Subject: [PATCH v2] libnvdimm: KASAN: global-out-of-bounds Read in internal_create_group
Date: Wed, 12 Aug 2020 16:55:01 +0800
Message-ID: <20200812085501.30963-1-qiang.zhang@windriver.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zqiang

Because the last member of the "nvdimm_firmware_attributes" array was not
assigned a null ptr, traversal of the "grp->attrs" array goes out of bounds
in the "create_files" func.

func:
create_files:
	->for (i = 0, attr = grp->attrs; *attr && !error; i++, attr++)
		->....

BUG: KASAN: global-out-of-bounds in create_files fs/sysfs/group.c:43 [inline]
BUG: KASAN: global-out-of-bounds in internal_create_group+0x9d8/0xb20 fs/sysfs/group.c:149
Read of size 8 at addr ffffffff8a2e4cf0 by task kworker/u17:10/959

CPU: 2 PID: 959 Comm: kworker/u17:10 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound async_run_entry_fn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 create_files fs/sysfs/group.c:43 [inline]
 internal_create_group+0x9d8/0xb20 fs/sysfs/group.c:149
 internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:189
 internal_create_groups fs/sysfs/group.c:185 [inline]
 sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:215
 device_add_groups drivers/base/core.c:2024 [inline]
 device_add_attrs drivers/base/core.c:2178 [inline]
 device_add+0x7fd/0x1c40 drivers/base/core.c:2881
 nd_async_device_register+0x12/0x80 drivers/nvdimm/bus.c:506
 async_run_entry_fn+0x121/0x530 kernel/async.c:123
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the variable:
 nvdimm_firmware_attributes+0x10/0x40

Reported-by: syzbot+1cf0ffe61aecf46f588f@syzkaller.appspotmail.com
Signed-off-by: Zqiang --- v1->v2: Modify the description of the error. drivers/nvdimm/dimm_devs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvdimm/dimm_devs.c b/drivers/nvdimm/dimm_devs.c index 61374def5155..b59032e0859b 100644 --- a/drivers/nvdimm/dimm_devs.c +++ b/drivers/nvdimm/dimm_devs.c @@ -529,6 +529,7 @@ static DEVICE_ATTR_ADMIN_RW(activate); static struct attribute *nvdimm_firmware_attributes[] = { &dev_attr_activate.attr, &dev_attr_result.attr, + NULL, }; static umode_t nvdimm_firmware_visible(struct kobject *kobj, struct attribute *a, int n) -- 2.17.1
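
Review bot: The commit message for the nvdimm_firmware_attributes[] hunk lacks a Fixes: tag naming the commit that introduced the array without its terminator; add one so the affected kernels can be identified. The subject line names the KASAN symptom rather than the change, so something like "libnvdimm: NULL-terminate nvdimm_firmware_attributes" would read better in the log. On the added line itself, consider writing the sentinel as NULL without the trailing comma, so that an entry appended after it by mistake fails to compile instead of being silently skipped by the "*attr" loop in create_files.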