From: Walter Wu To: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Andrey Konovalov , Andrew Morton CC: , , , , wsd_upstream , , Walter Wu Subject: [PATCH] kasan: fix null pointer dereference in kasan_record_aux_stack Date: Mon, 28 Dec 2020 16:00:18 +0800 Message-ID: <20201228080018.23041-1-walter-zh.wu@mediatek.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 Content-Type: text/plain X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Syzbot reported the following [1]: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 2d993067 P4D 2d993067 PUD 19a3c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 3852 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events free_ipc RIP: 0010:kasan_record_aux_stack+0x77/0xb0 Add null checking slab object from kasan_get_alloc_meta() in order to avoid null pointer dereference. [1] https://syzkaller.appspot.com/x/log.txt?x=10a82a50d00000 Signed-off-by: Walter Wu Suggested-by: Dmitry Vyukov Cc: Andrey Ryabinin CC: Dmitry Vyukov CC: Andrey Konovalov Cc: Alexander Potapenko Cc: Andrew Morton --- mm/kasan/generic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index 1dd5a0f99372..5106b84b07d4 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -337,6 +337,8 @@ void kasan_record_aux_stack(void *addr) cache = page->slab_cache; object = nearest_obj(cache, page, addr); alloc_meta = kasan_get_alloc_meta(cache, object); + if (!alloc_meta) + return; alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0]; alloc_meta->aux_stack[0] = kasan_save_stack(GFP_NOWAIT); -- 2.18.0
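Review bot: the early return added after `alloc_meta = kasan_get_alloc_meta(cache, object);` stops the crash, but neither the hunk nor the commit message says why kasan_get_alloc_meta() can return NULL for an object reached from kasan_record_aux_stack(), or whether silently skipping aux-stack recording for such an object is the intended behaviour rather than a symptom of a cache that should have carried alloc metadata. Please state the root cause in the commit message (and add a Fixes: tag naming the change that made the NULL return possible, if there is one) so that `if (!alloc_meta) return;` reads as a deliberate decision instead of a blanket guard. The faulting address 0000000000000008 in the quoted oops is consistent with a NULL alloc_meta base plus a small field offset, so a sentence connecting the trace to the dereference `alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0];` would make the message self-explanatory. Minor: the trailers mix `Cc:` and `CC:`; use `Cc:` throughout.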