Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2349714ybf;
        Mon, 2 Mar 2020 06:58:36 -0800 (PST)
X-Google-Smtp-Source: APXvYqxTC8krGVsJhgQVQuf9O6Nz5lIbhRc82JCcriz1qCtlaBiHBSG+IDk2OL1qzB+v04sEq5/i
X-Received: by 2002:a9d:6a4f:: with SMTP id h15mr13592983otn.86.1583161115711;
        Mon, 02 Mar 2020 06:58:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583161115; cv=none;
        d=google.com; s=arc-20160816;
        b=tRm3AN143tbc5WEm0WVEmczxDyDuXd+QuzZfjbi6J+sVDKHnJOTKz20yB55h4UExgQ
         nku7/GrgGkU/R+QdpH8wTgmLgRVJzTZ/S6Qb24HqwP5uDtlBaLXy7dnT/pfjDsF4t/vD
         ehYzma4taIO6uff4uS+jx7h+mkkFEs0oMyAKO+U7632XBK7dNFqes6+DBNw/QuZ5rYcx
         LJutEyotyv1wcxNxIGJfSMWu/XaAMbbO5Hi3ALd6t4CjJbiztgXxeEiO2lmPv0psSIb0
         yb8LJA8O3Q7SzofUB5YUEOy3k2uLfi83V16RFkFWOI3HXbOg5rMP3o1dbXVUVZOInXJb
         ayDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=+12d+baUufNFOtbrxNu5ULU097qWdzx/LbKAvXyts3U=;
        b=xEq1AiGXUxCkEt/SK4RjEEYvF7aS9MC7rOdGIKFPHGQKwXNqgONiyS9Ff/w8VfeF00
         QoMK47LvoyJgHiFIxS8x7U64mv+FB3ngi0RTFnTGO9PlyFhT8fzrzke1LpJ5aQVVgD+4
         PrNcFRvdghGEwOsAJYD78lW1fx09mZfDuCiZPHXbNrY2cLSexZ3q/D/b5pEGmhSnd9bu
         J5o8tUVZX/HXowLMqHoy+HkSudAy9NQsaue05HgnlXYB3Ge9i/qJmcer0krWlIztvfTg
         QUOKznOkXm0oQRQnQuZo0P0yAadnjAajsIXWNvB2kzWvWAsUku//a9TePeTIHDaqUo7J
         +5Fw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lw190SWS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e14si5701975otk.89.2020.03.02.06.58.23;
        Mon, 02 Mar 2020 06:58:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lw190SWS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727113AbgCBO56 (ORCPT <rfc822;dexuan.linux@gmail.com>
        + 99 others); Mon, 2 Mar 2020 09:57:58 -0500
Received: from mail-qt1-f193.google.com ([209.85.160.193]:43825 "EHLO
        mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726997AbgCBO56 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 2 Mar 2020 09:57:58 -0500
Received: by mail-qt1-f193.google.com with SMTP id v22so81659qtp.10
        for <linux-kernel@vger.kernel.org>; Mon, 02 Mar 2020 06:57:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=+12d+baUufNFOtbrxNu5ULU097qWdzx/LbKAvXyts3U=;
        b=lw190SWS7FliZNcCsP+XIdcY2cyYcgRI0ZRukiujnC6dTpTnP4vV1Sm5wGbvWsp/u1
         OZIf+bFbEC3q1cdOsEYyPa9K31kRYKo/S+ewl4Zn+LE4J+hcXUaqM9Kvf89YP8qo2fMJ
         9zJBRoWfo6DV65sRXeHGtBHjwkkw5XOvKLdCPX+hhciJIDx91yGIyMoQGu6bwNxNTkYC
         bM7qypwcg6DbSnxjdsrFRcyj8NrS4m4S2baXfPx3sth0nF44dP0HQUx8MEc6et4Ws3hF
         CUbStSHXhHtgP6wIChBQvj21zxjuSoXPVs0SGbmA719F0qalW7SFqdlWjknTK5GUmslT
         7gtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=+12d+baUufNFOtbrxNu5ULU097qWdzx/LbKAvXyts3U=;
        b=YoH0r6E/bGa8cGLjGfm+W3ZoeFiCGKZxhL9dnT7TsJ4gd5zXpvQfTiQUfjxbk2tYnY
         CoAtibBSV/R18O49n81FuI6tbYDt+ioFGCX0W/vHV7HZSBBtT2xVbe1YN1nzsRCr/zgF
         kIWBOjl8ZsQWXzhmJtpnXXmrxIYCQW7hYi7OQXEZGgkTPr07xg77dLW9cS+lAAfzAEiZ
         C3XOY+jfSylWr4vvN6Rw3pypfJn8wTO7uVzrl9kpDpd9LX7a3IY2E9okoEsqSpBgp9Vk
         UL3JtY5zDs2c47QTPdPD0eWa0SfloGti4pEtEeYB4QhH7GslSnXPSG+yVAkTyaiOcxi0
         tBEg==
X-Gm-Message-State: ANhLgQ0GljBHWYz1u4aDm3Uj7lJnt/OC9nsNrw7ILrA1Ou0oGckH8Dvs
        5HsNfZNDTsyTll50TMjg44RtE1mdD+Tyfvj+ue0Tog==
X-Received: by 2002:ac8:1846:: with SMTP id n6mr76025qtk.257.1583161076404;
 Mon, 02 Mar 2020 06:57:56 -0800 (PST)
MIME-Version: 1.0
References: <000000000000d3e319059fcfdc98@google.com> <CAOQ4uxh=tLw1p8vsbzTTqrTzLSqr33WtVHek+Jhbi5C2HKQLTA@mail.gmail.com>
 <CACT4Y+YBOm-VeHXuRnk4mLgwsEMx2MYrOnQ-FJpBjg5dDU_YzQ@mail.gmail.com>
 <CAOQ4uxh=3XWOfKAJMeJBrsfouLEDo3oqTNoYBMZ2f46mVRigvA@mail.gmail.com>
 <CACT4Y+aBvofv8AQqiWr7M77FODSUqruMMoVcHHA5ROfv5VN7tw@mail.gmail.com> <CAOQ4uxhTAR0-evX0DHdvF9BhHwgC8dU-532FyUiSCqcfujfiKA@mail.gmail.com>
In-Reply-To: <CAOQ4uxhTAR0-evX0DHdvF9BhHwgC8dU-532FyUiSCqcfujfiKA@mail.gmail.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Mon, 2 Mar 2020 15:57:45 +0100
Message-ID: <CACT4Y+bLxavqe7e1+P7YXRdTaRCMePb_JMDGEjPkUkNNxdzcKg@mail.gmail.com>
Subject: Re: WARNING: bad unlock balance in ovl_llseek
