Re: [syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+604424eb051c2f696163@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead (2)
Date: Mon, 13 Nov 2023 16:46:07 -0800	[thread overview]
Message-ID: <000000000000b1fd99060a121c78@google.com> (raw)
In-Reply-To: <tencent_66EE4A0C753B774F674A3CED37CA96BA3609@qq.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in squashfs_page_actor_init_special

SQUASHFS error: Unable to read metadata cache entry [6fa]
SQUASHFS error: Unable to read metadata cache entry [6fa]
SQUASHFS error: Unable to read metadata cache entry [6fa]
SQUASHFS error: Unable to read metadata cache entry [6fa]
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 5484 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-15156-g13d88ac54ddd-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:squashfs_page_actor_init_special+0x20e/0x4c0 fs/squashfs/page_actor.c:128
Code: 00 00 00 49 8d 6c 24 48 48 89 e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 32 02 00 00 c7 45 00 00 00 00 00 4c 89 f8 48 c1 e8 03 <42> 80 3c 30 00 74 08 4c 89 ff e8 93 34 8c ff 49 8b 2f 48 83 c5 20
RSP: 0018:ffffc90004fce4f8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffff888015ad3b80
RDX: ffff888015ad3b80 RSI: 0000000000000000 RDI: ffff888027646840
RBP: ffff888027646848 R08: ffffffff825ea873 R09: 1ffffffff21ba48f
R10: dffffc0000000000 R11: fffffbfff21ba490 R12: ffff888027646800
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000010
FS:  00007f7b9e9ea6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b9dd0662e CR3: 0000000020cfe000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 squashfs_readpage_block+0x62a/0xf60 fs/squashfs/file_direct.c:70
 squashfs_read_folio+0x569/0xed0 fs/squashfs/file.c:479
 filemap_read_folio+0x19c/0x770 mm/filemap.c:2323
 filemap_create_folio mm/filemap.c:2451 [inline]
 filemap_get_pages+0xdf7/0x2080 mm/filemap.c:2504
 filemap_read+0x42b/0x10b0 mm/filemap.c:2593
 __kernel_read+0x425/0x8b0 fs/read_write.c:428
 integrity_kernel_read+0xb0/0xf0 security/integrity/iint.c:221
 ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
 ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
 ima_calc_file_hash+0xad1/0x1b30 security/integrity/ima/ima_crypto.c:573
 ima_collect_measurement+0x554/0xb30 security/integrity/ima/ima_api.c:290
 process_measurement+0x1373/0x21c0 security/integrity/ima/ima_main.c:359
 ima_file_check+0xf1/0x170 security/integrity/ima/ima_main.c:557
 do_open fs/namei.c:3624 [inline]
 path_openat+0x2893/0x3280 fs/namei.c:3779
 do_filp_open+0x234/0x490 fs/namei.c:3809
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1440
 do_sys_open fs/open.c:1455 [inline]
 __do_sys_open fs/open.c:1463 [inline]
 __se_sys_open fs/open.c:1459 [inline]
 __x64_sys_open+0x225/0x270 fs/open.c:1459
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f7b9dc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7b9e9ea0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f7b9dd9bf80 RCX: 00007f7b9dc7cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f7b9dcc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f7b9dd9bf80 R15: 00007fff0acb6118
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:squashfs_page_actor_init_special+0x20e/0x4c0 fs/squashfs/page_actor.c:128
Code: 00 00 00 49 8d 6c 24 48 48 89 e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 32 02 00 00 c7 45 00 00 00 00 00 4c 89 f8 48 c1 e8 03 <42> 80 3c 30 00 74 08 4c 89 ff e8 93 34 8c ff 49 8b 2f 48 83 c5 20
RSP: 0018:ffffc90004fce4f8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffff888015ad3b80
RDX: ffff888015ad3b80 RSI: 0000000000000000 RDI: ffff888027646840
RBP: ffff888027646848 R08: ffffffff825ea873 R09: 1ffffffff21ba48f
R10: dffffc0000000000 R11: fffffbfff21ba490 R12: ffff888027646800
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000010
FS:  00007f7b9e9ea6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555d54061950 CR3: 0000000020cfe000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 49 8d             	add    %cl,-0x73(%rcx)
   5:	6c                   	insb   (%dx),%es:(%rdi)
   6:	24 48                	and    $0x48,%al
   8:	48 89 e8             	mov    %rbp,%rax
   b:	48 c1 e8 03          	shr    $0x3,%rax
   f:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
  14:	84 c0                	test   %al,%al
  16:	0f 85 32 02 00 00    	jne    0x24e
  1c:	c7 45 00 00 00 00 00 	movl   $0x0,0x0(%rbp)
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 ff             	mov    %r15,%rdi
  34:	e8 93 34 8c ff       	call   0xff8c34cc
  39:	49 8b 2f             	mov    (%r15),%rbp
  3c:	48 83 c5 20          	add    $0x20,%rbp


Tested on:

commit:         13d88ac5 Merge tag 'vfs-6.7.fsid' of git://git.kernel...
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10ed2f97680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=beb32a598fd79db9
dashboard link: https://syzkaller.appspot.com/bug?extid=604424eb051c2f696163
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17f132ff680000

next      parent reply	other threads:[~2023-11-14  0:46 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <tencent_66EE4A0C753B774F674A3CED37CA96BA3609@qq.com>
2023-11-14  0:46 ` syzbot [this message]
     [not found] <tencent_9922EDE6CFC478066DCC2CE56E8095D0E90A@qq.com>
2023-11-15  2:43 ` [syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead (2) syzbot
     [not found] <tencent_B296DE36444A84758D766566B63D7937F809@qq.com>
2023-11-14  9:19 ` syzbot
     [not found] <tencent_E64189996EF96EE0CC9AA7DB86C512F2C606@qq.com>
2023-11-14  8:20 ` syzbot
     [not found] <tencent_4E6E9E451B0D4B3A1B7425A7BA7BBB2D3308@qq.com>
2023-11-14  7:01 ` syzbot
     [not found] <tencent_38DDC0DDA319044FEE0D83258C8DF9126207@qq.com>
2023-11-14  4:31 ` syzbot
     [not found] <tencent_C03638974A36004A90741B76A566583DCD09@qq.com>
2023-11-14  3:39 ` syzbot
     [not found] <tencent_D1F5A5B90D9F92385D8CDDB91914CF868D07@qq.com>
2023-11-14  2:24 ` syzbot
     [not found] <tencent_A2204B221B3E258FBA7BBB9A33FD9E401B08@qq.com>
2023-11-14  1:16 ` syzbot
     [not found] <tencent_C5A3BA24589777F76D86C7136A837B496305@qq.com>
2023-11-13 12:48 ` syzbot
     [not found] <tencent_D7CE758776D767783C3B36E297FC37544A09@qq.com>
2023-11-13 11:37 ` syzbot
2023-11-12  5:32 syzbot
2023-11-13 15:27 ` Phillip Lougher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000b1fd99060a121c78@google.com \
    --to=syzbot+604424eb051c2f696163@syzkaller.appspotmail.com \
    --cc=eadavis@qq.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.