Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754348AbbBTKOy (ORCPT <rfc822;w@1wt.eu>);
	Fri, 20 Feb 2015 05:14:54 -0500
Received: from aserp1040.oracle.com ([141.146.126.69]:36044 "EHLO
	aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753992AbbBTKOw (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 20 Feb 2015 05:14:52 -0500
Message-ID: <54E708F3.9080404@oracle.com>
Date: Fri, 20 Feb 2015 05:14:11 -0500
From: Sasha Levin <sasha.levin@oracle.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Andrew Morton <akpm@linux-foundation.org>, fabf@skynet.be,
        saproj@gmail.com, Al Viro <viro@ZenIV.linux.org.uk>
CC: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>, Dave Jones <davej@redhat.com>,
        Andrey Ryabinin <a.ryabinin@samsung.com>
Subject: fs: hfsplus: use after free in
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 5612
Lines: 93

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel, I've stumbled on the following spew:

[ 2014.561050] BUG: KASan: use after free in memcpy+0x21/0x50 at addr ffff880ff138afee
[ 2014.561050] Read of size 4 by task trinity-main/10201
[ 2014.561050] page:ffffea003fc4e280 count:0 mapcount:0 mapping:          (null) index:0x2
[ 2014.561050] flags: 0xcafffff80000000()
[ 2014.561050] page dumped because: kasan: bad access detected
[ 2014.561050] CPU: 23 PID: 10201 Comm: trinity-main Not tainted 3.19.0-next-20150219-sasha-00045-g9130270f #1939
[ 2014.561050]  ffff880ff138afee 000000002e9b0643 ffff8803023cf0f8 ffffffffa2b40d3a
[ 2014.561050]  1ffffd4007f89c57 ffff8803023cf188 ffff8803023cf178 ffffffff987648f4
[ 2014.561050]  ffff8803023c0d52 ffff8803023c0000 0000000000000282 ffff8803023c0ce0
[ 2014.561050] Call Trace:
[ 2014.561050] dump_stack (lib/dump_stack.c:52)
[ 2014.561050] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[ 2014.561050] kasan_report (mm/kasan/report.c:230)
[ 2014.561050] ? memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] __asan_loadN (mm/kasan/kasan.c:477)
[ 2014.561050] ? __might_sleep (kernel/sched/core.c:7356 (discriminator 14))
[ 2014.561050] memcpy (mm/kasan/kasan.c:283)
[ 2014.561050] hfsplus_bnode_read (fs/hfsplus/bnode.c:34)
[ 2014.561050] hfsplus_brec_lenoff (fs/hfsplus/brec.c:26)
[ 2014.561050] ? __lock_is_held (kernel/locking/lockdep.c:3518)
[ 2014.561050] ? hfs_btree_inc_height (fs/hfsplus/brec.c:20)
[ 2014.561050] ? hfsplus_brec_remove (fs/hfsplus/bfind.c:96)
[ 2014.561050] __hfsplus_brec_find (fs/hfsplus/bfind.c:130)
[ 2014.561050] ? hfs_find_1st_rec_by_cnid (fs/hfsplus/bfind.c:115)
[ 2014.561050] ? hfsplus_bnode_find (./arch/x86/include/asm/bitops.h:311 fs/hfsplus/bnode.c:494)
[ 2014.561050] ? _atomic_dec_and_lock (./arch/x86/include/asm/atomic.h:118 lib/dec_and_lock.c:28)
[ 2014.561050] ? hfsplus_bnode_put (fs/hfsplus/bnode.c:483)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? hfsplus_bnode_put (fs/hfsplus/bnode.c:657)
[ 2014.561050] hfsplus_brec_find (fs/hfsplus/bfind.c:196)
[ 2014.561050] ? hfsplus_brec_remove (fs/hfsplus/bfind.c:96)
[ 2014.561050] ? __hfsplus_brec_find (fs/hfsplus/bfind.c:166)
[ 2014.561050] ? kasan_kmalloc (mm/kasan/kasan.c:354)
[ 2014.561050] ? __kmalloc (mm/slub.c:3325)
[ 2014.561050] ? each_symbol_section (kernel/module.c:3810)
[ 2014.561050] hfsplus_brec_read (fs/hfsplus/bfind.c:224)
[ 2014.561050] hfsplus_lookup (fs/hfsplus/dir.c:53)
[ 2014.561050] ? hfsplus_link (fs/hfsplus/dir.c:32)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? __lock_acquire (kernel/locking/lockdep.c:2019 kernel/locking/lockdep.c:3184)
[ 2014.561050] ? __d_alloc (fs/dcache.c:1525)
[ 2014.561050] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? mark_held_locks (kernel/locking/lockdep.c:2525)
[ 2014.561050] ? lockdep_init_map (kernel/locking/lockdep.c:2986)
[ 2014.561050] ? d_alloc (fs/dcache.c:769 fs/dcache.c:1601)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? d_alloc (fs/dcache.c:1607)
[ 2014.561050] ? vfs_rename (fs/namei.c:1405)
[ 2014.561050] lookup_real (fs/namei.c:1377)
[ 2014.561050] do_last (fs/namei.c:2875 fs/namei.c:2987)
[ 2014.561050] ? complete_walk (fs/namei.c:1775)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? path_init (fs/namei.c:2921)
[ 2014.561050] ? path_init (fs/namei.c:1953)
[ 2014.561050] ? path_init (fs/namei.c:1933)
[ 2014.561050] ? __mutex_init (kernel/locking/mutex.c:61)
[ 2014.561050] path_openat (fs/namei.c:3236)
[ 2014.561050] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:77 include/linux/spinlock_api_smp.h:154 kernel/locking/spinlock.c:183)
[ 2014.561050] ? filename_create (fs/namei.c:3215)
[ 2014.561050] ? getname_flags (fs/namei.c:136)
[ 2014.561050] ? set_track (mm/slub.c:530)
[ 2014.561050] ? __slab_alloc (mm/slub.c:2413 (discriminator 2))
[ 2014.561050] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2554 kernel/locking/lockdep.c:2601)
[ 2014.561050] do_filp_open (fs/namei.c:3283)
[ 2014.561050] ? user_path_mountpoint_at (fs/namei.c:3277)
[ 2014.561050] ? __alloc_fd (fs/file.c:501)
[ 2014.561050] do_sys_open (fs/open.c:1013)
[ 2014.561050] ? filp_open (fs/open.c:999)
[ 2014.561050] ? syscall_trace_enter_phase2 (arch/x86/kernel/ptrace.c:1598)
[ 2014.561050] SyS_openat (fs/open.c:1034)
[ 2014.561050] tracesys_phase2 (arch/x86/kernel/entry_64.S:422)
[ 2014.561050] Memory state around the buggy address:
[ 2014.561050]  ffff880ff138ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]  ffff880ff138af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050] >ffff880ff138af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]                                                           ^
[ 2014.561050]  ffff880ff138b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2014.561050]  ffff880ff138b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/