To:     Amir Goldstein <amir73il@gmail.com>
Cc:     syzbot <syzbot+66a9752fa927f745385e@syzkaller.appspotmail.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        overlayfs <linux-unionfs@vger.kernel.org>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Miklos Szeredi <mszeredi@redhat.com>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 2, 2020 at 2:24 PM Amir Goldstein <amir73il@gmail.com> wrote:
> > > > > On Sun, Mar 1, 2020 at 9:13 PM syzbot
> > > > > <syzbot+66a9752fa927f745385e@syzkaller.appspotmail.com> wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    f8788d86 Linux 5.6-rc3
> > > > > > git tree:       upstream
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13c5f8f9e00000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=5d2e033af114153f
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=66a9752fa927f745385e
> > > > > > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=131d9a81e00000
> > > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14117a81e00000
> > > > > >
> > > > >
> > > > > Dmitry,
> > > > >
> > > > > There is something strange about the C repro.
> > > > > It passes an invalid address for the first arg of mount syscall:
> > > > >
> > > > >     syscall(__NR_mount, 0x400000ul, 0x20000000ul, 0x20000080ul, 0ul,
> > > > >             0x20000100ul);
> > > > >
> > > > > With this address mount syscall returns -EFAULT on my system.
> > > > > I fixed this manually, but repro did not trigger the reported bug on my system.
> > > >
> > > > Hi Amir,
> > > >
> > > > This is not strange in the context of fuzzer, it's goal is to pass
> > > > random data. Generally if it says 0x400000ul, that's what it is, don't
> > > > fix it, or you are running a different program that may not reproduce
> > > > the bug. If syzbot attaches a reproducer, the bug was triggered by
> > > > precisely this program.
> > > >
> > >
> > > What's strange it that a bug in overlay code cannot be triggered if overlay
> > > isn't mounted and as it is the repro couldn't mount overlayfs at all, at
> > > lease with my kernel config.
> >
> > Can it depend on kernel config? The bug was triggered by the program
> > provided somehow.
>
> I am not sure. I do not have CONFIG_HARDENED_USERCOPY set.
>
> >
> > Separate question: why is it failing? Isn't src unused for overlayfs?
> > Where/how does vfs code look at src?
> >
>
> SYSCALL_DEFINE5(mount, ...
> copy_mount_string(dev_name)
> strndup_user()
> memdup_user()
> copy_from_user()
>
> Not in overlayfs code.
> Actually, the source (dev) is not used by overlayfs but is visible at
> /proc/mounts.

Oh, I see, this is another instance of "fuzzer fun".

In the descriptions we define src argument as const 0. And const 0 is
fine and is accepted by copy_mount_string (it has a check for NULL).
Generally fuzzer does not try to change values specified as const, but
sometimes it does. So I guess it happened so that address 0x400000ul
is mapped onto the executable and contained something that resembles a
null-terminated string so that copy_mount_string did not fail (but
otherwise that string does not matter much for overlayfs). But in your
binary 0x400000ul did not contain an addressable null-terminated
string and mount failed.
Additionally we don't attempt changing const value back to the default
value during crash mimization/simplification process:
https://github.com/google/syzkaller/blob/4a4e0509de520c7139ca2b5606712cbadc550db2/prog/minimization.go#L202-L206
because it was deemed too expensive (for each attempt we need a
freshly booted and clean machine) and not important enough (just a
single arg value and does not increase "systematic complexity" of the
repro).

All of this has combined into the effect we see here... I am not sure
what's the action item here...

FWIW fuzzer-found will always be more expensive to debug and deal with
for a very long tail of various reasons. Unit tests don't have this
problem. If only we had a comprehensive test coverage for kernel, we
would not need to deal with so many fuzzer-found bugs... ;)