08:14 upstream d5beb3140f91 1ab681a4 .config console log report info ci-upstream-kasan-gce-root
2020/11/23 05:37 upstream a349e4c65960 0d27f508 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/11/23 05:36 upstream a349e4c65960 0d27f508 .config console log report info ci-upstream-kasan-gce-smack-root
2020/11/06 00:37 upstream 521b619acdc8 64069d48 .config console log report info ci-qemu-upstream
2020/10/14 17:57 upstream b5fc7a89e58b fc7735a2 .config console log report info ci-upstream-kasan-gce-smack-root
2020/10/12 16:37 upstream bbf5c979011a d32b0bbf .config console log report info ci-upstream-kasan-gce-smack-root
2020/10/01 22:10 upstream fcadab740480 9602ddf4 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/30 15:10 upstream 02de58b24d2e 8516f6d3 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/28 16:54 upstream a1b8638ba132 6bfdbe89 .config console log report info ci-upstream-kasan-gce-root
2020/09/27 04:10 upstream eeddbe6841cd 2d5ea0cb .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/27 03:26 upstream eeddbe6841cd 2d5ea0cb .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/27 01:13 upstream a1bffa48745a 5dd8aee8 .config console log report info ci-qemu-upstream
2020/09/26 04:30 upstream 171d4ff79f96 4a006f63 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/25 13:22 upstream 171d4ff79f96 4a006f63 .config console log report info ci-qemu-upstream
2020/09/24 19:12 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/24 08:21 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/24 08:21 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/24 08:19 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-root
2020/09/24 08:15 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/24 08:14 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/24 08:10 upstream c9c9e6a49f89 54289b08 .config console log report info ci-qemu-upstream
2020/09/23 23:44 upstream 805c6d3c1921 287cd75a .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/21 14:41 upstream ba4f184e126b 9e1fa68e .config console log report info ci-upstream-kasan-gce-root
2020/10/20 12:22 upstream 270315b8235e ff4a3345 .config console log report info ci-qemu-upstream-386
2020/10/05 15:06 upstream 549738f15da0 1880b4a9 .config console log report info ci-qemu-upstream-386
2020/10/04 01:08 upstream 22fbc037cd32 1a3f9408 .config console log report info ci-qemu-upstream-386
2020/09/28 22:10 upstream a4d63c3732f1 1b88c6d5 .config console log report info ci-qemu-upstream-386
2021/01/15 15:26 linux-next b3a3cbdec55b 65a7a854 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/18 03:59 linux-next 90cc8cf2d1ab 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/03 23:45 linux-next 0eedceafd3a6 e6b0d314 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/11/26 02:58 linux-next 62918e6fd7b5 2f1cec62 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/10/19 06:10 linux-next b2926c108f9f fea47c01 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/09/27 13:12 linux-next d1d2220c7f39 5dd8aee8 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/09/24 08:15 linux-next dcf2427baa64 54289b08 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/09/22 08:07 linux-next b10b8ad86211 9e1fa68e .config console log report info ci-upstream-linux-next-kasan-gce-root