From: shankarapailoor
Date: Fri, 1 Jun 2018 21:06:49 -0700
Subject: Re: Slab out of bounds in setxattr
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org

Hi,

Looking at the crash some more, it seems that if value_len > PAGE_SIZE
then e_buf->max_size is rounded up to the nearest page size [1]. If a new
attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then
no new space is allocated for the attribute list [2] and this triggers
the KASAN slab out of bounds error. This is the case in the C repro I
provided.

1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501
2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723

On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote:
> Hi Dave et al,
>
> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN:
> slab-out-of-bounds in jfs_xattr.
>
> Attached are my kernel configs and a C reproducer. In the first
> setxattr call it appears that length is much larger than the name. In
> __jfs_setxattr, I don't see where the length is checked against the
> actual value length.
>
> Regards,
> Shankara Pailoor

--
Regards,
Shankara Pailoor
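As an added illustration (not code from this thread and not the kernel's fs/jfs/xattr.c), the size accounting the message describes can be reduced to a stand-alone C model: the buffer is obtained at the exact list size, while the bookkeeping value `max_size` is rounded up to a page, so a "do we need more room?" test that consults `max_size` can say no while the append still runs past the real allocation. The struct name `ea_buf_model`, the `MODEL_PAGE_SIZE` constant, the simplified `list + value` arithmetic (header and name bytes are ignored) and the "compare against the bytes actually allocated" variant are all assumptions of this illustration, chosen to show why a growth check must be measured against the same quantity that was passed to the allocator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustration-only constant; not the kernel's PAGE_SIZE definition. */
#define MODEL_PAGE_SIZE 4096u

/* Minimal stand-in for an EA buffer (hypothetical, for this model):
 * the bytes the allocator really returned vs. the size the growth
 * test believes is usable. */
struct ea_buf_model {
    size_t allocated; /* bytes actually obtained from the allocator */
    size_t max_size;  /* bookkeeping value consulted by the growth test */
};

static size_t round_up_to_page(size_t n)
{
    return (n + MODEL_PAGE_SIZE - 1) & ~(size_t)(MODEL_PAGE_SIZE - 1);
}

/* Models the situation the e-mail describes for a list larger than a
 * page: allocation at the exact list size, max_size rounded up. */
static struct ea_buf_model ea_get_model(size_t list_size)
{
    struct ea_buf_model b;
    b.allocated = list_size;
    b.max_size = round_up_to_page(list_size);
    return b;
}

/* Simulate appending value_len bytes to a list of list_size bytes.
 * Returns how many bytes the write would land past the real allocation
 * (0 means the write stays in bounds). If the chosen growth test asks
 * for more room, the model re-obtains the buffer at the needed size and
 * no overrun is possible. */
static size_t simulate_append(size_t list_size, size_t value_len,
                              bool compare_against_allocation)
{
    struct ea_buf_model b = ea_get_model(list_size);
    size_t needed = list_size + value_len;
    bool grow = compare_against_allocation ? needed > b.allocated
                                           : needed > b.max_size;
    if (grow)
        return 0; /* buffer grown to `needed` bytes: in bounds */
    return needed > b.allocated ? needed - b.allocated : 0;
}

int main(void)
{
    /* Constructed sample: a 5000-byte list (more than one page) plus a
     * 1000-byte value. max_size becomes 8192 while only 5000 bytes exist. */
    struct ea_buf_model b = ea_get_model(5000);
    printf("allocated=%zu max_size=%zu\n", b.allocated, b.max_size);
    printf("growth test on max_size : overrun by %zu bytes\n",
           simulate_append(5000, 1000, false));
    printf("growth test on allocated: overrun by %zu bytes\n",
           simulate_append(5000, 1000, true));
    return 0;
}
```

The model only reproduces the arithmetic, not any write; the point for a reviewer or fuzz-triage engineer is that any slack between the allocator's argument and the value later used as the buffer's limit is exactly the window KASAN reports as a slab out-of-bounds, and the check should be driven by the former.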