2018-04-10 08:40:06

by syzbot

[permalink] [raw]
Subject: KASAN: null-ptr-deref Read in xattr_getsecurity

Hello,

syzbot hit the following crash on upstream commit
fd40ffc72e2f74c7db61e400903e7d50a88bc0b0 (Mon Apr 9 18:36:05 2018 +0000)
selinux: fix missing dput() before selinuxfs unmount
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=9369930ca44f29e60e2d

So far this crash happened 41 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5421128315043840
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-771321277174894814
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

R13: 0000000000000098 R14: 00000000006f3ee0 R15: 0000000000000002
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: null-ptr-deref in xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251
Read of size 20 at addr 0000000000000000 by task syz-executor5/12111

CPU: 0 PID: 12111 Comm: syz-executor5 Not tainted 4.16.0+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report.cold.7+0x13b/0x2f5 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
memcpy+0x23/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:345 [inline]
xattr_getsecurity+0x18a/0x1f0 fs/xattr.c:251
vfs_getxattr+0xf2/0x160 fs/xattr.c:333
getxattr+0x139/0x2c0 fs/xattr.c:540
SYSC_fgetxattr fs/xattr.c:598 [inline]
SyS_fgetxattr+0x109/0x190 fs/xattr.c:589
do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455259
RSP: 002b:00007f20bc46fc68 EFLAGS: 00000246 ORIG_RAX: 00000000000000c1
RAX: ffffffffffffffda RBX: 00007f20bc4706d4 RCX: 0000000000455259
RDX: 0000000020000280 RSI: 00000000200002c0 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffff27 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000098 R14: 00000000006f3ee0 R15: 0000000000000002
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.


2018-04-10 10:18:25

by Tetsuo Handa

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <[email protected]>
Date: Tue, 10 Apr 2018 15:15:16 +0900
Subject: [PATCH] commoncap: Handle memory allocation failure.

syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
memory allocation failed. Return -ENOMEM if memory allocation failed.

[1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107

Signed-off-by: Tetsuo Handa <[email protected]>
Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
Reported-by: syzbot <[email protected]>
Cc: stable <[email protected]> # 4.14+
Cc: Serge E. Hallyn <[email protected]>
Cc: Eric W. Biederman <[email protected]>
---
security/commoncap.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/security/commoncap.c b/security/commoncap.c
index 48620c9..1ce701f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
magic |= VFS_CAP_FLAGS_EFFECTIVE;
memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
cap->magic_etc = cpu_to_le32(magic);
+ } else {
+ size = -ENOMEM;
}
}
kfree(tmpbuf);
--
1.8.3.1


2018-04-10 14:47:38

by Eric W. Biederman

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

Tetsuo Handa <[email protected]> writes:

> From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <[email protected]>
> Date: Tue, 10 Apr 2018 15:15:16 +0900
> Subject: [PATCH] commoncap: Handle memory allocation failure.
>
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107

Acked-by: "Eric W. Biederman" <[email protected]>

Tetsuo I can pick this up, or do you have preferred path for getting
this change merged?

Serge does this fix look ok to you? I am a bit worried that
might be a bit brittler but I don't see any issues with this change.

Eric


> Signed-off-by: Tetsuo Handa <[email protected]>
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot <[email protected]>
> Cc: stable <[email protected]> # 4.14+
> Cc: Serge E. Hallyn <[email protected]>
> Cc: Eric W. Biederman <[email protected]>
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1

2018-04-10 14:48:52

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

On Tue, Apr 10, 2018 at 07:13:23PM +0900, Tetsuo Handa wrote:
> syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> memory allocation failed. Return -ENOMEM if memory allocation failed.
>
> [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Signed-off-by: Tetsuo Handa <[email protected]>
> Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> Reported-by: syzbot <[email protected]>
> Cc: stable <[email protected]> # 4.14+
> Cc: Serge E. Hallyn <[email protected]>

Acked-by: Serge Hallyn <[email protected]>

thanks!

-serge

> Cc: Eric W. Biederman <[email protected]>
> ---
> security/commoncap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 48620c9..1ce701f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> magic |= VFS_CAP_FLAGS_EFFECTIVE;
> memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> cap->magic_etc = cpu_to_le32(magic);
> + } else {
> + size = -ENOMEM;
> }
> }
> kfree(tmpbuf);
> --
> 1.8.3.1

2018-04-10 14:51:27

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

On Tue, Apr 10, 2018 at 09:42:50AM -0500, Eric W. Biederman wrote:
> Tetsuo Handa <[email protected]> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <[email protected]>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <[email protected]>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
>
> Serge does this fix look ok to you? I am a bit worried that

yup, looks good to me. would have replied an hour or two ago but lacked
an lkml-acceptable mailer :)

thanks,
serge

> might be a bit brittler but I don't see any issues with this change.
>
> Eric
>
>
> > Signed-off-by: Tetsuo Handa <[email protected]>
> > Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities")
> > Reported-by: syzbot <[email protected]>
> > Cc: stable <[email protected]> # 4.14+
> > Cc: Serge E. Hallyn <[email protected]>
> > Cc: Eric W. Biederman <[email protected]>
> > ---
> > security/commoncap.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 48620c9..1ce701f 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> > magic |= VFS_CAP_FLAGS_EFFECTIVE;
> > memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
> > cap->magic_etc = cpu_to_le32(magic);
> > + } else {
> > + size = -ENOMEM;
> > }
> > }
> > kfree(tmpbuf);
> > --
> > 1.8.3.1

2018-04-10 21:05:15

by Tetsuo Handa

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

Eric W. Biederman wrote:
> Tetsuo Handa <[email protected]> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <[email protected]>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <[email protected]>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?

I don't have preferred path. You can pick this up. Thanks.

2018-04-10 23:29:27

by James Morris

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

On Tue, 10 Apr 2018, Eric W. Biederman wrote:

> Tetsuo Handa <[email protected]> writes:
>
> > From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001
> > From: Tetsuo Handa <[email protected]>
> > Date: Tue, 10 Apr 2018 15:15:16 +0900
> > Subject: [PATCH] commoncap: Handle memory allocation failure.
> >
> > syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1],
> > for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when
> > memory allocation failed. Return -ENOMEM if memory allocation failed.
> >
> > [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107
>
> Acked-by: "Eric W. Biederman" <[email protected]>
>
> Tetsuo I can pick this up, or do you have preferred path for getting
> this change merged?
>

It can go via my tree if needed, but otherwise:


Acked-by: James Morris <[email protected]>


--
James Morris
<[email protected]>


2018-04-25 11:04:48

by Tetsuo Handa

[permalink] [raw]
Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity

OK. Patch was sent to linux.git as 1f5781725dcbb026.

#syz fix: commoncap: Handle memory allocation failure.