Bug 200019 - BUG: KASAN: slab-out-of-bounds in predicate_parse kernel/trace/trace_events_filter.c
Summary: BUG: KASAN: slab-out-of-bounds in predicate_parse kernel/trace/trace_events_f...
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Bug Tracker
Hardware: All Linux
Importance: P1 normal
Assignee: Steven Rostedt
URL:
Keywords:
Duplicates: 200017
Depends on:
Blocks:
 
Reported: 2018-06-10 12:09 UTC by icytxw
Modified: 2019-05-22 13:04 UTC

See Also:
Kernel Version: v4.17
Tree: Mainline
Regression: No


Attachments
Found this bug with modified syzkaller (1.01 MB, text/plain), 2018-06-10 12:10 UTC, icytxw
report0 (1.58 KB, text/plain), 2018-06-10 12:10 UTC, icytxw
tracing: Check for no filter when processing event filters (2.26 KB, patch), 2018-06-21 17:39 UTC, Steven Rostedt

Description icytxw 2018-06-10 12:09:35 UTC
==================================================================
BUG: KASAN: slab-out-of-bounds in predicate_parse kernel/trace/trace_events_filter.c:557 [inline]
BUG: KASAN: slab-out-of-bounds in process_preds+0x140a/0x16b0 kernel/trace/trace_events_filter.c:1509
Write of size 4 at addr ffff8800695b3a10 by task syz-executor1/26773

CPU: 0 PID: 26773 Comm: syz-executor1 Not tainted 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:

Allocated by task 2813:
(stack is not available)

Freed by task 2813:
(stack is not available)

The buggy address belongs to the object at ffff8800695b39c0
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes to the right of
 64-byte region [ffff8800695b39c0, ffff8800695b3a00)
The buggy address belongs to the page:
page:ffffea0001a56cc0 count:1 mapcount:0 mapping:ffff88006d0018c0 index:0x0
flags: 0x100000000000100(slab)
raw: 0100000000000100 ffffea0001a626c0 0000000c0000000c ffff88006d0018c0
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800695b3900: 00 00 00 00 00 00 00 00 fc fc fc fc fb fb fb fb
 ffff8800695b3980: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 00 fc
>ffff8800695b3a00: fc fc fc fc 00 00 00 00 00 00 fc fc fc fc fc fc
                         ^
 ffff8800695b3a80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8800695b3b00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
Comment 1 icytxw 2018-06-10 12:10:25 UTC
Created attachment 276445
Found this bug with modified syzkaller
Comment 2 icytxw 2018-06-10 12:10:57 UTC
Created attachment 276447
report0
Comment 3 icytxw 2018-06-12 02:02:34 UTC
*** Bug 200017 has been marked as a duplicate of this bug. ***
Comment 4 Steven Rostedt 2018-06-21 17:39:44 UTC
Created attachment 276707
tracing: Check for no filter when processing event filters

Looks to be that the filter parsing could be called with no filter, in which case N=0 when it expected at least one line to have been read, which makes the N-1 index off of the program fail.
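An added C model of the bug class described in the comment above; this is not the kernel's predicate_parse() nor the attached patch. The struct, the `&&`-splitting term counter and the instrumented store (which reports a bad index the way KASAN flagged the write in the report, instead of corrupting memory) are all constructed for illustration. The unchecked builder computes the index N-1 without confirming N >= 1, so an empty filter yields index -1; the checked builder rejects the empty filter with -EINVAL before any indexing happens.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PREDS 16

/* Hypothetical predicate program: one entry per filter term. */
struct pred_prog {
    int n;                 /* number of entries in use (the N in the comment) */
    int terms[MAX_PREDS];  /* constructed: a term id stands in for a predicate */
};

/* Count '&&'-separated terms; an empty (or blank) filter has none.
 * Constructed tokeniser, far simpler than the kernel's real parser. */
static int count_terms(const char *filter)
{
    const char *p = filter;
    int n;

    while (*p == ' ')
        p++;
    if (*p == '\0')
        return 0;
    n = 1;
    for (; *p; p++)
        if (p[0] == '&' && p[1] == '&')
            n++;
    return n;
}

/* Instrumented store: plays the role KASAN played in the report, turning an
 * out-of-bounds index into a reported error rather than silent corruption. */
static int checked_store(struct pred_prog *prog, int idx, int val)
{
    if (idx < 0 || idx >= MAX_PREDS) {
        fprintf(stderr, "out-of-bounds write at index %d\n", idx);
        return -EFAULT;  /* constructed: stands in for the KASAN splat */
    }
    prog->terms[idx] = val;
    return 0;
}

/* Buggy shape: fills N entries, then touches entry N-1 to mark it as the
 * last one, with no check that N is at least 1. With an empty filter the
 * final store goes to index -1, just before the array. */
static int build_prog_unchecked(struct pred_prog *prog, const char *filter)
{
    int N = count_terms(filter);
    int i, ret;

    for (i = 0; i < N; i++) {
        ret = checked_store(prog, i, i + 1);
        if (ret)
            return ret;
    }
    prog->n = N;
    return checked_store(prog, N - 1, -1);  /* N-1 is -1 when N == 0 */
}

/* Fixed shape: an empty filter is rejected before any indexing happens. */
static int build_prog_checked(struct pred_prog *prog, const char *filter)
{
    if (count_terms(filter) == 0)
        return -EINVAL;
    return build_prog_unchecked(prog, filter);
}

/* Run one filter through either builder; returns 0 or a negative errno. */
int run_case(const char *filter, int with_check)
{
    struct pred_prog prog;

    memset(&prog, 0, sizeof(prog));
    return with_check ? build_prog_checked(&prog, filter)
                      : build_prog_unchecked(&prog, filter);
}

int main(void)
{
    printf("unchecked, empty filter: %d\n", run_case("", 0));      /* -EFAULT */
    printf("checked,   empty filter: %d\n", run_case("", 1));      /* -EINVAL */
    printf("checked,   two terms:    %d\n", run_case("a == 1 && b == 2", 1));
    return 0;
}
```

The point to take from the model is where the check sits: the empty-input case has to be rejected before the code derives an index from the count, because nothing downstream can recover from a negative index once it has been used.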
Comment 5 icytxw 2018-06-22 06:41:14 UTC
I think it works; I can't repro this anymore.
