KASAN: null-ptr-deref Read in filemap_fault

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1QmELMwhyVxAejCYF8VHxvAsExK6GtR8F/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Qfns0v9ZZO6kge192F5wUzyFRcM0lHYU/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

BUG: KASAN: null-ptr-deref in filemap_fault+0x538/0x2500
Read of size 4 at addr 0000000000000028 by task syz-executor.2/5967

CPU: 5 PID: 5967 Comm: syz-executor.2 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x178/0x260
 kasan_report+0xc0/0xf0
 kasan_check_range+0x144/0x190
 filemap_fault+0x538/0x2500
 __do_fault+0x103/0x3d0
 do_fault+0x68a/0x11c0
 __handle_mm_fault+0x106f/0x2660
 handle_mm_fault+0x1ab/0xa90
 do_user_addr_fault+0x583/0x12e0
 exc_page_fault+0xb6/0x1d0
 asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297

RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
 </TASK>
==================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 5 PID: 5967 Comm: syz-executor.2 Tainted: G    B              6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS:  0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 __do_fault+0x103/0x3d0
 do_fault+0x68a/0x11c0
 __handle_mm_fault+0x106f/0x2660
 handle_mm_fault+0x1ab/0xa90
 do_user_addr_fault+0x583/0x12e0
 exc_page_fault+0xb6/0x1d0
 asm_exc_page_fault+0x26/0x30
RIP: 0033:0x7f6be40bc12c
Code: Unable to access opcode bytes at 0x7f6be40bc102.
RSP: 002b:00007ffc198c1350 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000001601 RCX: 00007f6be40bc11f
RDX: 00007ffc198c13d0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffc198c13d0
R13: 0000000000000000 R14: 00007ffc198c144c R15: 0000000000000032
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_fault+0x549/0x2500
Code: 00 00 e8 8a be d3 ff 49 8d 5c 24 34 be 04 00 00 00 48 89 df e8 98 08 23 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b
RSP: 0018:ffffc9000b457b70 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000028 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff81d1bdb1 RDI: 0000000000000007
RBP: 00000000000000ac R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 74206c656e72656b R12: fffffffffffffff4
R13: ffff88810d9b34c0 R14: 0000000000000008 R15: 0000000000000001
FS:  0000555556b73980(0000) GS:ffff88811a280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6be40bc102 CR3: 0000000055006000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   e8 8a be d3 ff          call   0xffd3be91
   7:   49 8d 5c 24 34          lea    0x34(%r12),%rbx
   c:   be 04 00 00 00          mov    $0x4,%esi
  11:   48 89 df                mov    %rbx,%rdi
  14:   e8 98 08 23 00          call   0x2308b1
  19:   48 89 da                mov    %rbx,%rdx
  1c:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  23:   fc ff df
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:   48 89 d8                mov    %rbx,%rax
  31:   83 e0 07                and    $0x7,%eax
  34:   83 c0 03                add    $0x3,%eax
  37:   38 d0                   cmp    %dl,%al
  39:   7c 08                   jl     0x43
  3b:   84 d2                   test   %dl,%dl
  3d:   0f                      .byte 0xf
  3e:   85                      .byte 0x85
  3f:   7b                      .byte 0x7b
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux