Re: BUG: unable to handle kernel NULL pointer dereference in rb_insert_color

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers3@gmail.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot
	<bot+eb13811afcefe99cfe45081054e7883f569f949d@syzkaller.appspotmail.com>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	linux-ext4@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	syzkaller-bugs@googlegroups.com, Theodore Ts'o <tytso@mit.edu>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in rb_insert_color
Date: Tue, 30 Jan 2018 13:43:29 -0800	[thread overview]
Message-ID: <20180130214329.7tsk24bia2xplfc3@gmail.com> (raw)
In-Reply-To: <CACT4Y+Y9SRDEZA5sbOAQ5NAbmMT=ae-uPQ2np4s+Eug9-b-MHw@mail.gmail.com>

On Wed, Dec 20, 2017 at 09:05:39AM +0100, Dmitry Vyukov wrote:
> On Wed, Dec 20, 2017 at 8:59 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > On Wed, Dec 20, 2017 at 08:50:40AM +0100, Dmitry Vyukov wrote:
> >> >
> >> > The line number in lib/rbtree.c seems to be slightly off.  Looking at the
> >> > disassembly:
> >> >
> >> >         ffffffff825b5ea0 <rb_insert_color>:
> >> >         ffffffff825b5ea0:       55                      push   %rbp
> >> >         ffffffff825b5ea1:       48 8b 17                mov    (%rdi),%rdx
> >> >         ffffffff825b5ea4:       48 89 e5                mov    %rsp,%rbp
> >> >         ffffffff825b5ea7:       48 85 d2                test   %rdx,%rdx
> >> >         ffffffff825b5eaa:       0f 84 4c 01 00 00       je     ffffffff825b5ffc <rb_insert_color+0x15c>
> >> >         ffffffff825b5eb0:       48 8b 02                mov    (%rdx),%rax
> >> >         ffffffff825b5eb3:       a8 01                   test   $0x1,%al
> >> >         ffffffff825b5eb5:       75 5e                   jne    ffffffff825b5f15 <rb_insert_color+0x75>
> >> >         ffffffff825b5eb7:       48 8b 48 08             mov    0x8(%rax),%rcx
> >> >
> >> > It crashed on 'mov 0x8(%rax),%rcx' which corresponds to
> >> > 'tmp = gparent->rb_right;' at lib/rbtree.c:131.  So 'parent' was the root node,
> >> > but its color was red, while it is supposed to be black.
> >> >
> >> > No idea how that happened, but it's almost certainly not an ext4 bug.  In fact
> >> > there is another report of this same crash that has a different call trace:
> >> >
> >> >         Call Trace:
> >> >          key_alloc_serial security/keys/key.c:170 [inline]
> >> >          key_alloc+0x54c/0x5b0 security/keys/key.c:319
> >> >          keyring_alloc+0x4d/0xb0 security/keys/keyring.c:503
> >> >          install_process_keyring_to_cred.part.3+0x38/0x80 security/keys/process_keys.c:192
> >> >          install_process_keyring_to_cred security/keys/process_keys.c:634 [inline]
> >> >          install_process_keyring security/keys/process_keys.c:217 [inline]
> >> >          lookup_user_key+0x4ed/0x7c0 security/keys/process_keys.c:574
> >> >          SYSC_add_key security/keys/keyctl.c:114 [inline]
> >> >          SyS_add_key+0xec/0x260 security/keys/keyctl.c:62
> >> >          entry_SYSCALL_64_fastpath+0x1f/0x96
> >>
> >>
> >> My first hypothesis for an non-explainable, non-reproducible
> >> corruption would be a data race. Is there all locking in place?
> >
> > It doesn't seem to be a locking problem.  In the ext4 case the rbtree is
> > associated with a struct file's dir_private_info, which is protected by
> > ->f_pos_lock (taken early in sys_getdents()).
> 
> But this won't prevent somebody else to mess with the struct without
> taking the lock.
> 
> > And in the keyrings case, the
> > rbtree is protected by key_serial_lock.

Invalidating this bug since it hasn't been seen again, and it was reported while
KASAN was accidentally disabled in the syzbot config due to a change to the
kconfig menus in linux-next (so this crash was probably caused by slab
corruption elsewhere).

#syz invalid

next prev parent reply	other threads:[~2018-01-30 21:43 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <94eb2c1170ce36bd770560ad6d3a@google.com>
2017-12-19 21:59 ` BUG: unable to handle kernel NULL pointer dereference in rb_insert_color Eric Biggers
2017-12-20  7:50   ` Dmitry Vyukov
2017-12-20  7:59     ` Eric Biggers
2017-12-20  8:05       ` Dmitry Vyukov
2018-01-30 21:43         ` Eric Biggers [this message]
2019-12-09 13:29   ` ppc64el kernel access of bad area (ext4_htree_store_dirent->rb_insert_color) Rafael David Tinoco
2019-12-09 13:46     ` Dmitry Vyukov
2019-12-10  2:01     ` Theodore Y. Ts'o
2019-12-12 12:25       ` Rafael David Tinoco

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180130214329.7tsk24bia2xplfc3@gmail.com \
    --to=ebiggers3@gmail.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=bot+eb13811afcefe99cfe45081054e7883f569f949d@syzkaller.appspotmail.com \
    --cc=dvyukov@google.com \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.