Subject: Re: KASAN: global-out-of-bounds Write in string
From: Tetsuo Handa
To: dhowells@redhat.com, reiserfs-devel@vger.kernel.org
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Date: Thu, 5 Apr 2018 20:02:06 +0900
In-Reply-To: <000000000000b696800568f4a6c6@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018/04/04 2:01, syzbot wrote:
> BUG: KASAN: global-out-of-bounds in string+0x1cb/0x200 lib/vsprintf.c:598
> Write of size 1 at addr ffffffff89e166a0 by task syz-executor0/4522
>
> CPU: 1 PID: 4522 Comm: syz-executor0 Not tainted 4.16.0+ #12
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x1a7/0x27d lib/dump_stack.c:53
>  print_address_description+0x178/0x250 mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report+0x23c/0x360 mm/kasan/report.c:412
>  __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
>  string+0x1cb/0x200 lib/vsprintf.c:598
>  vsnprintf+0x863/0x1900 lib/vsprintf.c:2282
>  vsprintf+0x2a/0x40 lib/vsprintf.c:2462
>  prepare_error_buf+0x1d2/0x1820 fs/reiserfs/prints.c:240
>  __reiserfs_warning+0xc8/0x1a0 fs/reiserfs/prints.c:267
>  reiserfs_getopt fs/reiserfs/super.c:1044 [inline]
>  reiserfs_parse_options+0x11e5/0x24e0 fs/reiserfs/super.c:1194
>  reiserfs_fill_super+0x520/0x33a0 fs/reiserfs/super.c:1946
> The buggy address belongs to the variable:
>  error_buf+0x400/0x420

I guess this is a buffer overflow bug due to

  static char error_buf[1024];
  char *p = error_buf;
  vsprintf(p, fmt1, args);

at prepare_error_buf(). Need to check available bytes.
>
> Memory state around the buggy address:
>  ffffffff89e16580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffffffff89e16600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffffffff89e16680: 00 00 00 00 fa fa fa fa 04 fa fa fa fa fa fa fa
>                                ^
>  ffffffff89e16700: 00 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
>  ffffffff89e16780: 00 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
> ==================================================================
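
The "check available bytes" point from the reply above, as an added example that is not part of the original message and is neither the reiserfs code nor its fix: userspace C that formats into a 1024-byte buffer with vsnprintf() and the remaining room, so oversized input is truncated instead of written past the end. The names eb, bounded_append, format_long_option and redzone_intact, the redzone bytes and the sample format strings are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERROR_BUF_SIZE 1024  /* same size as the error_buf quoted above */
/* Userspace stand-in: these bytes play the role of KASAN's redzone. */
static struct {
    char buf[ERROR_BUF_SIZE];
    unsigned char redzone[8];
} eb;

/* Hypothetical helper: append at offset `used`, never writing past eb.buf.
 * Returns the new offset, capped at ERROR_BUF_SIZE - 1 on truncation. */
static size_t bounded_append(size_t used, const char *fmt, ...)
{
    va_list args;
    size_t room;
    int n;
    if (used >= ERROR_BUF_SIZE - 1)
        return ERROR_BUF_SIZE - 1;      /* full: keep the terminating NUL */
    room = ERROR_BUF_SIZE - used;       /* bytes left, NUL included */
    va_start(args, fmt);
    n = vsnprintf(eb.buf + used, room, fmt, args);
    va_end(args);
    if (n < 0) {                        /* output error: append nothing */
        eb.buf[used] = '\0';
        return used;
    }
    return (size_t)n >= room ? ERROR_BUF_SIZE - 1 : used + (size_t)n;
}

/* Constructed input: format a string of option_len bytes plus a suffix. */
static size_t format_long_option(size_t option_len)
{
    static char option[4096];
    size_t used;
    if (option_len >= sizeof(option))
        option_len = sizeof(option) - 1;
    memset(option, 'A', option_len);
    option[option_len] = '\0';
    memset(eb.redzone, 0xfa, sizeof(eb.redzone));
    used = bounded_append(0, "bad value \"%s\" ", option);
    return bounded_append(used, "for option \"%s\"", "example");
}

static int redzone_intact(void)
{
    return memcmp(eb.redzone, "\xfa\xfa\xfa\xfa\xfa\xfa\xfa\xfa", 8) == 0;
}
```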