bisecting fixing commit since 4fccc2503536a564a4ba31a1d50439854201659f
building syzkaller on 2c36e7a75f8689b3da20e1a81a2ee5391f3af6e5
testing commit 4fccc2503536a564a4ba31a1d50439854201659f
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: d7b4d92f705f3d43feba5335a4f7eb8a07138004697f4c6923ecb96f461214a9
run #0: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #1: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #2: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #3: crashed: KASAN: use-after-free Write in decode_data
run #4: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #5: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #6: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #7: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #8: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #9: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #10: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #11: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #12: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #13: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #14: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #15: crashed: KASAN: use-after-free Write in decode_data
run #16: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #17: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #18: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #19: crashed: KASAN: slab-out-of-bounds Write in decode_data
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 426ac6922ab5418cf594888151b2f10fae2c3e5c44a398e779b0e9c180a75148
all runs: OK
# git bisect start b172b44fcb1771e083aad806fa96f3f60e2ddfac 4fccc2503536a564a4ba31a1d50439854201659f
Bisecting: 3991 revisions left to test after this (roughly 12 steps)
[3abb2ac9594b3a7a54086e05452dba25a011a78b] ext4: limit entries returned when counting fsmap records
testing commit 3abb2ac9594b3a7a54086e05452dba25a011a78b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 3cf230faac99269e77059a8eb9e03e7d79460c3f4c5b25d594556f15b63dce43
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good 3abb2ac9594b3a7a54086e05452dba25a011a78b
Bisecting: 1995 revisions left to test after this (roughly 11 steps)
[c0387536edaf98592dd01d7081cc1d9c3c08e446] vmlinux.lds.h: Create section for protection against instrumentation
testing commit c0387536edaf98592dd01d7081cc1d9c3c08e446
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 13e832f152c21edcc671a0ddcb7653b00527bd0f04da3fa20471ddb546675167
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good c0387536edaf98592dd01d7081cc1d9c3c08e446
Bisecting: 997 revisions left to test after this (roughly 10 steps)
[16dd58543be1ff47b0324f0b2d2460e1ec4058a0] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet
testing commit 16dd58543be1ff47b0324f0b2d2460e1ec4058a0
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 54a5ecc052b12db8d01e63d7f57d3afb593c7ee1b74c2149b04009617db30bf0
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good 16dd58543be1ff47b0324f0b2d2460e1ec4058a0
Bisecting: 498 revisions left to test after this (roughly 9 steps)
[f7589b0224e46cdc5fe8f03d7aec08e023b491a9] mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
testing commit f7589b0224e46cdc5fe8f03d7aec08e023b491a9
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c2d50df8159a39d5fddf6f3f7ab173b5f9beee930bcd94f17938a1cb8bf4d812
run #0: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #1: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #2: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #3: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #4: crashed: KASAN: use-after-free Write in decode_data
run #5: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #6: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #7: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #8: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #9: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good f7589b0224e46cdc5fe8f03d7aec08e023b491a9
Bisecting: 249 revisions left to test after this (roughly 8 steps)
[a89b48fe9308d976d9dcb2112e264d647f7efce4] Linux 4.19.199
testing commit a89b48fe9308d976d9dcb2112e264d647f7efce4
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a66b40e419e6aa2787f6d9d258f44adc638904cfd59c696aef39592bfe81780f
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good a89b48fe9308d976d9dcb2112e264d647f7efce4
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[9df311b2e743642c5427ecf563c5050ceb355d1d] bpf: Fix leakage under speculation on mispredicted branches
testing commit 9df311b2e743642c5427ecf563c5050ceb355d1d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0f61377c0ff3a501e2bb22a7185e2e441b5bb1320274fcc42c4b1f06b2cc95e6
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good 9df311b2e743642c5427ecf563c5050ceb355d1d
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[e25e7495d72649cb50b42865356bfe272b3a2a6d] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
testing commit e25e7495d72649cb50b42865356bfe272b3a2a6d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f255f9b55daa7f1eaed9ac5a5706cee4354c908f740edf76ff711f334fed19e6
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good e25e7495d72649cb50b42865356bfe272b3a2a6d
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[c348d806ed1d3075af52345344243824d72c4945] bpf: Do not use ax register in interpreter on div/mod
testing commit c348d806ed1d3075af52345344243824d72c4945
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: fe4248a0006fbacaafd049cfe2ec57b9651c0df3ddcbdc1fe0585c0ea14d6d03
all runs: OK
# git bisect bad c348d806ed1d3075af52345344243824d72c4945
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[e0eb0f65e681cad35644c7e8dd7ee526c075b9c7] mmc: dw_mmc: Fix hang on data CRC error
testing commit e0eb0f65e681cad35644c7e8dd7ee526c075b9c7
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a514b8ec214a1beb06d86a9084272f7c30f8bba201a66e309df57879a0611ec3
all runs: OK
# git bisect bad e0eb0f65e681cad35644c7e8dd7ee526c075b9c7
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7cfaec657d4124e4a3d8372849de416da784515d] vhost: Fix the calculation in vhost_overflow()
testing commit 7cfaec657d4124e4a3d8372849de416da784515d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 822dab2726de48b8b19148a659557d303bf4c762a352f49d786037fc4092db55
run #0: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #1: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #2: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #3: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #4: crashed: KASAN: use-after-free Write in decode_data
run #5: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #6: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #7: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #8: crashed: KASAN: slab-out-of-bounds Write in decode_data
run #9: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good 7cfaec657d4124e4a3d8372849de416da784515d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1458ae977ae03d3fdf8573fe4dad034c5afb6d53] ptp_pch: Restore dependency on PCI
testing commit 1458ae977ae03d3fdf8573fe4dad034c5afb6d53
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a514b8ec214a1beb06d86a9084272f7c30f8bba201a66e309df57879a0611ec3
all runs: OK
# git bisect bad 1458ae977ae03d3fdf8573fe4dad034c5afb6d53
Bisecting: 1 revision left to test after this (roughly 1 step)
[b80bc6fba1cb9bc036a633a05994ff87fa9c868e] bnxt: disable napi before canceling DIM
testing commit b80bc6fba1cb9bc036a633a05994ff87fa9c868e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 822dab2726de48b8b19148a659557d303bf4c762a352f49d786037fc4092db55
all runs: crashed: KASAN: slab-out-of-bounds Write in decode_data
# git bisect good b80bc6fba1cb9bc036a633a05994ff87fa9c868e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4e370cc081a78ee23528311ca58fd98a06768ec7] net: 6pack: fix slab-out-of-bounds in decode_data
testing commit 4e370cc081a78ee23528311ca58fd98a06768ec7
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a514b8ec214a1beb06d86a9084272f7c30f8bba201a66e309df57879a0611ec3
all runs: OK
# git bisect bad 4e370cc081a78ee23528311ca58fd98a06768ec7
4e370cc081a78ee23528311ca58fd98a06768ec7 is the first bad commit
commit 4e370cc081a78ee23528311ca58fd98a06768ec7
Author: Pavel Skripkin
Date:   Fri Aug 13 18:14:33 2021 +0300

