* [syzbot] [orangefs?] KASAN: slab-out-of-bounds Read in orangefs_debug_write
@ 2024-12-22 5:59 syzbot
2024-12-22 7:45 ` Edward Adam Davis
2024-12-22 8:14 ` [PATCH] orangefs: fix a oob " Edward Adam Davis
0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2024-12-22 5:59 UTC (permalink / raw)
To: devel, hubcap, linux-kernel, martin, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 59dbb9d81adf Merge tag 'xsa465+xsa466-6.13-tag' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1320cb44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1327f4f8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1720cb44580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c5dbdd280188/disk-59dbb9d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9a6753a4cd2e/vmlinux-59dbb9d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa643efa107f/bzImage-59dbb9d8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f11f9893a39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc84d45838 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f11f9893a39
RDX: 00000000fffffdef RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f11f99065f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Allocated by task 5822:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
orangefs_debug_write+0x14c/0x780 fs/orangefs/orangefs-debugfs.c:401
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88814d695000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes to the right of
allocated 2048-byte region [ffff88814d695000, ffff88814d695800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14d690
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
head: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 057ff00000000003 ffffea000535a401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 18983173250, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
__kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
cfctrl_create+0x9b/0x320 net/caif/cfctrl.c:39
cfcnfg_create+0xb2/0x500 net/caif/cfcnfg.c:86
caif_init_net+0x7d/0xe0 net/caif/caif_dev.c:514
ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
__register_pernet_operations net/core/net_namespace.c:1267 [inline]
register_pernet_operations+0x3a1/0x6f0 net/core/net_namespace.c:1343
register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1384
caif_device_init+0x16/0x50 net/caif/caif_dev.c:567
do_one_initcall+0x128/0x630 init/main.c:1266
page_owner free stack trace missing
Memory state around the buggy address:
ffff88814d695700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88814d695780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88814d695800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88814d695880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88814d695900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [orangefs?] KASAN: slab-out-of-bounds Read in orangefs_debug_write
2024-12-22 5:59 [syzbot] [orangefs?] KASAN: slab-out-of-bounds Read in orangefs_debug_write syzbot
@ 2024-12-22 7:45 ` Edward Adam Davis
2024-12-22 8:08 ` syzbot
2024-12-22 8:14 ` [PATCH] orangefs: fix a oob " Edward Adam Davis
1 sibling, 1 reply; 8+ messages in thread
From: Edward Adam Davis @ 2024-12-22 7:45 UTC (permalink / raw)
To: syzbot+fc519d7875f2d9186c1f; +Cc: linux-kernel, syzkaller-bugs
#syz test: https://github.com/ea1davis/linux orange/syz
* [PATCH] orangefs: fix a oob in orangefs_debug_write
2024-12-22 5:59 [syzbot] [orangefs?] KASAN: slab-out-of-bounds Read in orangefs_debug_write syzbot
2024-12-22 7:45 ` Edward Adam Davis
@ 2024-12-22 8:14 ` Edward Adam Davis
2024-12-22 10:35 ` Al Viro
1 sibling, 1 reply; 8+ messages in thread
From: Edward Adam Davis @ 2024-12-22 8:14 UTC (permalink / raw)
To: syzbot+fc519d7875f2d9186c1f
Cc: devel, hubcap, linux-kernel, martin, syzkaller-bugs
syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
The string passed in from userspace is not terminated with a NULL character,
which causes strlen to go out of bounds.
Use kstrndup to replace kstrdup.
[1]
BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
Tested-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/orangefs/orangefs-debugfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 1b508f543384..c2637c966e52 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -833,7 +833,9 @@ static void debug_string_to_mask(char *debug_string, void *mask, int type)
{
char *unchecked_keyword;
int i;
- char *strsep_fodder = kstrdup(debug_string, GFP_KERNEL);
+ char *strsep_fodder = kstrndup(debug_string,
+ ORANGEFS_MAX_DEBUG_STRING_LEN,
+ GFP_KERNEL);
char *original_pointer;
int element_count = 0;
struct client_debug_mask *c_mask = NULL;
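Review bot: the kstrndup() at the top of debug_string_to_mask() only caps the strlen() inside the copy; the real defect is the caller's clamp in orangefs_debug_write(), which lets count reach ORANGEFS_MAX_DEBUG_STRING_LEN + 1 while buf is a kzalloc of ORANGEFS_MAX_DEBUG_STRING_LEN bytes (see the allocation frame at orangefs-debugfs.c:401 in the report), so buf itself is still handed around without a terminator for any other consumer. Fixing the clamp so the copy can never fill the whole buffer removes the unterminated string entirely rather than guarding one use of it, and would also let this hunk be dropped.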
--
2.47.0
* Re: [PATCH] orangefs: fix a oob in orangefs_debug_write
2024-12-22 8:14 ` [PATCH] orangefs: fix a oob " Edward Adam Davis
@ 2024-12-22 10:35 ` Al Viro
2024-12-22 13:59 ` Edward Adam Davis
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Al Viro @ 2024-12-22 10:35 UTC (permalink / raw)
To: Edward Adam Davis
Cc: syzbot+fc519d7875f2d9186c1f, devel, hubcap, linux-kernel, martin,
syzkaller-bugs
On Sun, Dec 22, 2024 at 04:14:13PM +0800, Edward Adam Davis wrote:
> syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
>
> The string passed in from userspace is not terminated with a NULL character,
> which causes strlen to go out of bounds.
>
> Use kstrndup to replace kstrdup.

Better to replace
    if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
        silly = count;
        count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
    }
with
    if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
        silly = count;
        count = ORANGEFS_MAX_DEBUG_STRING_LEN;
    }
instead, so that we wouldn't have to deal with lack of NUL anywhere.
* Re: [PATCH] orangefs: fix a oob in orangefs_debug_write
2024-12-22 10:35 ` Al Viro
@ 2024-12-22 13:59 ` Edward Adam Davis
2024-12-22 14:16 ` [PATCH V2] " Edward Adam Davis
2025-01-01 0:10 ` [PATCH] " Mike Marshall
2 siblings, 0 replies; 8+ messages in thread
From: Edward Adam Davis @ 2024-12-22 13:59 UTC (permalink / raw)
To: viro
Cc: devel, eadavis, hubcap, linux-kernel, martin,
syzbot+fc519d7875f2d9186c1f, syzkaller-bugs
On Sun, 22 Dec 2024 10:35:22 +0000, Al Viro wrote:
> > syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
> >
> > The string passed in from userspace is not terminated with a NULL character,
> > which causes strlen to go out of bounds.
> >
> > Use kstrndup to replace kstrdup.
>
> Better to replace
>     if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
>         silly = count;
>         count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
>     }
> with
>     if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
>         silly = count;
>         count = ORANGEFS_MAX_DEBUG_STRING_LEN;
>     }
> instead, so that we wouldn't have to deal with lack of NUL anywhere.
Yes, you are right.
* [PATCH V2] orangefs: fix a oob in orangefs_debug_write
2024-12-22 10:35 ` Al Viro
2024-12-22 13:59 ` Edward Adam Davis
@ 2024-12-22 14:16 ` Edward Adam Davis
2025-01-01 0:10 ` [PATCH] " Mike Marshall
2 siblings, 0 replies; 8+ messages in thread
From: Edward Adam Davis @ 2024-12-22 14:16 UTC (permalink / raw)
To: viro
Cc: devel, eadavis, hubcap, linux-kernel, martin,
syzbot+fc519d7875f2d9186c1f, syzkaller-bugs
syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
When the count value is greater than ORANGEFS_MAX_DEBUG_STRING_LEN + 1 in
orangefs_debug_write(), it is set to ORANGEFS_MAX_DEBUG_STRING_LEN + 1.
The allocated buf length is ORANGEFS_MAX_DEBUG_STRING_LEN, and the length
of the data copied to the buf is ORANGEFS_MAX_DEBUG_STRING_LEN, which causes
strlen() to be out of bounds.
Update the threshold of count to prevent this issue.
[1]
BUG: KASAN: slab-out-of-bounds in strlen+0x93/0xa0 lib/string.c:413
Read of size 1 at addr ffff88814d695800 by task syz-executor153/5822
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor153 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
strlen+0x93/0xa0 lib/string.c:413
kstrdup+0x29/0xb0 mm/util.c:81
debug_string_to_mask+0x82/0x570 fs/orangefs/orangefs-debugfs.c:836
orangefs_debug_write+0x22e/0x780 fs/orangefs/orangefs-debugfs.c:423
full_proxy_write+0xfb/0x1b0 fs/debugfs/file.c:356
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fc519d7875f2d9186c1f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Update the threshold of count
fs/orangefs/orangefs-debugfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 1b508f543384..fa41db088488 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
* Thwart users who try to jamb a ridiculous number
* of bytes into the debug file...
*/
- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
+ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
silly = count;
- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
+ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
}
buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
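Review bot: the new bound is correct but the invariant it restores is not written down anywhere in the hunk: with count capped at ORANGEFS_MAX_DEBUG_STRING_LEN, the copy of count - 1 bytes into the ORANGEFS_MAX_DEBUG_STRING_LEN-byte kzalloc below always leaves at least the last byte zero, which is what makes the later strlen()/kstrdup() in debug_string_to_mask() safe. Since the previous + 1 shows how easy it is to get this off by one, consider extending the "Thwart users..." comment with one line stating that the cap must stay one below the allocation so buf is always NUL-terminated, so the next person touching either constant keeps them in step.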
--
2.47.0
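The arithmetic behind Al's suggestion and the V2 commit message, as an added user-space model (not code from the thread or from the kernel): the clamp limit is the only thing that changes, and it decides whether the copy of count - 1 bytes can fill the whole kzalloc'd buffer. MAX_DEBUG_STRING_LEN, clamp_count(), buffer_is_terminated() and the sample input are constructed stand-ins for the kernel's names and sizes.

```c
/* Added model of the length clamp in orangefs_debug_write(); not kernel code.
 * MAX_DEBUG_STRING_LEN is a constructed 16-byte stand-in for the kernel's
 * ORANGEFS_MAX_DEBUG_STRING_LEN so the two cases are easy to read. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEBUG_STRING_LEN 16
/* The clamp in orangefs_debug_write(): limit is MAX + 1 before the fix and
 * MAX after it. Returns the count that reaches copy_from_user(). */
static size_t clamp_count(size_t count, size_t limit)
{
    if (count > limit)
        count = limit;   /* the kernel also keeps the original in "silly" */
    return count;
}

/* Model of: buf = kzalloc(MAX); copy_from_user(buf, ubuf, count - 1);
 * Returns true if buf still holds a NUL within its MAX bytes afterwards, so
 * strlen()/kstrdup() on it would stay in bounds. A bounded memchr() is used
 * so the model itself never reads past the buffer. */
static bool buffer_is_terminated(const char *ubuf, size_t count, size_t limit)
{
    char buf[MAX_DEBUG_STRING_LEN];
    size_t n = clamp_count(count, limit) - 1;   /* copy_from_user(..., count - 1) */

    memset(buf, 0, sizeof(buf));                /* kzalloc() zero-fills */
    if (n > sizeof(buf))
        return false;        /* write overflow, or count == 0 wrapped: unsafe */
    memcpy(buf, ubuf, n);                       /* user bytes carry no terminator */
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

/* Constructed write longer than the buffer, the case the reproducer hits. */
static const char constructed_input[64] = "debugfs keywords with no NUL at all";

static bool old_clamp_terminates(void)   /* clamp to MAX + 1: buffer is full */
{
    return buffer_is_terminated(constructed_input, sizeof(constructed_input),
                                MAX_DEBUG_STRING_LEN + 1);
}

static bool new_clamp_terminates(void)   /* clamp to MAX: last byte stays 0 */
{
    return buffer_is_terminated(constructed_input, sizeof(constructed_input),
                                MAX_DEBUG_STRING_LEN);
}

int main(void)
{
    printf("MAX+1 clamp terminated=%d, MAX clamp terminated=%d\n",
           old_clamp_terminates(), new_clamp_terminates());   /* 0, 1 */
    return 0;
}
```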
* Re: [PATCH] orangefs: fix a oob in orangefs_debug_write
2024-12-22 10:35 ` Al Viro
2024-12-22 13:59 ` Edward Adam Davis
2024-12-22 14:16 ` [PATCH V2] " Edward Adam Davis
@ 2025-01-01 0:10 ` Mike Marshall
2 siblings, 0 replies; 8+ messages in thread
From: Mike Marshall @ 2025-01-01 0:10 UTC (permalink / raw)
To: Al Viro
Cc: Edward Adam Davis, syzbot+fc519d7875f2d9186c1f, devel,
linux-kernel, martin, syzkaller-bugs, Mike Marshall
I used Al's suggestion on top of 6.13.0-rc5 and ran
it through xfstests with no problem. Since I doubt xfstests
runs down this code path I also did some other tests.
I made some files with comma separated debug settings and
catted them onto /sys/kernel/debug/orangefs/kernel-debug.
When I caused the file to be longer than
ORANGEFS_MAX_DEBUG_STRING_LEN
I could see that execution flowed down the
code path with Al's suggested changes, and
the proper thing happened.
Anywho... I'll send this up in the merge window unless
someone else (Edward?) plans to...
-Mike
On Sun, Dec 22, 2024 at 5:35 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Sun, Dec 22, 2024 at 04:14:13PM +0800, Edward Adam Davis wrote:
> > syzbot reports a slab-out-of-bounds Read in orangefs_debug_write. [1]
> >
> > The string passed in from userspace is not terminated with a NULL character,
> > which causes strlen to go out of bounds.
> >
> > Use kstrndup to replace kstrdup.
>
> Better to replace
>     if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
>         silly = count;
>         count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
>     }
> with
>     if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
>         silly = count;
>         count = ORANGEFS_MAX_DEBUG_STRING_LEN;
>     }
> instead, so that we wouldn't have to deal with lack of NUL anywhere.