Subject: Re: kasan behavior when built with unsupported compiler
From: Andrey Ryabinin
To: Nikolay Borisov, Dmitry Vyukov
CC: Alexander Potapenko, LKML, kasan-dev, Kees Cook
Date: Thu, 9 Mar 2017 12:46:01 +0300
Message-ID: <95bc2575-b62b-73e5-2324-d02289d92867@virtuozzo.com>
In-Reply-To: <9ebf6262-fd9e-5b58-4039-b0004623493a@gmail.com>
References: <1eb0b1ba-3847-9bdc-8f4a-adcd34de3486@gmail.com> <9ebf6262-fd9e-5b58-4039-b0004623493a@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/08/2017 11:10 AM, Nikolay Borisov wrote:
>
> So apparently this is indeed a false positive, resulting from using the old
> compiler. I used the attached patch to verify it.
>
> And what it prints is:
> [ 17.184288] Assigned fbdev-blacklist.conff(ffff880001ea8020)20 whole object: ffff88006ae8fdb0 inode:ffff88006bff60d0
> [ 17.185808] Calling filldir with ffff88006ae8fdb0
>
> So the first line essentially happens when the object ffff88006ae8fdb0 is
> being allocated and the second when it's used in filldir. The warning in
> ext4_ext_map_blocks doesn't trigger. However, if I remove the check for
> the value of ext4_global_pointer then I see multiple lines such as:
> [ 17.386283] ext4_ext_map_blocks:freeing pointer used in ext4_htree_store_dirent: ffff88006ae8fdb0 inode: ffff88006bff60d0
> [ 17.387601] Assigned fbdev-blacklist.conff(ffff880001eb3020)20 whole object: ffff88006ae8fdb0 inode:ffff88006bff60d0
> [ 17.388740] Calling filldir with ffff88006ae8fdb0
>
> so that same object was used right before it is allocated again in
> ext4_htree_store_dirent.
> And when you think about it, it is logical since
> before filling in the dentry names in ext4_htree_store_dirent ext4 has to fetch the
> contents of the directory from disk.
>
> This leads me to believe that kasan is getting confused thinking that
> the object is being freed

As I said before, this is *not* a use-after-free. It's an out-of-bounds access.
No, kasan is not confused; it doesn't think that the object is freed.
The object is allocated and kasan sees it as an allocated object.
The problem is that filldir reads past the end of that allocated object.
I don't see any sign that it's a false positive.

> AFTER being allocated in
> ext4_htree_store_dirent but testing shows it's being freed BEFORE. So
> I deem this a false positive, triggered by the compiler.
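As an added illustration (not part of the thread, and not kernel code), the following toy model of KASAN's shadow bytes shows why a read one byte past the end of a still-allocated object is reported as out-of-bounds rather than use-after-free: the object's own shadow is 0 (accessible), the bytes after it carry the redzone poison, and only kfree() rewrites the object's shadow to the freed poison. The names toy_kmalloc, toy_kfree, toy_check and read_after_alloc are invented here; the two poison values are the ones KASAN defines in mm/kasan/kasan.h, and the one-shadow-byte-per-data-byte layout is a simplification of KASAN's 8-byte granules.

```c
/* Toy model of KASAN shadow memory, added to show why the report above is an
 * out-of-bounds read, not a use-after-free.  One shadow byte per data byte
 * (real KASAN: one per 8-byte granule); poison values as in mm/kasan/kasan.h. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KASAN_KMALLOC_REDZONE 0xFC   /* padding after a live object */
#define KASAN_KMALLOC_FREE    0xFB   /* object has been kfree()d   */
#define POOL_SIZE 64
static uint8_t pool[POOL_SIZE];   /* stands in for a slab page */
static uint8_t shadow[POOL_SIZE]; /* one shadow byte per pool byte */
static size_t  cur_size;          /* size of the single live object */

/* Hand out one object at pool[0]; the bytes after it become redzone. */
static uint8_t *toy_kmalloc(size_t size)
{
    if (size == 0 || size > POOL_SIZE) return NULL;
    cur_size = size;
    memset(shadow, 0, size);                 /* 0 == fully accessible */
    memset(shadow + size, KASAN_KMALLOC_REDZONE, POOL_SIZE - size);
    return pool;
}

/* kfree(): the object's own bytes are now poisoned as freed. */
static void toy_kfree(uint8_t *p)
{
    if (p == pool) memset(shadow, KASAN_KMALLOC_FREE, cur_size);
}

/* Classify a 1-byte access the way a KASAN report would name it. */
static const char *toy_check(const uint8_t *p)
{
    ptrdiff_t off = p - pool;
    if (off < 0 || off >= POOL_SIZE) return "wild-access";
    switch (shadow[off]) {
    case 0:                     return "ok";
    case KASAN_KMALLOC_REDZONE: return "slab-out-of-bounds";
    case KASAN_KMALLOC_FREE:    return "use-after-free";
    default:                    return "unknown-poison";
    }
}

/* Allocate a dirent-sized object and read at `offset`.  While the object is
 * live, offset == objsize lands in the redzone (the OOB case in the thread);
 * only after kfree() does a read inside the object report use-after-free. */
static const char *read_after_alloc(size_t objsize, size_t offset, int freed)
{
    uint8_t *obj = toy_kmalloc(objsize);
    if (!obj) return "alloc-failed";
    if (freed) toy_kfree(obj);
    return toy_check(obj + offset);
}
```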