From: Or Cohen
Date: Mon, 4 Nov 2019 08:15:18 -0800
Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw
To: Nicolas Pitre
Cc: Greg KH, jslaby@suse.com, textshell@uchuujin.de, Daniel Vetter, sam@ravnborg.org, mpatocka@redhat.com, ghalat@redhat.com, linux-kernel@vger.kernel.org, jwilk@jwilk.net, Nadav Markus, syzkaller@googlegroups.com
References: <20191104152428.GA2252441@kroah.com>
List-ID: linux-kernel@vger.kernel.org

@gregkh@linuxfoundation.org @nico@fluxnic.net - Thanks for the quick response.

@gregkh@linuxfoundation.org - Regarding your question, I don't think the 1 byte buffer is related to the problem. (It was just there in the initial reproducer the fuzzer created, and I forgot to remove it while reducing code from the reproducer.) I think the problem is related to the huge size argument, which influences the initialization of "this_round".

On Mon, Nov 4, 2019 at 7:50 AM Nicolas Pitre wrote:
>
> On Mon, 4 Nov 2019, Greg KH wrote:
>
> > On Mon, Nov 04, 2019 at 04:39:55AM -0800, Or Cohen wrote:
> > > Hi,
> > > I discovered an OOB access bug using Syzkaller and decided to report it,
> > > as I could not find a similar report in syzkaller mailing list,
> > > syzkaller-bugs mailing list
> [...]
> >
> > I am at another conference at the moment and can't look at this much
> > now, will try to later this week...
>
> I'll look into it now.
>
>
> Nicolas