public inbox for linux-kernel@vger.kernel.org
* [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
@ 2025-01-12 18:56 syzbot
  2025-01-13 12:21 ` Edward Adam Davis
                   ` (4 more replies)
  0 siblings, 5 replies; 19+ messages in thread
From: syzbot @ 2025-01-12 18:56 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    7b4b9bf203da Add linux-next specific files for 20250107
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14246bc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=174f0a18580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=168aecb0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a96fcb87dd70/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3fa8cf4c69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd536a0078 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3fa8cf4c69
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f3fa8d685f0 R08: 000055558679c4c0 R09: 000055558679c4c0
R10: 000000000000023b R11: 0000000000000246 R12: 00007ffd536a00a0
R13: 00007ffd536a02c8 R14: 431bde82d7b634db R15: 00007f3fa8d3d03b
 </TASK>

The buggy address belongs to the variable:
 hex_asc_upper+0x11/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc5fc
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0000317f08 ffffea0000317f08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8c5fc800: 00 03 f9 f9 02 f9 f9 f9 02 f9 f9 f9 00 02 f9 f9
 ffffffff8c5fc880: 00 04 f9 f9 00 03 f9 f9 07 f9 f9 f9 00 00 04 f9
>ffffffff8c5fc900: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9
                                                             ^
 ffffffff8c5fc980: f9 f9 f9 f9 00 04 f9 f9 02 f9 f9 f9 01 f9 f9 f9
 ffffffff8c5fca00: 00 f9 f9 f9 00 f9 f9 f9 00 04 f9 f9 00 06 f9 f9
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-12 18:56 [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
@ 2025-01-13 12:21 ` Edward Adam Davis
  2025-01-13 22:19   ` syzbot
  2025-01-14  1:05 ` Edward Adam Davis
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-13 12:21 UTC (permalink / raw)
  To: syzbot+fcee6b76cf2e261c51a4; +Cc: linux-kernel, syzkaller-bugs

#syz test: https://github.com/ea1davis/linux lib/syz



* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-13 12:21 ` Edward Adam Davis
@ 2025-01-13 22:19   ` syzbot
  0 siblings, 0 replies; 19+ messages in thread
From: syzbot @ 2025-01-13 22:19 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

, num: 18446744071600486944, number
[  408.835872][ T5852] base: 16, num: 18446744071600486960, number
[  408.842226][ T5852] base: 16, num: 18446744071600487504, number
[  408.848337][ T5852] base: 16, num: 18446744071600487520, number
[  408.854579][ T5852] base: 16, num: 18446744071600487968, number
[  408.860703][ T5852] base: 16, num: 18446744071600487984, number
[  408.866804][ T5852] base: 16, num: 18446744071600488672, number
[  408.873033][ T5852] base: 16, num: 18446744071600488688, number
[  408.879276][ T5852] base: 16, num: 18446744071600489376, number
[  408.885405][ T5852] base: 16, num: 18446744071600489392, number
[  408.891529][ T5852] base: 16, num: 18446744071600489760, number
[  408.897617][ T5852] base: 16, num: 18446744071600489776, number
[  408.903772][ T5852] base: 16, num: 18446744071600490208, number
[  408.909902][ T5852] base: 16, num: 18446744071600490224, number
[  408.916010][ T5852] base: 16, num: 18446744071600490624, number
[  408.922155][ T5852] base: 16, num: 18446744071600490640, number
[  408.928317][ T5852] base: 16, num: 18446744071600490992, number
[  408.934422][ T5852] base: 16, num: 18446744071600491008, number
[  408.940543][ T5852] base: 16, num: 18446744071600491520, number
[  408.946599][ T5852] base: 16, num: 18446744071600491536, number
[  408.952724][ T5852] base: 16, num: 18446744071600491888, number
[  408.958821][ T5852] base: 16, num: 18446744071600491904, number
[  408.964988][ T5852] base: 16, num: 18446744071600492464, number
[  408.971110][ T5852] base: 16, num: 18446744071600492480, number
[  408.977172][ T5852] base: 16, num: 18446744071600492880, number
[  408.983291][ T5852] base: 16, num: 18446744071600492896, number
[  408.989409][ T5852] base: 16, num: 18446744071600493248, number
[  408.995637][ T5852] base: 16, num: 18446744071600493264, number
[  409.001743][ T5852] base: 16, num: 18446744071600493680, number
[  409.007918][ T5852] base: 16, num: 18446744071600493696, number
[  409.014059][ T5852] base: 16, num: 18446744071600494064, number
[  409.020180][ T5852] base: 16, num: 18446744071600494080, number
[  409.026260][ T5852] base: 16, num: 18446744071600494848, number
[  409.032401][ T5852] base: 16, num: 18446744071600494864, number
[  409.038486][ T5852] base: 16, num: 18446744071600495376, number
[  409.044619][ T5852] base: 16, num: 18446744071600495392, number
[  409.050859][ T5852] base: 16, num: 18446744071600495632, number
[  409.057027][ T5852] base: 16, num: 18446744071600495648, number
[  409.063245][ T5852] base: 16, num: 18446744071600495808, number
[  409.069461][ T5852] base: 16, num: 18446744071600495824, number
[  409.075525][ T5852] base: 16, num: 18446744071600495872, number
[  409.081645][ T5852] base: 16, num: 18446744071600495888, number
[  409.087725][ T5852] base: 16, num: 18446744071600496608, number
[  409.093839][ T5852] base: 16, num: 18446744071600496624, number
[  409.100036][ T5852] base: 16, num: 18446744071600497808, number
[  409.106103][ T5852] base: 16, num: 18446744071600497824, number
[  409.112215][ T5852] base: 16, num: 18446744071600499200, number
[  409.118295][ T5852] base: 16, num: 18446744071600499216, number
[  409.124454][ T5852] base: 16, num: 18446744071600499424, number
[  409.130582][ T5852] base: 16, num: 18446744071600499440, number
[  409.136647][ T5852] base: 16, num: 18446744071600500848, number
[  409.142963][ T5852] base: 16, num: 18446744071600500864, number
[  409.149304][ T5852] base: 16, num: 18446744071600501168, number
[  409.155381][ T5852] base: 16, num: 18446744071600501184, number
[  409.161528][ T5852] base: 16, num: 18446744071600501648, number
[  409.167613][ T5852] base: 16, num: 18446744071600501664, number
[  409.173761][ T5852] base: 16, num: 18446744071600501840, number
[  409.179890][ T5852] base: 16, num: 18446744071600501856, number
[  409.185987][ T5852] base: 16, num: 18446744071600502256, number
[  409.192231][ T5852] base: 16, num: 18446744071600502256, number
[  409.198318][ T5852] base: 16, num: 18446744071600502272, number
[  409.204454][ T5852] base: 16, num: 18446744071600505440, number
[  409.210585][ T5852] base: 16, num: 18446744071600505456, number
[  409.216681][ T5852] base: 16, num: 18446744071600505920, number
[  409.222793][ T5852] base: 16, num: 18446744071600505936, number
[  409.228878][ T5852] base: 16, num: 18446744071600507808, number
[  409.234998][ T5852] base: 16, num: 18446744071600507824, number
[  409.241127][ T5852] base: 16, num: 18446744071600510096, number
[  409.247186][ T5852] base: 16, num: 18446744071600510112, number
[  409.253324][ T5852] base: 16, num: 18446744071600510656, number
[  409.259452][ T5852] base: 16, num: 18446744071600510672, number
[  409.265514][ T5852] base: 16, num: 18446744071600510896, number
[  409.271723][ T5852] base: 16, num: 18446744071600510912, number
[  409.277808][ T5852] base: 16, num: 18446744071600512928, number
[  409.284117][ T5852] base: 16, num: 18446744071600512944, number
[  409.290273][ T5852] base: 16, num: 18446744071600513312, number
[  409.296436][ T5852] base: 16, num: 18446744071600513328, number
[  409.302662][ T5852] base: 16, num: 18446744071600513744, number
[  409.308767][ T5852] base: 16, num: 18446744071600513760, number
[  409.314901][ T5852] base: 16, num: 18446744071600515424, number
[  409.321130][ T5852] base: 16, num: 18446744071600515440, number
[  409.327200][ T5852] base: 16, num: 18446744071600516384, number
[  409.333306][ T5852] base: 16, num: 18446744071600516400, number
[  409.339550][ T5852] base: 16, num: 18446744071600516704, number
[  409.345678][ T5852] base: 16, num: 18446744071600516720, number
[  409.351814][ T5852] base: 16, num: 18446744071600517280, number
[  409.357899][ T5852] base: 16, num: 18446744071600517296, number
[  409.364045][ T5852] base: 16, num: 18446744071600518432, number
[  409.370242][ T5852] base: 16, num: 18446744071600518448, number
[  409.376345][ T5852] base: 16, num: 18446744071600518560, number
[  409.382491][ T5852] base: 16, num: 18446744071600518576, number
[  409.388747][ T5852] base: 16, num: 18446744071600519280, number
[  409.394895][ T5852] base: 16, num: 18446744071600519296, number
[  409.401012][ T5852] base: 16, num: 18446744071600521264, number
[  409.407071][ T5852] base: 16, num: 18446744071600521280, number
[  409.413181][ T5852] base: 16, num: 18446744071600521520, number
[  409.419285][ T5852] base: 16, num: 18446744071600521536, number
[  409.425513][ T5852] base: 16, num: 18446744071600521872, number
[  409.431658][ T5852] base: 16, num: 18446744071600521888, number
[  409.437927][ T5852] base: 16, num: 18446744071600522432, number
[  409.444084][ T5852] base: 16, num: 18446744071600522448, number
[  409.450212][ T5852] base: 16, num: 18446744071600532560, number
[  409.456353][ T5852] base: 16, num: 18446744071600532576, number
[  409.462554][ T5852] base: 16, num: 18446744071600535344, number
[  409.468642][ T5852] base: 16, num: 18446744071600535360, number
[  409.474798][ T5852] base: 16, num: 18446744071600535920, number
[  409.480974][ T5852] base: 16, num: 18446744071600535936, number
[  409.487247][ T5852] base: 16, num: 18446744071600536480, number
[  409.493407][ T5852] base: 16, num: 18446744071600536496, number
[  409.499543][ T5852] base: 16, num: 18446744071600536928, number
[  409.505786][ T5852] base: 16, num: 18446744071600536944, number
[  409.511917][ T5852] base: 16, num: 18446744071600537536, number
[  409.518002][ T5852] base: 16, num: 18446744071600537552, number
[  409.524135][ T5852] base: 16, num: 18446744071600538096, number
[  409.530291][ T5852] base: 16, num: 18446744071600538112, number
[  409.536354][ T5852] base: 16, num: 18446744071600539200, number
[  409.542457][ T5852] base: 16, num: 18446744071600539216, number
[  409.548539][ T5852] base: 16, num: 18446744071600539760, number
[  409.554688][ T5852] base: 16, num: 18446744071600539776, number
[  409.560818][ T5852] base: 16, num: 18446744071600543040, number
[  409.566965][ T5852] base: 16, num: 18446744071600543056, number
[  409.573129][ T5852] base: 16, num: 18446744071600545200, number
[  409.579340][ T5852] base: 16, num: 18446744071600545216, number
[  409.585432][ T5852] base: 16, num: 18446744071600545680, number
[  409.591582][ T5852] base: 16, num: 18446744071600545696, number
[  409.597668][ T5852] base: 16, num: 18446744071600553392, number
[  409.603999][ T5852] base: 16, num: 18446744071600553408, number
[  409.610168][ T5852] base: 16, num: 18446744071600554496, number
[  409.616289][ T5852] base: 16, num: 18446744071600554512, number
[  409.622502][ T5852] base: 16, num: 18446744071600555136, number
[  409.628606][ T5852] base: 16, num: 18446744071600555152, number
[  409.634739][ T5852] base: 16, num: 18446744071600555696, number
[  409.640860][ T5852] base: 16, num: 18446744071600555712, number
[  409.647089][ T5852] base: 16, num: 18446744071600556752, number
[  409.653211][ T5852] base: 16, num: 18446744071600556768, number
[  409.659350][ T5852] base: 16, num: 18446744071600557728, number
[  409.665417][ T5852] base: 16, num: 18446744071600557744, number
[  409.671585][ T5852] base: 16, num: 18446744071600558288, number
[  409.677692][ T5852] base: 16, num: 18446744071600558304, number
[  409.683857][ T5852] base: 16, num: 18446744071600577072, number
[  409.691846][ T5852] base: 16, num: 18446744071600577088, number
[  409.698087][ T5852] base: 16, num: 18446744071600577632, number
[  409.705293][ T5852] base: 16, num: 18446744071600577648, number
[  409.711451][ T5852] base: 16, num: 18446744071600577856, number
[  409.717531][ T5852] base: 16, num: 18446744071600577872, number
[  409.723654][ T5852] base: 16, num: 18446744071600579264, number
[  409.729781][ T5852] base: 16, num: 18446744071600579280, number
[  409.735886][ T5852] base: 16, num: 18446744071600579840, number
[  409.742029][ T5852] base: 16, num: 18446744071600579856, number
[  409.748114][ T5852] base: 16, num: 18446744071600580400, number
[  409.754280][ T5852] base: 16, num: 18446744071600580416, number
[  409.760523][ T5852] base: 16, num: 18446744071600580976, number
[  409.766590][ T5852] base: 16, num: 18446744071600580992, number
[  409.772911][ T5852] base: 16, num: 18446744071600580992, number
[  409.779088][ T5852] base: 16, num: 18446744071600582528, number
[  409.785235][ T5852] base: 16, num: 18446744071600582544, number
[  409.791436][ T5852] base: 16, num: 18446744071600582608, number
[  409.797530][ T5852] base: 16, num: 18446744071600582624, number
[  409.803676][ T5852] base: 16, num: 18446744071600583168, number
[  409.809817][ T5852] base: 16, num: 18446744071600583184, number
[  409.815965][ T5852] base: 16, num: 18446744071600583664, number
[  409.822122][ T5852] base: 16, num: 18446744071600583680, number
[  409.828212][ T5852] base: 16, num: 18446744071600584064, number
[  409.834345][ T5852] base: 16, num: 18446744071600584080, number
[  409.840472][ T5852] base: 16, num: 18446744071600587104, number
[  409.846543][ T5852] base: 16, num: 18446744071600587120, number
[  409.852686][ T5852] base: 16, num: 18446744071600590064, number
[  409.858773][ T5852] base: 16, num: 18446744071600590080, number
[  409.864927][ T5852] base: 16, num: 18446744071600590624, number
[  409.871077][ T5852] base: 16, num: 18446744071600590640, number
[  409.877150][ T5852] base: 16, num: 18446744071600598944, number
[  409.883271][ T5852] base: 16, num: 18446744071600598960, number
[  409.889413][ T5852] base: 16, num: 18446744071600600016, number
[  409.895477][ T5852] base: 16, num: 18446744071600600032, number
[  409.901584][ T5852] base: 16, num: 18446744071600600352, number
[  409.907664][ T5852] base: 16, num: 18446744071600600368, number
[  409.913795][ T5852] base: 16, num: 18446744071600601104, number
[  409.919909][ T5852] base: 16, num: 18446744071600601120, number
[  409.925985][ T5852] base: 16, num: 18446744071600601664, number
[  409.932120][ T5852] base: 16, num: 18446744071600601680, number
[  409.938207][ T5852] base: 16, num: 18446744071600602048, number
[  409.944334][ T5852] base: 16, num: 18446744071600602064, number
[  409.950445][ T5852] base: 16, num: 18446744071600603312, number
[  409.956712][ T5852] base: 16, num: 18446744071600603328, number
[  409.962970][ T5852] base: 16, num: 18446744071600605456, number
[  409.969129][ T5852] base: 16, num: 18446744071600605472, number
[  409.975350][ T5852] base: 16, num: 18446744071600606288, number
[  409.981614][ T5852] base: 16, num: 18446744071600606304, number
[  409.987884][ T5852] base: 16, num: 18446744071600606848, number
[  409.994047][ T5852] base: 16, num: 18446744071600606864, number
[  410.000347][ T5852] base: 16, num: 18446744071600607392, number
[  410.006536][ T5852] base: 16, num: 18446744071600607408, number
[  410.012767][ T5852] base: 16, num: 18446744071600607952, number
[  410.019146][ T5852] base: 16, num: 18446744071600607968, number
[  410.025407][ T5852] base: 16, num: 18446744071600608240, number
[  410.031535][ T5852] base: 16, num: 18446744071600608256, number
[  410.037639][ T5852] base: 16, num: 18446744071600608816, number
[  410.043791][ T5852] base: 16, num: 18446744071600608832, number
[  410.049924][ T5852] base: 16, num: 18446744071600609392, number
[  410.056002][ T5852] base: 16, num: 18446744071600609408, number
[  410.062144][ T5852] base: 16, num: 18446744071600610048, number


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2029080981=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 6dbc6a9bc
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6dbc6a9bc76e06852841ed5c5bdbb78409b17f53 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250110-142744'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6dbc6a9bc76e06852841ed5c5bdbb78409b17f53\"
/usr/bin/ld: /tmp/ccMSRdBJ.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=145eca18580000


Tested on:

commit:         f333279e printf: base is too large ?
git tree:       https://github.com/ea1davis/linux lib/syz
kernel config:  https://syzkaller.appspot.com/x/.config?x=e01787b160d01f1
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.


* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-12 18:56 [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
  2025-01-13 12:21 ` Edward Adam Davis
@ 2025-01-14  1:05 ` Edward Adam Davis
  2025-01-14  1:38   ` syzbot
  2025-01-14  1:30 ` Edward Adam Davis
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14  1:05 UTC (permalink / raw)
  To: syzbot+fcee6b76cf2e261c51a4; +Cc: linux-kernel, syzkaller-bugs

#syz test: https://github.com/ea1davis/linux lib/syz



* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-12 18:56 [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
  2025-01-13 12:21 ` Edward Adam Davis
  2025-01-14  1:05 ` Edward Adam Davis
@ 2025-01-14  1:30 ` Edward Adam Davis
  2025-01-14  2:13   ` syzbot
  2025-01-14  2:28 ` [PATCH] block: no show partitions if partno corrupted Edward Adam Davis
  2025-01-14  5:29 ` [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
  4 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14  1:30 UTC (permalink / raw)
  To: syzbot+fcee6b76cf2e261c51a4; +Cc: linux-kernel, syzkaller-bugs

#syz test: https://github.com/ea1davis/linux lib/syz



* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-14  1:05 ` Edward Adam Davis
@ 2025-01-14  1:38   ` syzbot
  0 siblings, 0 replies; 19+ messages in thread
From: syzbot @ 2025-01-14  1:38 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com

Tested on:

commit:         ff395cea printf: part no is too large
git tree:       https://github.com/ea1davis/linux lib/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=10149bc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e01787b160d01f1
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-14  1:30 ` Edward Adam Davis
@ 2025-01-14  2:13   ` syzbot
  0 siblings, 0 replies; 19+ messages in thread
From: syzbot @ 2025-01-14  2:13 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com

Tested on:

commit:         1eb96728 printf: part no is too large
git tree:       https://github.com/ea1davis/linux lib/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=1046fef8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e01787b160d01f1
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* [PATCH] block: no show partitions if partno corrupted
  2025-01-12 18:56 [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
                   ` (2 preceding siblings ...)
  2025-01-14  1:30 ` Edward Adam Davis
@ 2025-01-14  2:28 ` Edward Adam Davis
  2025-01-14  7:21   ` Hannes Reinecke
  2025-01-14  5:29 ` [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
  4 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14  2:28 UTC (permalink / raw)
  To: syzbot+fcee6b76cf2e261c51a4
  Cc: axboe, linux-block, linux-kernel, syzkaller-bugs

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 block/genhd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
-		if (!bdev_nr_sectors(part))
+		int partno = bdev_partno(part);
+
+		if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
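Review bot: the condition on the `+		if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)` line skips partno equal to DISK_MAX_PARTS as well, while the commit message says "greater than DISK_MAX_PARTS"; since valid numbers are 0..DISK_MAX_PARTS-1 the `>=` is the right test, so please reword the message to match. More importantly, syzbot's bisection later in this thread lands on the vsnprintf commit 8d4826cc8a8a rather than on block code, so it is worth establishing whether partno really is corrupted or whether the "%pg" formatting path is what misbehaves: if the latter, this check only hides the symptom for one caller of "%pg". If partno can genuinely exceed the bound, explain in the message how such an entry reaches part_tbl, and consider a WARN_ON_ONCE() instead of silently dropping the row so that a corrupted table stays visible; if it cannot, the added check is dead code.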
-- 
2.47.0


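A user-space model of the guard this patch adds to show_partition(), written as an added example and not taken from the kernel or from the patch. It walks a constructed partition table, applies the original empty-partition check and the new partno bound, and builds the partition name the way "%pg" does (appending a 'p' before the number when the disk name already ends in a digit). The struct and function names (model_part, model_bdev_name, model_should_show, model_show_partition, model_demo, demo_table) are assumptions made for this example, and DISK_MAX_PARTS is taken to be 256 here. The model also counts how many entries were dropped for an out-of-range partno, because a partition number outside the table's range is an invariant violation that a defender wants surfaced rather than silently hidden.

```c
/* Added example: user-space model of the patched show_partition() filter.
 * Names prefixed model_ and the demo_table are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

#define DISK_MAX_PARTS 256  /* assumed to match the kernel macro of the same name */

struct model_part {
    unsigned int major, minor;  /* MAJOR()/MINOR() of bd_dev */
    uint64_t nr_sectors;        /* what bdev_nr_sectors() would return */
    unsigned int partno;        /* what bdev_partno() would return; may be corrupted */
    const char *disk_name;      /* hd->disk_name */
};

/* Build the name "%pg" prints: disk name, then the partition number, with a
 * 'p' separator when the disk name itself ends in a digit (nvme0n1 -> nvme0n1p1). */
static void model_bdev_name(const struct model_part *p, char *out, size_t len)
{
    size_t n = strlen(p->disk_name);

    if (p->partno == 0) {
        snprintf(out, len, "%s", p->disk_name);
        return;
    }
    if (n && isdigit((unsigned char)p->disk_name[n - 1]))
        snprintf(out, len, "%sp%u", p->disk_name, p->partno);
    else
        snprintf(out, len, "%s%u", p->disk_name, p->partno);
}

/* Mirrors the patched condition: empty partitions and out-of-range partno are skipped. */
static int model_should_show(const struct model_part *p)
{
    if (p->nr_sectors == 0)             /* original check */
        return 0;
    if (p->partno >= DISK_MAX_PARTS)    /* new check: corrupted partno */
        return 0;
    return 1;
}

/* Render the /proc/partitions rows into buf. Returns the number of entries
 * dropped because partno was out of range; *rows_out receives the row count. */
static int model_show_partition(const struct model_part *tbl, size_t count,
                                char *buf, size_t len, int *rows_out)
{
    int skipped_corrupt = 0, rows = 0;
    size_t used = 0;
    char name[64];

    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        const struct model_part *p = &tbl[i];

        if (p->partno >= DISK_MAX_PARTS)
            skipped_corrupt++;          /* worth logging: table invariant violated */
        if (!model_should_show(p))
            continue;
        model_bdev_name(p, name, sizeof(name));
        int w = snprintf(buf + used, len - used, "%4u  %7u %10llu %s\n",
                         p->major, p->minor,
                         (unsigned long long)p->nr_sectors, name);
        if (w < 0 || (size_t)w >= len - used)
            break;                      /* buffer full: stop rather than emit a truncated row */
        used += (size_t)w;
        rows++;
    }
    if (rows_out)
        *rows_out = rows;
    return skipped_corrupt;
}

/* Constructed sample table: a normal partition, an empty one, one on a disk
 * whose name ends in a digit, and one whose partno is out of range. */
static const struct model_part demo_table[] = {
    { 8,   1, 2097152, 1,   "sda" },
    { 8,   2, 0,       2,   "sda" },      /* empty: skipped by the original check */
    { 259, 1, 1048576, 1,   "nvme0n1" },
    { 259, 2, 1048576, 300, "nvme0n1" },  /* partno >= DISK_MAX_PARTS: skipped by the new check */
};

static int model_demo(char *buf, size_t len, int *rows_out)
{
    return model_show_partition(demo_table,
                                sizeof(demo_table) / sizeof(demo_table[0]),
                                buf, len, rows_out);
}

int main(void)
{
    char buf[256];
    int rows = 0;
    int bad = model_demo(buf, sizeof(buf), &rows);

    fputs(buf, stdout);
    printf("rows=%d, entries dropped for out-of-range partno=%d\n", rows, bad);
    return 0;
}
```

The model prints two rows (sda1 and nvme0n1p1) and reports one dropped entry; the dropped count is the piece the kernel patch does not have, and it is the reason a WARN_ON_ONCE() or similar is preferable to a silent `continue` when the invariant fails.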

* Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number
  2025-01-12 18:56 [syzbot] [fs?] KASAN: global-out-of-bounds Read in number syzbot
                   ` (3 preceding siblings ...)
  2025-01-14  2:28 ` [PATCH] block: no show partitions if partno corrupted Edward Adam Davis
@ 2025-01-14  5:29 ` syzbot
  4 siblings, 0 replies; 19+ messages in thread
From: syzbot @ 2025-01-14  5:29 UTC (permalink / raw)
  To: adobriyan, akpm, andriy.shevchenko, axboe, brauner, eadavis,
	kirill.shutemov, linux-block, linux-fsdevel, linux-kernel, linux,
	pmladek, rick.p.edgecombe, rostedt, senozhatsky, syzkaller-bugs,
	torvalds, viro, zhouchengming

syzbot has bisected this issue to:

commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Dec 19 21:52:53 2024 +0000

    vsnprintf: collapse the number format state into one single state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16342a18580000
start commit:   7b4b9bf203da Add linux-next specific files for 20250107
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15342a18580000
console output: https://syzkaller.appspot.com/x/log.txt?x=11342a18580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=174f0a18580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=168aecb0580000

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Fixes: 8d4826cc8a8a ("vsnprintf: collapse the number format state into one single state")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [PATCH] block: no show partitions if partno corrupted
  2025-01-14  2:28 ` [PATCH] block: no show partitions if partno corrupted Edward Adam Davis
@ 2025-01-14  7:21   ` Hannes Reinecke
  2025-01-14  8:51     ` [PATCH V2] " Edward Adam Davis
  0 siblings, 1 reply; 19+ messages in thread
From: Hannes Reinecke @ 2025-01-14  7:21 UTC (permalink / raw)
  To: Edward Adam Davis, syzbot+fcee6b76cf2e261c51a4
  Cc: axboe, linux-block, linux-kernel, syzkaller-bugs

On 1/14/25 03:28, Edward Adam Davis wrote:
> syzbot reported a global-out-of-bounds in number. [1]
> 
> Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
> array.
> 
> To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.
> 
> [1]
> BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
> Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832
> 
> CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
>   <TASK>
>   __dump_stack lib/dump_stack.c:94 [inline]
>   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>   print_address_description mm/kasan/report.c:378 [inline]
>   print_report+0x169/0x550 mm/kasan/report.c:489
>   kasan_report+0x143/0x180 mm/kasan/report.c:602
>   number+0x3be/0xf40 lib/vsprintf.c:494
>   pointer+0x764/0x1210 lib/vsprintf.c:2484
>   vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
>   seq_vprintf fs/seq_file.c:391 [inline]
>   seq_printf+0x172/0x270 fs/seq_file.c:406
>   show_partition+0x29f/0x3f0 block/genhd.c:905
>   seq_read_iter+0x969/0xd70 fs/seq_file.c:272
>   proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
>   copy_splice_read+0x63a/0xb40 fs/splice.c:365
>   do_splice_read fs/splice.c:985 [inline]
>   splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
>   do_splice_direct_actor fs/splice.c:1207 [inline]
>   do_splice_direct+0x289/0x3e0 fs/splice.c:1233
>   do_sendfile+0x564/0x8a0 fs/read_write.c:1363
>   __do_sys_sendfile64 fs/read_write.c:1424 [inline]
>   __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
> Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   block/genhd.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>   
>   	rcu_read_lock();
>   	xa_for_each(&sgp->part_tbl, idx, part) {
> -		if (!bdev_nr_sectors(part))
> +		int partno = bdev_partno(part);
> +
> +		if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>   			continue;
>   		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>   			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
Maybe a warning is in order; when we are hitting this issue it means
that linux has a limitation causing it to ignore the (otherwise
valid) partition entry.

Otherwise looks good.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich


* [PATCH V2] block: no show partitions if partno corrupted
  2025-01-14  7:21   ` Hannes Reinecke
@ 2025-01-14  8:51     ` Edward Adam Davis
  2025-01-14 14:16       ` Jens Axboe
  0 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14  8:51 UTC (permalink / raw)
  To: hare
  Cc: axboe, eadavis, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning

 block/genhd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
-		if (!bdev_nr_sectors(part))
+		int partno = bdev_partno(part);
+
+		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
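Review bot: `WARN_ON()` inside the loop condition dumps a stack trace on every read of /proc/partitions for as long as the bad entry exists, so a plain file read turns into a log flood; `WARN_ON_ONCE()` is the right form here. Folding it into `!bdev_nr_sectors(part) || WARN_ON(...)` also means the range check is only evaluated when the entry has a non-zero size, because `||` short-circuits, so a zero-length entry with a corrupted partno is skipped with no diagnostic at all; a separate `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) continue;` on its own line, placed before the size check if the warning is meant to cover empty entries too, is clearer and removes that ordering dependence.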
-- 
2.47.0



* Re: [PATCH V2] block: no show partitions if partno corrupted
  2025-01-14  8:51     ` [PATCH V2] " Edward Adam Davis
@ 2025-01-14 14:16       ` Jens Axboe
  2025-01-14 14:58         ` [PATCH V3] " Edward Adam Davis
  2025-01-15  6:46         ` [PATCH V2] " Christoph Hellwig
  0 siblings, 2 replies; 19+ messages in thread
From: Jens Axboe @ 2025-01-14 14:16 UTC (permalink / raw)
  To: Edward Adam Davis, hare
  Cc: linux-block, linux-kernel, syzbot+fcee6b76cf2e261c51a4,
	syzkaller-bugs

On 1/14/25 1:51 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>  	rcu_read_lock();
>  	xa_for_each(&sgp->part_tbl, idx, part) {
> -		if (!bdev_nr_sectors(part))
> +		int partno = bdev_partno(part);
> +
> +		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
>  			continue;
>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>  			   MAJOR(part->bd_dev), MINOR(part->bd_dev),

This should be a WARN_ON_ONCE(), and please put warn-on's on a separate
line.

-- 
Jens Axboe


* [PATCH V3] block: no show partitions if partno corrupted
  2025-01-14 14:16       ` Jens Axboe
@ 2025-01-14 14:58         ` Edward Adam Davis
  2025-01-14 15:02           ` Jens Axboe
  2025-01-15  6:46         ` [PATCH V2] " Christoph Hellwig
  1 sibling, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14 14:58 UTC (permalink / raw)
  To: axboe
  Cc: eadavis, hare, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning
V2 -> V3: replace with WARN_ON_ONCE on a separate line

 block/genhd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..3a9c36ad6bbd 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
+		int partno = bdev_partno(part);
+
+		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
 		if (!bdev_nr_sectors(part))
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
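Review bot: the standalone `WARN_ON_ONCE(partno >= DISK_MAX_PARTS);` no longer skips anything: an out-of-range entry is reported and then falls straight through to the `seq_printf()` with `%pg`, which is the call the KASAN trace above reaches number() from via pointer(), so this version reintroduces the out-of-bounds read that V1 and V2 avoided, and it contradicts the commit message, which still says such partitions are skipped. `WARN_ON_ONCE()` returns its condition, so it can be the skip test itself: `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) continue;`.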
-- 
2.47.0



* Re: [PATCH V3] block: no show partitions if partno corrupted
  2025-01-14 14:58         ` [PATCH V3] " Edward Adam Davis
@ 2025-01-14 15:02           ` Jens Axboe
  2025-01-14 15:15             ` Edward Adam Davis
  0 siblings, 1 reply; 19+ messages in thread
From: Jens Axboe @ 2025-01-14 15:02 UTC (permalink / raw)
  To: Edward Adam Davis
  Cc: hare, linux-block, linux-kernel, syzbot+fcee6b76cf2e261c51a4,
	syzkaller-bugs

On 1/14/25 7:58 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..3a9c36ad6bbd 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>  	rcu_read_lock();
>  	xa_for_each(&sgp->part_tbl, idx, part) {
> +		int partno = bdev_partno(part);
> +
> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>  		if (!bdev_nr_sectors(part))
>  			continue;
>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",

Surely you still want to continue for that condition?

-- 
Jens Axboe


* Re: [PATCH V3] block: no show partitions if partno corrupted
  2025-01-14 15:02           ` Jens Axboe
@ 2025-01-14 15:15             ` Edward Adam Davis
  2025-01-14 15:25               ` Jens Axboe
  0 siblings, 1 reply; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14 15:15 UTC (permalink / raw)
  To: axboe
  Cc: eadavis, hare, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
> > diff --git a/block/genhd.c b/block/genhd.c
> > index 9130e163e191..3a9c36ad6bbd 100644
> > --- a/block/genhd.c
> > +++ b/block/genhd.c
> > @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
> >
> >  	rcu_read_lock();
> >  	xa_for_each(&sgp->part_tbl, idx, part) {
> > +		int partno = bdev_partno(part);
> > +
> > +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> >  		if (!bdev_nr_sectors(part))
> >  			continue;
> >  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
> 
> Surely you still want to continue for that condition?
No.
But like following, ok?
diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..142b13620f0c 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
 
        rcu_read_lock();
        xa_for_each(&sgp->part_tbl, idx, part) {
-               if (!bdev_nr_sectors(part))
+               int partno = bdev_partno(part);
+
+               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
+               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
                        continue;
                seq_printf(seqf, "%4d  %7d %10llu %pg\n",
                           MAJOR(part->bd_dev), MINOR(part->bd_dev),
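Review bot: `WARN_ON_ONCE(partno >= DISK_MAX_PARTS);` followed by `|| partno >= DISK_MAX_PARTS` in the `if` tests the same condition twice; since `WARN_ON_ONCE()` returns the value of its condition, the standalone statement can go and the warning can serve as the skip test directly, as a second `if` after the size check: `if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS)) continue;`.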



* Re: [PATCH V3] block: no show partitions if partno corrupted
  2025-01-14 15:15             ` Edward Adam Davis
@ 2025-01-14 15:25               ` Jens Axboe
  2025-01-14 15:34                 ` [PATCH V4] " Edward Adam Davis
  2025-01-14 16:21                 ` [PATCH V3] " Edward Adam Davis
  0 siblings, 2 replies; 19+ messages in thread
From: Jens Axboe @ 2025-01-14 15:25 UTC (permalink / raw)
  To: Edward Adam Davis
  Cc: hare, linux-block, linux-kernel, syzbot+fcee6b76cf2e261c51a4,
	syzkaller-bugs

On 1/14/25 8:15 AM, Edward Adam Davis wrote:
> On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
>>> diff --git a/block/genhd.c b/block/genhd.c
>>> index 9130e163e191..3a9c36ad6bbd 100644
>>> --- a/block/genhd.c
>>> +++ b/block/genhd.c
>>> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>>>
>>>  	rcu_read_lock();
>>>  	xa_for_each(&sgp->part_tbl, idx, part) {
>>> +		int partno = bdev_partno(part);
>>> +
>>> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>>>  		if (!bdev_nr_sectors(part))
>>>  			continue;
>>>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>
>> Surely you still want to continue for that condition?
> No.

No?

> But like following, ok?
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..142b13620f0c 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>         rcu_read_lock();
>         xa_for_each(&sgp->part_tbl, idx, part) {
> -               if (!bdev_nr_sectors(part))
> +               int partno = bdev_partno(part);
> +
> +               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> +               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>                         continue;
>                 seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>                            MAJOR(part->bd_dev), MINOR(part->bd_dev),

That's just silly...

	xa_for_each(&sgp->part_tbl, idx, part) {
		int partno = bdev_partno(part);

		if (!bdev_nr_sectors(part))
			continue;
		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
			continue;

		...
	}

-- 
Jens Axboe


* [PATCH V4] block: no show partitions if partno corrupted
  2025-01-14 15:25               ` Jens Axboe
@ 2025-01-14 15:34                 ` Edward Adam Davis
  2025-01-14 16:21                 ` [PATCH V3] " Edward Adam Davis
  1 sibling, 0 replies; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14 15:34 UTC (permalink / raw)
  To: axboe
  Cc: eadavis, hare, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning
V2 -> V3: replace with WARN_ON_ONCE on a separate line
V3 -> V4: add continue

 block/genhd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..a9a1d5a429aa 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,8 +890,12 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
+		int partno = bdev_partno(part);
+
 		if (!bdev_nr_sectors(part))
 			continue;
+		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
+			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
 			   bdev_nr_sectors(part) >> 1, part);
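Review bot: the control flow is now right (report once, then `continue`), but the condition itself needs a second look before merging: `bdev_partno()` masks the flags word with BD_PARTNO, which is 255, while DISK_MAX_PARTS is 256 (both values are given by Christoph Hellwig in his reply to V2 in this thread), so `partno >= DISK_MAX_PARTS` can never evaluate true and this hunk neither warns nor skips anything on the reported input. syzbot's bisection in this thread lands on a vsnprintf change, and the trace enters number() via pointer() from the `%pg` in `seq_printf()`, which points at the format code or at the object `%pg` dereferences rather than at a partno range check in genhd.c; the syzbot Tested-by carried by V1 should be re-read with that in mind. Two smaller points: `partno` is computed before the size check and unused on that path, so it could be declared after the first `continue`; and the commit message says "greater than DISK_MAX_PARTS" while the code skips at `>=`, so it should say "greater than or equal to".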
-- 
2.47.0



* Re: [PATCH V3] block: no show partitions if partno corrupted
  2025-01-14 15:25               ` Jens Axboe
  2025-01-14 15:34                 ` [PATCH V4] " Edward Adam Davis
@ 2025-01-14 16:21                 ` Edward Adam Davis
  1 sibling, 0 replies; 19+ messages in thread
From: Edward Adam Davis @ 2025-01-14 16:21 UTC (permalink / raw)
  To: axboe
  Cc: eadavis, hare, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

On Tue, 14 Jan 2025 08:25:13 -0700, Jens Axboe wrote:
>> On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
>>>> diff --git a/block/genhd.c b/block/genhd.c
>>>> index 9130e163e191..3a9c36ad6bbd 100644
>>>> --- a/block/genhd.c
>>>> +++ b/block/genhd.c
>>>> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>>>>
>>>>  	rcu_read_lock();
>>>>  	xa_for_each(&sgp->part_tbl, idx, part) {
>>>> +		int partno = bdev_partno(part);
>>>> +
>>>> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>>>>  		if (!bdev_nr_sectors(part))
>>>>  			continue;
>>>>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>>
>>> Surely you still want to continue for that condition?
>> No.
>
>No?
>
>> But like following, ok?
>> diff --git a/block/genhd.c b/block/genhd.c
>> index 9130e163e191..142b13620f0c 100644
>> --- a/block/genhd.c
>> +++ b/block/genhd.c
>> @@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
>>
>>         rcu_read_lock();
>>         xa_for_each(&sgp->part_tbl, idx, part) {
>> -               if (!bdev_nr_sectors(part))
>> +               int partno = bdev_partno(part);
>> +
>> +               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>> +               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>>                         continue;
>>                 seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>                            MAJOR(part->bd_dev), MINOR(part->bd_dev),
>
>That's just silly...
I checked WARN_ON_ONCE(), and when the condition is met, the subsequent
WARN_ON_ONCE() will still return true, so adding it will not affect the
judgment of the condition.
It just issues a warning the first time the condition is met, and it will
still return true if the condition is true.
>
>	xa_for_each(&sgp->part_tbl, idx, part) {
>		int partno = bdev_partno(part);
>
>		if (!bdev_nr_sectors(part))
>			continue;
>		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
>			continue;
>
>		...
>	}

Edward



* Re: [PATCH V2] block: no show partitions if partno corrupted
  2025-01-14 14:16       ` Jens Axboe
  2025-01-14 14:58         ` [PATCH V3] " Edward Adam Davis
@ 2025-01-15  6:46         ` Christoph Hellwig
  1 sibling, 0 replies; 19+ messages in thread
From: Christoph Hellwig @ 2025-01-15  6:46 UTC (permalink / raw)
  To: Jens Axboe
  Cc: Edward Adam Davis, hare, linux-block, linux-kernel,
	syzbot+fcee6b76cf2e261c51a4, syzkaller-bugs

On Tue, Jan 14, 2025 at 07:16:31AM -0700, Jens Axboe wrote:
> On 1/14/25 1:51 AM, Edward Adam Davis wrote:
> > diff --git a/block/genhd.c b/block/genhd.c
> > index 9130e163e191..8d539a4a3b37 100644
> > --- a/block/genhd.c
> > +++ b/block/genhd.c
> > @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
> >  
> >  	rcu_read_lock();
> >  	xa_for_each(&sgp->part_tbl, idx, part) {
> > -		if (!bdev_nr_sectors(part))
> > +		int partno = bdev_partno(part);
> > +
> > +		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
> >  			continue;
> >  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
> >  			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
> 
> This should be a WARN_ON_ONCE(), and please put warn-on's on a separate
> line.

Ummm...

DISK_MAX_PARTS is 256.

bdev_partno reads from bdev->__bd_flags and masks out BD_PARTNO,
which is 255.

In other words we should never be able to get a value bigger than 255
from bdev_partno, so something is really fishy here that a WARN_ON in
the show function won't help with.

Also the fact that the low-level printf code trips over an 8-bit integer
sounds wrong, and if it does for something not caused by say a use
after free higher up we've got another deep problem there.

All of that has nothing to do with show_partition, though.
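A userspace model of the two points argued above, added here as an example; it is not kernel code and not code from anyone in this thread. It checks Edward's reading of WARN_ON_ONCE() (the condition is evaluated on every call and its value is always returned, the message is printed only once) by running the V4 loop shape over a constructed partition table, and it checks Christoph's observation that an accessor which masks with BD_PARTNO (255) can never return a value of DISK_MAX_PARTS (256) or more. The constants are taken from the thread and assumed to match the kernel's; `model_warn_on_once`, `model_show_partition`, `model_bdev_partno`, `struct model_part` and the sample table are constructed stand-ins, and partno is stored directly in the stand-in so that a corrupted value can be injected at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as stated in the thread; assumed to match the kernel's definitions. */
#define DISK_MAX_PARTS 256
#define BD_PARTNO      255u

/* Userspace model of WARN_ON_ONCE(): the condition is evaluated on every
 * call, a message is printed only the first time it is true, and the
 * condition's value is always returned so the caller can still act on it. */
static int warn_emitted;	/* messages printed, at most 1 */
static int warn_hits;		/* times the condition evaluated true */

static bool model_warn_on_once(bool cond, const char *expr)
{
	if (cond) {
		warn_hits++;
		if (!warn_emitted) {
			fprintf(stderr, "WARNING: %s\n", expr);
			warn_emitted = 1;
		}
	}
	return cond;
}
#define MODEL_WARN_ON_ONCE(c) model_warn_on_once((c), #c)

static void model_warn_reset(void)
{
	warn_emitted = 0;
	warn_hits = 0;
}

/* Constructed stand-in for a partition entry. partno is stored directly so
 * that a corrupted value can be injected for the demonstration. */
struct model_part {
	unsigned int partno;
	uint64_t nr_sectors;
};

/* Same control flow as the V4 hunk: skip empty entries, warn once and skip
 * on an out-of-range partno, otherwise emit a row. Returns rows emitted. */
static int model_show_partition(const struct model_part *tbl, size_t n)
{
	int rows = 0;

	for (size_t i = 0; i < n; i++) {
		unsigned int partno = tbl[i].partno;

		if (!tbl[i].nr_sectors)
			continue;
		if (MODEL_WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
			continue;
		printf("%4u %10llu\n", partno,
		       (unsigned long long)(tbl[i].nr_sectors >> 1));
		rows++;
	}
	return rows;
}

/* Model of bdev_partno() as described in the thread: the flags word
 * masked with BD_PARTNO. */
static unsigned int model_bdev_partno(uint32_t bd_flags)
{
	return bd_flags & BD_PARTNO;
}

/* Largest value the accessor can return over every 16-bit flags word.
 * If it is below DISK_MAX_PARTS, the range check in the loop is dead code. */
static unsigned int max_partno_from_accessor(void)
{
	unsigned int max = 0;

	for (uint32_t f = 0; f <= 0xFFFFu; f++) {
		unsigned int p = model_bdev_partno(f);

		if (p > max)
			max = p;
	}
	return max;
}

/* Constructed table: one normal entry, one empty one, and two with a
 * partno that the real accessor could never produce. */
static const struct model_part sample_tbl[] = {
	{ 1,   2048 },
	{ 2,   0 },
	{ 300, 4096 },
	{ 999, 8192 },
};

/* Runs the loop over the sample table; returns the number of rows printed. */
static int run_sample(void)
{
	model_warn_reset();
	return model_show_partition(sample_tbl,
				    sizeof(sample_tbl) / sizeof(sample_tbl[0]));
}

int main(void)
{
	int rows = run_sample();

	printf("rows=%d warnings_printed=%d out_of_range_hits=%d\n",
	       rows, warn_emitted, warn_hits);
	printf("max partno from accessor=%u (DISK_MAX_PARTS=%d)\n",
	       max_partno_from_accessor(), DISK_MAX_PARTS);
	return 0;
}
```

Over the sample table the loop prints one row, skips both corrupted entries, and prints exactly one warning even though the condition was true twice, which is the behaviour the `if (WARN_ON_ONCE(...)) continue;` form relies on. The accessor model never returns more than 255, so against a real `bdev_partno()` the range check in the loop cannot fire, which is why the corruption reported by KASAN has to be coming from somewhere other than the partno value.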