    net: 6pack: fix slab-out-of-bounds in decode_data

    [ Upstream commit 19d1532a187669ce86d5a2696eb7275310070793 ]

    Syzbot reported slab-out-of-bounds write in decode_data().
    The problem was in missing validation checks.

    Syzbot's reproducer generated malicious input, which caused
    decode_data() to be called a lot in sixpack_decode(). Since
    rx_count_cooked is only 400 bytes and no one reported before,
    that 400 bytes is not enough, let's just check if input is malicious
    and complain about buffer overrun.

    Fail log:
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843
    Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7

    CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
    ...
    Workqueue: events_unbound flush_to_ldisc
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x197/0x210 lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
     __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
     kasan_report+0x12/0x20 mm/kasan/common.c:641
     __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
     decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
     decode_data drivers/net/hamradio/6pack.c:965 [inline]
     sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]

    Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Pavel Skripkin
    Reviewed-by: Dan Carpenter
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

 drivers/net/hamradio/6pack.c | 6 ++++++
 1 file changed, 6 insertions(+)

culprit signature: a514b8ec214a1beb06d86a9084272f7c30f8bba201a66e309df57879a0611ec3
parent signature: 822dab2726de48b8b19148a659557d303bf4c762a352f49d786037fc4092db55
revisions tested: 15, total time: 3h56m22.987217734s (build: 2h36m29.997710054s, test: 1h18m12.687196784s)
first good commit: 4e370cc081a78ee23528311ca58fd98a06768ec7 net: 6pack: fix slab-out-of-bounds in decode_data
recipients (to): ["dan.carpenter@oracle.com" "davem@davemloft.net" "paskripkin@gmail.com" "sashal@kernel.org" "syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com"]
recipients (cc): []