From: Sasha Levin <sasha.levin@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	fabf@skynet.be, saproj@gmail.com,
	Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Dave Jones <davej@redhat.com>,
	Andrey Ryabinin <a.ryabinin@samsung.com>
Subject: fs: hfsplus: use after free in
Date: Fri, 20 Feb 2015 05:14:11 -0500	[thread overview]
Message-ID: <54E708F3.9080404@oracle.com> (raw)

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel, I've stumbled on the following spew:

[ 2014.561050] BUG: KASan: use after free in memcpy+0x21/0x50 at addr ffff880ff138afee
[ 2014.561050] Read of size 4 by task trinity-main/10201
[ 2014.561050] page:ffffea003fc4e280 count:0 mapcount:0 mapping:          (null) index:0x2
[ 2014.561050] flags: 0xcafffff80000000()
[ 2014.561050] page dumped because: kasan: bad access detected
[ 2014.561050] CPU: 23 PID: 10201 Comm: trinity-main Not tainted 3.19.0-next-20150219-sasha-00045-g9130270f #1939
[ 2014.561050]  ffff880ff138afee 000000002e9b0643 ffff8803023cf0f8 ffffffffa2b40d3a
[ 2014.561050]  1ffffd4007f89c57 ffff8803023cf188 ffff8803023cf178 ffffffff987648f4
[ 2014.561050]  ffff8803023c0d52 ffff8803023c0000 0000000000000282 ffff8803023c0ce0
[ 2014.561050] Call Trace:
[ 2014.561050] dump_stack (lib/dump_stack.c:52)
[ 2014.561050] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[ 2014.561050] kasan_report (mm/kasan/report.c:230)
[ 2014.561050] ? memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] __asan_loadN (mm/kasan/kasan.c:477)
[ 2014.561050] ? __might_sleep (kernel/sched/core.c:7356 (discriminator 14))
[ 2014.561050] memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] hfsplus_bnode_read (fs/hfsplus/bnode.c:34)
[ 2014.561050] hfsplus_brec_lenoff (fs/hfsplus/brec.c:26)
[ 2014.561050] ? __lock_is_held (kernel/locking/lockdep.c:3518)
[ 2014.561050] ? hfs_btree_inc_height (fs/hfsplus/brec.c:20)
[ 2014.561050] ? hfsplus_brec_remove (fs/hfsplus/bfind.c:96)
[ 2014.561050] __hfsplus_brec_find (fs/hfsplus/bfind.c:130)
[ 2014.561050] ? hfs_find_1st_rec_by_cnid (fs/hfsplus/bfind.c:115)
[ 2014.561050] ? hfsplus_bnode_find (./arch/x86/include/asm/bitops.h:311 fs/hfsplus/bnode.c:494)
[ 2014.561050] ? _atomic_dec_and_lock (./arch/x86/include/asm/atomic.h:118 lib/dec_and_lock.c:28)
[ 2014.561050] ? hfsplus_bnode_put (fs/hfsplus/bnode.c:483)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? hfsplus_bnode_put (fs/hfsplus/bnode.c:657)
[ 2014.561050] hfsplus_brec_find (fs/hfsplus/bfind.c:196)
[ 2014.561050] ? hfsplus_brec_remove (fs/hfsplus/bfind.c:96)
[ 2014.561050] ? __hfsplus_brec_find (fs/hfsplus/bfind.c:166)
[ 2014.561050] ? kasan_kmalloc (mm/kasan/kasan.c:354)
[ 2014.561050] ? __kmalloc (mm/slub.c:3325)
[ 2014.561050] ? each_symbol_section (kernel/module.c:3810)
[ 2014.561050] hfsplus_brec_read (fs/hfsplus/bfind.c:224)
[ 2014.561050] hfsplus_lookup (fs/hfsplus/dir.c:53)
[ 2014.561050] ? hfsplus_link (fs/hfsplus/dir.c:32)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? __lock_acquire (kernel/locking/lockdep.c:2019 kernel/locking/lockdep.c:3184)
[ 2014.561050] ? __d_alloc (fs/dcache.c:1525)
[ 2014.561050] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? mark_held_locks (kernel/locking/lockdep.c:2525)
[ 2014.561050] ? lockdep_init_map (kernel/locking/lockdep.c:2986)
[ 2014.561050] ? d_alloc (fs/dcache.c:769 fs/dcache.c:1601)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? d_alloc (fs/dcache.c:1607)
[ 2014.561050] ? vfs_rename (fs/namei.c:1405)
[ 2014.561050] lookup_real (fs/namei.c:1377)
[ 2014.561050] do_last (fs/namei.c:2875 fs/namei.c:2987)
[ 2014.561050] ? complete_walk (fs/namei.c:1775)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? path_init (fs/namei.c:2921)
[ 2014.561050] ? path_init (fs/namei.c:1953)
[ 2014.561050] ? path_init (fs/namei.c:1933)
[ 2014.561050] ? __mutex_init (kernel/locking/mutex.c:61)
[ 2014.561050] path_openat (fs/namei.c:3236)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? filename_create (fs/namei.c:3215)
[ 2014.561050] ? getname_flags (fs/namei.c:136)
[ 2014.561050] ? set_track (mm/slub.c:530)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2554 kernel/locking/lockdep.c:2601)
[ 2014.561050] do_filp_open (fs/namei.c:3283)
[ 2014.561050] ? user_path_mountpoint_at (fs/namei.c:3277)
[ 2014.561050] ? __alloc_fd (fs/file.c:501)
[ 2014.561050] do_sys_open (fs/open.c:1013)
[ 2014.561050] ? filp_open (fs/open.c:999)
[ 2014.561050] ? syscall_trace_enter_phase2 (arch/x86/kernel/ptrace.c:1598)
[ 2014.561050] SyS_openat (fs/open.c:1034)
[ 2014.561050] tracesys_phase2 (arch/x86/kernel/entry_64.S:422)
[ 2014.561050] Memory state around the buggy address:
[ 2014.561050]  ffff880ff138ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]  ffff880ff138af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050] >ffff880ff138af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]                                                           ^
[ 2014.561050]  ffff880ff138b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]  ffff880ff138b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Thanks,
Sasha
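As an added triage aid (not part of Sasha's report or of the kernel tree), a small Python parser run over an excerpt of the KASan splat above: it extracts the bug class, the faulting access and the call-trace frames the unwinder trusts, dropping the `?` frames and the sanitizer's own frames so that the first hfsplus frame surfaces. The `INSTRUMENTATION` tag list is an assumption of this example.

```python
import re

# Excerpt of the KASan report quoted above (timestamps kept as printed).
REPORT = """\
[ 2014.561050] BUG: KASan: use after free in memcpy+0x21/0x50 at addr ffff880ff138afee
[ 2014.561050] Read of size 4 by task trinity-main/10201
[ 2014.561050] Call Trace:
[ 2014.561050] dump_stack (lib/dump_stack.c:52)
[ 2014.561050] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[ 2014.561050] kasan_report (mm/kasan/report.c:230)
[ 2014.561050] ? memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] __asan_loadN (mm/kasan/kasan.c:477)
[ 2014.561050] ? __might_sleep (kernel/sched/core.c:7356 (discriminator 14))
[ 2014.561050] memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] hfsplus_bnode_read (fs/hfsplus/bnode.c:34)
[ 2014.561050] hfsplus_brec_lenoff (fs/hfsplus/brec.c:26)
[ 2014.561050] __hfsplus_brec_find (fs/hfsplus/bfind.c:130)
[ 2014.561050] Memory state around the buggy address:
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s?")
BUG = re.compile(r"BUG: KASan: (?P<kind>.+?) in (?P<sym>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<unsure>\? )?(?P<func>\S+) \((?P<loc>.*)\)$")
LOC = re.compile(r"\S+\.[A-Za-z]+:\d+")  # file:line tokens inside the parentheses
# Frames belonging to the sanitizer/reporting machinery, not to the code under test (assumed list).
INSTRUMENTATION = ("kasan", "asan", "dump_stack")

def parse_kasan_report(text):
    """Return bug kind, access details and the trusted call-trace frames as a dict."""
    info, in_trace = {"frames": []}, False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.search(line):
            info.update(kind=m["kind"], symbol=m["sym"], addr=int(m["addr"], 16))
        elif m := ACCESS.search(line):
            info.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and line.startswith("Memory state"):
            break  # end of the trace; the shadow-memory dump follows
        elif in_trace and (m := FRAME.match(line)) and not m["unsure"]:
            # '?' marks stale stack slots; keep only frames the unwinder trusts.
            locs = LOC.findall(m["loc"])
            info["frames"].append((m["func"], locs[-1] if locs else m["loc"]))
    return info

def first_subsystem_frame(info):
    """First trusted frame outside the sanitizer: the place to start triage."""
    for func, loc in info["frames"]:
        if not any(tag in func or tag in loc for tag in INSTRUMENTATION):
            return func, loc
    return None

if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(r["kind"], r["op"], r["size"], first_subsystem_frame(r))
```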

Thread overview: 2+ messages
2015-02-20 10:14 Sasha Levin [this message]
2015-06-06 22:45 ` fs: hfsplus: use after free in Sergei Antonov