Bug 212693

Summary: CIFS: KASAN: out-of-bound memory access when calling smb3_notify() at mount point
Product: File System Reporter: Eugene Korenevsky (eugene)
Component: CIFSAssignee: fs_cifs (fs_cifs)
Status: ASSIGNED ---    
Severity: high CC: smfrench
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.12.0-rc7 Subsystem:
Regression: No Bisected commit-id:
Attachments: notify.c

Description Eugene Korenevsky 2021-04-16 07:16:42 UTC 
Created attachment 296403 [details]
notify.c

Kernel: git://git.samba.org/sfrench/cifs-2.6, commit c89698c5ea9212bc6673a7d89f3674940584e697
Kernel version: 5.12.0-rc7+

Steps to reproduce:

1. Compile the kernel with CONFIG_KASAN=y

2. Compile the test program

```
$ gcc notify.c -o /tmp/a.out
```

3. Run test program with superuser privileges at CIFS mountpoint:

```
$ cd `mount|grep cifs|head -n1|awk '{print $3}'`
$ sudo /tmp/a.out
CIFS_IOC_NOTIFY returned -1, errno:2
```

dmesg messages:

```
[   63.137757] ==================================================================
[   63.138849] BUG: KASAN: slab-out-of-bounds in cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.139831] Read of size 1 at addr ffff8880037e9000 by task a.out/229
[   63.140520]
[   63.140735] CPU: 0 PID: 229 Comm: a.out Not tainted 5.12.0-rc7+ #1
[   63.141244] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   63.142059] Call Trace:
[   63.142371]  dump_stack+0x89/0xb4
[   63.142748]  ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.143304]  print_address_description.constprop.8+0x1a/0x150
[   63.143840]  ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.144439]  ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.144938]  kasan_report.cold.13+0x7f/0x111
[   63.145328]  ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.146602]  cifs_convert_path_to_utf16+0x8a/0x130 [cifs]
[   63.147224]  ? smb2_check_message+0x580/0x580 [cifs]
[   63.147705]  ? build_path_from_dentry_optional_prefix+0x119/0x240 [cifs]
[   63.148333]  smb3_notify+0x1a0/0x2d0 [cifs]
[   63.148737]  ? smb3_downgrade_oplock+0xf0/0xf0 [cifs]
[   63.149202]  ? kasan_save_stack+0x19/0x40
[   63.149644]  ? __kasan_kmalloc+0x70/0xa0
[   63.150062]  ? kasan_set_free_info+0x20/0x30
[   63.150448]  ? avc_ss_reset+0xa0/0xa0
[   63.150817]  ? do_syscall_64+0x33/0x40
[   63.151322]  ? trace_page_fault_kernel+0x80/0x80
[   63.151785]  ? next_uptodate_page+0x3a0/0x3a0
[   63.152149]  ? restore_nameidata+0x76/0xa0
[   63.152824]  ? do_filp_open+0x13e/0x1b0
[   63.153957]  ? cifs_sb_tlink+0x1e4/0xc70 [cifs]
[   63.154589]  ? _raw_read_lock_irq+0x30/0x30
[   63.154949]  cifs_ioctl+0xadf/0xf80 [cifs]
[   63.155483]  ? cifs_readdir+0xba0/0xba0 [cifs]
[   63.156038]  ? do_vfs_ioctl+0xf7/0x890
[   63.156468]  ? ioctl_file_clone+0xd0/0xd0
[   63.156814]  ? selinux_file_ioctl+0x2b2/0x360
[   63.157184]  ? selinux_capable+0x20/0x20
[   63.157560]  ? do_sys_openat2+0x25b/0x410
[   63.157935]  ? file_open_root+0x220/0x220
[   63.158423]  ? do_user_addr_fault+0x3ac/0x870
[   63.158826]  __x64_sys_ioctl+0xb5/0xf0
[   63.159269]  do_syscall_64+0x33/0x40
[   63.159695]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   63.160241] RIP: 0033:0x7f18331463c7
[   63.160720] Code: c0 75 b5 49 8d 3c 1c e8 17 ff ff ff 85 c0 78 b6 4c 89 e0 5b 5d 41 5c c3 66 2e 0f 1f 84 00 00 00 00 00 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 0c 00 f7 d8 64 89 01 48
[   63.162309] RSP: 002b:00007ffd8319d278 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   63.163009] RAX: ffffffffffffffda RBX: 000055d325601220 RCX: 00007f18331463c7
[   63.164076] RDX: 00007ffd8319d283 RSI: 000000004005cf09 RDI: 0000000000000003
[   63.164870] RBP: 00007ffd8319d290 R08: 0000000000000000 R09: 00007f1833227e70
[   63.165552] R10: 00007f1833235120 R11: 0000000000000206 R12: 000055d3256010a0
[   63.166318] R13: 00007ffd8319d380 R14: 0000000000000000 R15: 0000000000000000
[   63.166924]
[   63.167119] Allocated by task 229:
[   63.169326]  kasan_save_stack+0x19/0x40
[   63.169957]  __kasan_slab_alloc+0x5b/0x70
[   63.170482]  kmem_cache_alloc+0xbb/0x1c0
[   63.171104]  smb3_notify+0xe9/0x2d0 [cifs]
[   63.171636]  cifs_ioctl+0xadf/0xf80 [cifs]
[   63.172091]  __x64_sys_ioctl+0xb5/0xf0
[   63.172577]  do_syscall_64+0x33/0x40
[   63.173296]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   63.174003]
[   63.174253] The buggy address belongs to the object at ffff8880037e8000
[   63.174253]  which belongs to the cache names_cache of size 4096
[   63.176299] The buggy address is located 0 bytes to the right of
[   63.176299]  4096-byte region [ffff8880037e8000, ffff8880037e9000)
[   63.177700] The buggy address belongs to the page:
[   63.178256] page:0000000074828ba6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37e8
[   63.180977] head:0000000074828ba6 order:3 compound_mapcount:0 compound_pincount:0
[   63.181790] flags: 0x100000000010200(slab|head)
[   63.182204] raw: 0100000000010200 dead000000000100 dead000000000122 ffff8880011358c0
[   63.183158] raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
[   63.183934] page dumped because: kasan: bad access detected
[   63.184695]
[   63.184897] Memory state around the buggy address:
[   63.185511]  ffff8880037e8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   63.186130]  ffff8880037e8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   63.186850] >ffff8880037e9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.187457]                    ^
[   63.187766]  ffff8880037e9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.188606]  ffff8880037e9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.189744] ==================================================================
[   63.190445] Disabling lock debugging due to kernel taint
```
Comment 1 Steve French 2021-04-18 01:58:51 UTC 
Patch merged into cifs-2.6.git for-next and marked for cc: stable