KASAN: slab-out-of-bounds Read in hci_event

KASAN: slab-out-of-bounds Read in hci_event_packet
Status: upstream: reported C repro on 2019/01/07 18:31
Reported-by: syzbot+cec7a50c412a2c03f8f5@syzkaller.appspotmail.com
First crash: 515d, last: 15d

Cause bisection: introduced by (bisect log):

commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Feb 19 22:34:00 2017 +0000

Linux 4.10

Fix bisection: failed (bisect log)

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in hci_event_packet	C		5	9d08h	400d	0/1	upstream: reported C repro on 2019/05/02 03:07
linux-4.19	KASAN: slab-out-of-bounds Read in hci_event_packet	C		3	22d	143d	0/1	upstream: reported C repro on 2020/01/14 15:52

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2019/03/21 05:37	19m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git bluetooth	OK
2019/03/18 20:02	19m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git bluetooth	OK

Sample crash report:

==================================================================
BUG: KASAN: slab-out-of-bounds in hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4357 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x540e/0xaa9d net/bluetooth/hci_event.c:6075
Read of size 6 at addr ffff888028ae9a08 by task kworker/u18:1/9927

CPU: 0 PID: 9927 Comm: kworker/u18:1 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
 __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memcpy+0x20/0x60 mm/kasan/common.c:106
 hci_extended_inquiry_result_evt net/bluetooth/hci_event.c:4357 [inline]
 hci_event_packet+0x540e/0xaa9d net/bluetooth/hci_event.c:6075
 hci_rx_work+0x239/0xb30 net/bluetooth/hci_core.c:4686
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 9933:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:142
 __alloc_skb+0xef/0x5a0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1083 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:358 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
 vhci_write+0xbd/0x450 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1907 [inline]
 new_sync_write+0x4a2/0x700 fs/read_write.c:484
 __vfs_write+0xc9/0x100 fs/read_write.c:497
 vfs_write+0x268/0x5d0 fs/read_write.c:559
 ksys_write+0x12d/0x250 fs/read_write.c:612
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 9823:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 tomoyo_supervisor+0x34d/0xee0 security/tomoyo/common.c:2149
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x257/0x360 security/tomoyo/file.c:573
 tomoyo_check_open_permission+0x336/0x370 security/tomoyo/file.c:777
 tomoyo_file_open security/tomoyo/tomoyo.c:319 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:314
 security_file_open+0x6e/0x410 security/security.c:1548
 do_dentry_open+0x358/0x1290 fs/open.c:784
 do_open fs/namei.c:3229 [inline]
 path_openat+0x1e59/0x27d0 fs/namei.c:3346
 do_filp_open+0x192/0x260 fs/namei.c:3373
 do_sys_openat2+0x585/0x7d0 fs/open.c:1148
 do_sys_open+0xc3/0x140 fs/open.c:1164
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff888028ae9800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes to the right of
 512-byte region [ffff888028ae9800, ffff888028ae9a00)
The buggy address belongs to the page:
page:ffffea0000a2ba40 refcount:1 mapcount:0 mapping:00000000d1a68903 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00009c5288 ffffea0000aaa9c8 ffff88802c800a80
raw: 0000000000000000 ffff888028ae9000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888028ae9900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888028ae9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888028ae9a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff888028ae9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028ae9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (17):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-qemu-upstream	2020/05/16 15:29	upstream	12bf0b63	37bccd4e	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2020/04/02 17:46	upstream	919dce24	a34e2c33	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/03/18 23:34	upstream	5076190d	0a96a13c	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-selinux-root	2019/01/07 10:16	upstream	574823bf	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2019/01/07 09:42	upstream	574823bf	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-root	2019/01/07 09:41	upstream	574823bf	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2019/01/07 09:41	upstream	574823bf	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2020/03/19 01:05	upstream	5076190d	0a96a13c	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-386	2019/01/07 09:42	upstream	574823bf	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2020/04/11 19:35	linux-next	11ecafc6	a8c6a3f8	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2019/01/07 09:40	linux-next	a85b6b4f	ee332608	.config	log	report	syz	C	davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/05/21 04:50	upstream	b85051e7	c61086ab	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2020/05/15 05:08	upstream	8c1684bb	2d572622	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/03/04 09:22	upstream	63623fd4	c88c7b75	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux@armlinux.org.uk, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-kasan-gce	2019/07/21 03:20	upstream	abdfd52a	1656845f	.config	log	report
ci-upstream-kasan-gce	2019/06/23 00:58	upstream	abf02e29	34bf9440	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-linux-next-kasan-gce-root	2019/06/27 22:01	linux-next	8087b004	7509bf36	.config	log	report			davem@davemloft.net, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org