From: Jean Delvare <jdelvare@suse.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Daniel Kurtz <djkurtz@chromium.org>,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot <syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com>
Subject: Re: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Date: Mon, 23 Mar 2020 18:51:20 +0100 [thread overview]
Message-ID: <20200323185120.1a5cd734@endymion> (raw)
In-Reply-To: <20200323093733.GA26299@kadam>
On Mon, 23 Mar 2020 12:37:33 +0300, Dan Carpenter wrote:
> On Sun, Mar 22, 2020 at 11:11:06PM +0100, Jean Delvare wrote:
> > Definitely not correct. The first byte of the block data array MUST be
> > the size of the block read. Even if the code above does not do the
> > right thing, removing the line will not help.
> >
>
> Yeah. I misread the code.
>
> > Is it possible that kasan got this wrong due to the convoluted logic?
> > It's late and I'll check again tomorrow morning but the code looks OK
> > to me.
>
> KASan doesn't work like that. It works at runtime and doesn't care
> about the logic.
>
> https://syzkaller.appspot.com/bug?id=426fc8b1c1b63fb0af524d839dfcf452f2d858e2
>
> At the bottom of the report it shows that we're in a field of f9
> poisoned data so it's not priv->len which is wrong. (My patch was way
> off).
>
> mm/kasan/kasan.h:#define KASAN_VMALLOC_INVALID 0xF9 /* unallocated space in vmapped page */
>
> The logic looks okay to me too. So possibly this was a race condition
> or even memory corruption in an unrelated part of the kernel.
I checked out the exact kernel version this report was generated for,
and the faulty line is:
592: priv->data[priv->count++] = inb(SMBBLKDAT(priv));
This would suggest the problem is with priv->count growing beyond the
end of the array, however the fact that we land in a memory spot full
of 0xF9 kind of excludes this possibility (the data before the spot
would contain different data if it was the case).
The other option is that priv->count wasn't initialized at the time
it is used. However I can't see how this could happen, given that the
priv structure is kzalloc'd.
So, to be honest I can't really see how priv->count can get wrong. So
I would be tempted to lend towards the theory that the i2c-i801 driver
was a collateral victim of a memory corruption happening somewhere else
in the kernel. Wouldn't Kasan catch this too? Is it possible to access
the other Kasan reports from the same test run?
--
Jean Delvare
SUSE L3 Support
prev parent reply other threads:[~2020-03-23 17:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 6:34 KASAN: vmalloc-out-of-bounds Write in i801_isr syzbot
2020-01-14 7:34 ` [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done() Dan Carpenter
2020-02-22 12:45 ` Wolfram Sang
2020-03-20 14:57 ` Wolfram Sang
2020-03-22 18:08 ` Jean Delvare
2020-03-22 21:10 ` Andy Shevchenko
2020-03-22 21:12 ` Wolfram Sang
2020-03-22 22:11 ` Jean Delvare
2020-03-23 9:37 ` Dan Carpenter
2020-03-23 17:51 ` Jean Delvare [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200323185120.1a5cd734@endymion \
--to=jdelvare@suse.de \
--cc=dan.carpenter@oracle.com \
--cc=djkurtz@chromium.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).