From: Jean Delvare <jdelvare@suse.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Daniel Kurtz <djkurtz@chromium.org>,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot <syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com>
Subject: Re: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Date: Mon, 23 Mar 2020 18:51:20 +0100 [thread overview]
Message-ID: <20200323185120.1a5cd734@endymion> (raw)
In-Reply-To: <20200323093733.GA26299@kadam>
On Mon, 23 Mar 2020 12:37:33 +0300, Dan Carpenter wrote:
> On Sun, Mar 22, 2020 at 11:11:06PM +0100, Jean Delvare wrote:
> > Definitely not correct. The first byte of the block data array MUST be
> > the size of the block read. Even if the code above does not do the
> > right thing, removing the line will not help.
> >
>
> Yeah. I misread the code.
>
> > Is it possible that kasan got this wrong due to the convoluted logic?
> > It's late and I'll check again tomorrow morning but the code looks OK
> > to me.
>
> KASan doesn't work like that. It works at runtime and doesn't care
> about the logic.
>
> https://syzkaller.appspot.com/bug?id=426fc8b1c1b63fb0af524d839dfcf452f2d858e2
>
> At the bottom of the report it shows that we're in a field of f9
> poisoned data so it's not priv->len which is wrong. (My patch was way
> off).
>
> mm/kasan/kasan.h:#define KASAN_VMALLOC_INVALID 0xF9 /* unallocated space in vmapped page */
>
> The logic looks okay to me too. So possibly this was a race condition
> or even memory corruption in an unrelated part of the kernel.
I checked out the exact kernel version this report was generated for,
and the faulty line is:
592: priv->data[priv->count++] = inb(SMBBLKDAT(priv));
This would suggest the problem is with priv->count growing beyond the
end of the array, however the fact that we land in a memory spot full
of 0xF9 kind of excludes this possibility (the data before the spot
would contain different data if it was the case).
The other option is that priv->count wasn't initialized at the time
it is used. However I can't see how this could happen, given that the
priv structure is kzalloc'd.
So, to be honest I can't really see how priv->count can get wrong. So
I would be tempted to lend towards the theory that the i2c-i801 driver
was a collateral victim of a memory corruption happening somewhere else
in the kernel. Wouldn't Kasan catch this too? Is it possible to access
the other Kasan reports from the same test run?
--
Jean Delvare
SUSE L3 Support
prev parent reply other threads:[~2020-03-23 17:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 6:34 KASAN: vmalloc-out-of-bounds Write in i801_isr syzbot
2020-01-14 7:34 ` [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done() Dan Carpenter
2020-02-22 12:45 ` Wolfram Sang
2020-03-20 14:57 ` Wolfram Sang
2020-03-22 18:08 ` Jean Delvare
2020-03-22 21:10 ` Andy Shevchenko
2020-03-22 21:12 ` Wolfram Sang
2020-03-22 22:11 ` Jean Delvare
2020-03-23 9:37 ` Dan Carpenter
2020-03-23 17:51 ` Jean Delvare [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200323185120.1a5cd734@endymion \
--to=jdelvare@suse.de \
--cc=dan.carpenter@oracle.com \
--cc=djkurtz@chromium.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.