cifs: Fix slab-out-of-bounds when tracing SMB tcon

Message ID 20190321223122.4166-1-paulo@paulo.ac
State New
Series
  • cifs: Fix slab-out-of-bounds when tracing SMB tcon

Commit Message

Paulo Alcantara (SUSE) March 21, 2019, 10:31 p.m. UTC
This patch fixes the following KASAN report:

[  779.044746] BUG: KASAN: slab-out-of-bounds in string+0xab/0x180
[  779.044750] Read of size 1 at addr ffff88814f327968 by task trace-cmd/2812

[  779.044756] CPU: 1 PID: 2812 Comm: trace-cmd Not tainted 5.1.0-rc1+ #62
[  779.044760] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
[  779.044761] Call Trace:
[  779.044769]  dump_stack+0x5b/0x90
[  779.044775]  ? string+0xab/0x180
[  779.044781]  print_address_description+0x6c/0x23c
[  779.044787]  ? string+0xab/0x180
[  779.044792]  ? string+0xab/0x180
[  779.044797]  kasan_report.cold.3+0x1a/0x32
[  779.044803]  ? string+0xab/0x180
[  779.044809]  string+0xab/0x180
[  779.044816]  ? widen_string+0x160/0x160
[  779.044822]  ? vsnprintf+0x5bf/0x7f0
[  779.044829]  vsnprintf+0x4e7/0x7f0
[  779.044836]  ? pointer+0x4a0/0x4a0
[  779.044841]  ? seq_buf_vprintf+0x79/0xc0
[  779.044848]  seq_buf_vprintf+0x62/0xc0
[  779.044855]  trace_seq_printf+0x113/0x210
[  779.044861]  ? trace_seq_puts+0x110/0x110
[  779.044867]  ? trace_raw_output_prep+0xd8/0x110
[  779.044876]  trace_raw_output_smb3_tcon_class+0x9f/0xc0
[  779.044882]  print_trace_line+0x377/0x890
[  779.044888]  ? tracing_buffers_read+0x300/0x300
[  779.044893]  ? ring_buffer_read+0x58/0x70
[  779.044899]  s_show+0x6e/0x140
[  779.044906]  seq_read+0x505/0x6a0
[  779.044913]  vfs_read+0xaf/0x1b0
[  779.044919]  ksys_read+0xa1/0x130
[  779.044925]  ? kernel_write+0xa0/0xa0
[  779.044931]  ? __do_page_fault+0x3d5/0x620
[  779.044938]  do_syscall_64+0x63/0x150
[  779.044944]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  779.044949] RIP: 0033:0x7f62c2c2db31
[ 779.044955] Code: fe ff ff 48 8d 3d 17 9e 09 00 48 83 ec 08 e8 96 02
02 00 66 0f 1f 44 00 00 8b 05 fa fc 2c 00 48 63 ff 85 c0 75 13 31 c0
0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48
89
[  779.044958] RSP: 002b:00007ffd6e116678 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  779.044964] RAX: ffffffffffffffda RBX: 0000560a38be9260 RCX: 00007f62c2c2db31
[  779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
[  779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
[  779.044969] RBP: 00007f62c2ef5420 R08: 0000000000000000 R09: 0000000000000003
[  779.044972] R10: ffffffffffffffa8 R11: 0000000000000246 R12: 00007ffd6e116710
[  779.044975] R13: 0000000000002000 R14: 0000000000000d68 R15: 0000000000002000

[  779.044981] Allocated by task 1257:
[  779.044987]  __kasan_kmalloc.constprop.5+0xc1/0xd0
[  779.044992]  kmem_cache_alloc+0xad/0x1a0
[  779.044997]  getname_flags+0x6c/0x2a0
[  779.045003]  user_path_at_empty+0x1d/0x40
[  779.045008]  do_faccessat+0x12a/0x330
[  779.045012]  do_syscall_64+0x63/0x150
[  779.045017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  779.045019] Freed by task 1257:
[  779.045023]  __kasan_slab_free+0x12e/0x180
[  779.045029]  kmem_cache_free+0x85/0x1b0
[  779.045034]  filename_lookup.part.70+0x176/0x250
[  779.045039]  do_faccessat+0x12a/0x330
[  779.045043]  do_syscall_64+0x63/0x150
[  779.045048]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  779.045052] The buggy address belongs to the object at ffff88814f326600
which belongs to the cache names_cache of size 4096
[  779.045057] The buggy address is located 872 bytes to the right of
4096-byte region [ffff88814f326600, ffff88814f327600)
[  779.045058] The buggy address belongs to the page:
[  779.045062] page:ffffea00053cc800 count:1 mapcount:0 mapping:ffff88815b191b40 index:0x0 compound_mapcount: 0
[  779.045067] flags: 0x200000000010200(slab|head)
[  779.045075] raw: 0200000000010200 dead000000000100 dead000000000200 ffff88815b191b40
[  779.045081] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[  779.045083] page dumped because: kasan: bad access detected

[  779.045085] Memory state around the buggy address:
[  779.045089]  ffff88814f327800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  779.045093]  ffff88814f327880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  779.045097] >ffff88814f327900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  779.045099]                                                           ^
[  779.045103]  ffff88814f327980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  779.045107]  ffff88814f327a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  779.045109] ==================================================================
[  779.045110] Disabling lock debugging due to kernel taint

Store a copy of the tree name in the smb3_tcon event record (`__string`/`__assign_str`) instead of a pointer to the caller's buffer. The pointer was only dereferenced when the event was formatted for a tracefs reader, by which time the `names_cache` string it pointed at had already been freed, as the allocation/free stacks in the report above show.

Signed-off-by: Paulo Alcantara (SUSE) <paulo@paulo.ac>
---
 fs/cifs/trace.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Steve French March 21, 2019, 11:12 p.m. UTC | #1
tentatively merged into cifs-2.6.git for-next pending build verification tests

On Thu, Mar 21, 2019 at 5:31 PM Paulo Alcantara (SUSE) <paulo@paulo.ac> wrote:
>
> This patch fixes the following KASAN report:
>
> [  779.044746] BUG: KASAN: slab-out-of-bounds in string+0xab/0x180
> [  779.044750] Read of size 1 at addr ffff88814f327968 by task trace-cmd/2812
>
> [  779.044756] CPU: 1 PID: 2812 Comm: trace-cmd Not tainted 5.1.0-rc1+ #62
> [  779.044760] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
> [  779.044761] Call Trace:
> [  779.044769]  dump_stack+0x5b/0x90
> [  779.044775]  ? string+0xab/0x180
> [  779.044781]  print_address_description+0x6c/0x23c
> [  779.044787]  ? string+0xab/0x180
> [  779.044792]  ? string+0xab/0x180
> [  779.044797]  kasan_report.cold.3+0x1a/0x32
> [  779.044803]  ? string+0xab/0x180
> [  779.044809]  string+0xab/0x180
> [  779.044816]  ? widen_string+0x160/0x160
> [  779.044822]  ? vsnprintf+0x5bf/0x7f0
> [  779.044829]  vsnprintf+0x4e7/0x7f0
> [  779.044836]  ? pointer+0x4a0/0x4a0
> [  779.044841]  ? seq_buf_vprintf+0x79/0xc0
> [  779.044848]  seq_buf_vprintf+0x62/0xc0
> [  779.044855]  trace_seq_printf+0x113/0x210
> [  779.044861]  ? trace_seq_puts+0x110/0x110
> [  779.044867]  ? trace_raw_output_prep+0xd8/0x110
> [  779.044876]  trace_raw_output_smb3_tcon_class+0x9f/0xc0
> [  779.044882]  print_trace_line+0x377/0x890
> [  779.044888]  ? tracing_buffers_read+0x300/0x300
> [  779.044893]  ? ring_buffer_read+0x58/0x70
> [  779.044899]  s_show+0x6e/0x140
> [  779.044906]  seq_read+0x505/0x6a0
> [  779.044913]  vfs_read+0xaf/0x1b0
> [  779.044919]  ksys_read+0xa1/0x130
> [  779.044925]  ? kernel_write+0xa0/0xa0
> [  779.044931]  ? __do_page_fault+0x3d5/0x620
> [  779.044938]  do_syscall_64+0x63/0x150
> [  779.044944]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  779.044949] RIP: 0033:0x7f62c2c2db31
> [ 779.044955] Code: fe ff ff 48 8d 3d 17 9e 09 00 48 83 ec 08 e8 96 02
> 02 00 66 0f 1f 44 00 00 8b 05 fa fc 2c 00 48 63 ff 85 c0 75 13 31 c0
> 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48
> 89
> [  779.044958] RSP: 002b:00007ffd6e116678 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> [  779.044964] RAX: ffffffffffffffda RBX: 0000560a38be9260 RCX: 00007f62c2c2db31
> [  779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
> [  779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
> [  779.044969] RBP: 00007f62c2ef5420 R08: 0000000000000000 R09: 0000000000000003
> [  779.044972] R10: ffffffffffffffa8 R11: 0000000000000246 R12: 00007ffd6e116710
> [  779.044975] R13: 0000000000002000 R14: 0000000000000d68 R15: 0000000000002000
>
> [  779.044981] Allocated by task 1257:
> [  779.044987]  __kasan_kmalloc.constprop.5+0xc1/0xd0
> [  779.044992]  kmem_cache_alloc+0xad/0x1a0
> [  779.044997]  getname_flags+0x6c/0x2a0
> [  779.045003]  user_path_at_empty+0x1d/0x40
> [  779.045008]  do_faccessat+0x12a/0x330
> [  779.045012]  do_syscall_64+0x63/0x150
> [  779.045017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [  779.045019] Freed by task 1257:
> [  779.045023]  __kasan_slab_free+0x12e/0x180
> [  779.045029]  kmem_cache_free+0x85/0x1b0
> [  779.045034]  filename_lookup.part.70+0x176/0x250
> [  779.045039]  do_faccessat+0x12a/0x330
> [  779.045043]  do_syscall_64+0x63/0x150
> [  779.045048]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [  779.045052] The buggy address belongs to the object at ffff88814f326600
> which belongs to the cache names_cache of size 4096
> [  779.045057] The buggy address is located 872 bytes to the right of
> 4096-byte region [ffff88814f326600, ffff88814f327600)
> [  779.045058] The buggy address belongs to the page:
> [  779.045062] page:ffffea00053cc800 count:1 mapcount:0 mapping:ffff88815b191b40 index:0x0 compound_mapcount: 0
> [  779.045067] flags: 0x200000000010200(slab|head)
> [  779.045075] raw: 0200000000010200 dead000000000100 dead000000000200 ffff88815b191b40
> [  779.045081] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> [  779.045083] page dumped because: kasan: bad access detected
>
> [  779.045085] Memory state around the buggy address:
> [  779.045089]  ffff88814f327800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  779.045093]  ffff88814f327880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  779.045097] >ffff88814f327900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  779.045099]                                                           ^
> [  779.045103]  ffff88814f327980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  779.045107]  ffff88814f327a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  779.045109] ==================================================================
> [  779.045110] Disabling lock debugging due to kernel taint
>
> Correctly assign tree name str for smb3_tcon event.
>
> Signed-off-by: Paulo Alcantara (SUSE) <paulo@paulo.ac>
> ---
>  fs/cifs/trace.h | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h
> index fa226de48ef3..68423d3279f7 100644
> --- a/fs/cifs/trace.h
> +++ b/fs/cifs/trace.h
> @@ -549,6 +549,7 @@ DECLARE_EVENT_CLASS(smb3_tcon_class,
>                 __field(unsigned int, xid)
>                 __field(__u32, tid)
>                 __field(__u64, sesid)
> +               __string(name, unc_name)
>                 __field(const char *,  unc_name)
>                 __field(int, rc)
>         ),
> @@ -556,12 +557,12 @@ DECLARE_EVENT_CLASS(smb3_tcon_class,
>                 __entry->xid = xid;
>                 __entry->tid = tid;
>                 __entry->sesid = sesid;
> -               __entry->unc_name = unc_name;
> +               __assign_str(name, unc_name);
>                 __entry->rc = rc;
>         ),
>         TP_printk("xid=%u sid=0x%llx tid=0x%x unc_name=%s rc=%d",
>                 __entry->xid, __entry->sesid, __entry->tid,
> -               __entry->unc_name, __entry->rc)
> +               __get_str(name), __entry->rc)
>  )
>
>  #define DEFINE_SMB3_TCON_EVENT(name)          \
> --
> 2.21.0
>

Patch

diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h
index fa226de48ef3..68423d3279f7 100644
--- a/fs/cifs/trace.h
+++ b/fs/cifs/trace.h
@@ -549,6 +549,7 @@  DECLARE_EVENT_CLASS(smb3_tcon_class,
 		__field(unsigned int, xid)
 		__field(__u32, tid)
 		__field(__u64, sesid)
+		__string(name, unc_name)
 		__field(const char *,  unc_name)
 		__field(int, rc)
 	),
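Review bot: The `__field(const char *,  unc_name)` entry directly below the new `__string(name, unc_name)` is now dead: the only store to `__entry->unc_name` is removed in the next hunk and `TP_printk` no longer reads it, so every smb3_tcon event still reserves a pointer-sized slot that is never written. Since ring-buffer reservations are presumably not zeroed, that slot would expose whatever the buffer previously held through the event's tracefs format to anyone able to read the trace, and the format file keeps advertising a field that carries no data. The line should simply be deleted: `-		__field(const char *,  unc_name)`. The enclosing DECLARE_EVENT_CLASS starts before this hunk.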
@@ -556,12 +557,12 @@  DECLARE_EVENT_CLASS(smb3_tcon_class,
 		__entry->xid = xid;
 		__entry->tid = tid;
 		__entry->sesid = sesid;
-		__entry->unc_name = unc_name;
+		__assign_str(name, unc_name);
 		__entry->rc = rc;
 	),
 	TP_printk("xid=%u sid=0x%llx tid=0x%x unc_name=%s rc=%d",
 		__entry->xid, __entry->sesid, __entry->tid,
-		__entry->unc_name, __entry->rc)
+		__get_str(name), __entry->rc)
 )
 
 #define DEFINE_SMB3_TCON_EVENT(name)          \