Re: KASAN: stack-out-of-bounds Read in __free_filter

From: Dmitry Vyukov
Date: Wed Apr 11 2018 - 10:51:30 EST


On Wed, Apr 11, 2018 at 4:47 PM, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> On Wed, 11 Apr 2018 05:02:02 -0700
> syzbot <syzbot+dadcc936587643d7f568@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +0000)
>> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
>>
>> So far this crash happened 6 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+dadcc936587643d7f568@xxxxxxxxxxxxxxxxxxxxxxxxx
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>
> Can you try this patch?

Hi Steve,

Instructions for asking syzbot to test a patch are here:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

> -- Steve
>
> diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
> index 33b7720e2aa1..5c07ae2ac5d7 100644
> --- a/kernel/trace/trace_events_filter.c
> +++ b/kernel/trace/trace_events_filter.c
> @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call,
> struct event_filter **filterp)
> {
> struct filter_parse_error *pe = NULL;
> - struct event_filter *filter = NULL;
> int err;
>
> - err = create_filter_start(filter_string, set_str, &pe, &filter);
> + err = create_filter_start(filter_string, set_str, &pe, filterp);
> if (err)
> return err;
>
> - err = process_preds(call, filter_string, filter, pe);
> + err = process_preds(call, filter_string, *filterp, pe);
> if (err && set_str)
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
>
> - *filterp = filter;
> return err;
> }
>
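Review bot: with the local gone, `*filterp` is written only inside create_filter_start, so on the `if (err) return err;` path the caller's pointer keeps whatever value it held before the call; this hunk is only correct together with the `filter = NULL` initializers the later hunks add at every call site. That contract (filterp must point at a NULL pointer on entry, is left untouched when create_filter_start fails, and after a process_preds failure `*filterp` is a live allocation the caller must free, since `return err;` now follows `append_filter_err(pe, *filterp);` with the filter still published) is worth stating in a comment above create_filter, because nothing in the function body makes it visible any more.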
> @@ -1740,24 +1738,22 @@ static int create_system_filter(struct trace_subsystem_dir *dir,
> struct trace_array *tr,
> char *filter_str, struct event_filter **filterp)
> {
> - struct event_filter *filter = NULL;
> struct filter_parse_error *pe = NULL;
> int err;
>
> - err = create_filter_start(filter_str, true, &pe, &filter);
> + err = create_filter_start(filter_str, true, &pe, filterp);
> if (!err) {
> err = process_system_preds(dir, tr, pe, filter_str);
> if (!err) {
> /* System filters just show a default message */
> - kfree(filter->filter_string);
> - filter->filter_string = NULL;
> + kfree((*filterp)->filter_string);
> + (*filterp)->filter_string = NULL;
> } else {
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
> }
> }
> create_filter_finish(pe);
>
> - *filterp = filter;
> return err;
> }
>
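Review bot: the repeated `(*filterp)->` dereferences in the success branch (`kfree((*filterp)->filter_string);` / `(*filterp)->filter_string = NULL;`) read worse than the local they replace; a `struct event_filter *filter = *filterp;` alias inside the `if (!err)` block keeps the original two lines and the `append_filter_err(pe, filter);` call unchanged while still dropping the separate `*filterp = filter;` store, which is the actual point of the hunk. Unrelated to the change but visible here: `create_filter_finish(pe);` also runs on the path where create_filter_start failed and `pe` is still NULL, so it must tolerate a NULL argument.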
> @@ -1765,7 +1761,7 @@ static int create_system_filter(struct trace_subsystem_dir *dir,
> int apply_event_filter(struct trace_event_file *file, char *filter_string)
> {
> struct trace_event_call *call = file->event_call;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err;
>
> if (!strcmp(strstrip(filter_string), "0")) {
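Review bot: the `= NULL` initializer is load-bearing rather than cosmetic: create_filter now leaves `filter` untouched when create_filter_start fails, and an uninitialized local is exactly the stack value that would reach __free_filter on the error path (the KASAN stack-out-of-bounds read in the subject). A one-line comment such as `/* create_filter() leaves this untouched on early failure */` would stop a later cleanup from dropping the initializer as redundant; the same applies to the identical initializers in the two hunks that follow.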
> @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct trace_subsystem_dir *dir,
> {
> struct event_subsystem *system = dir->subsystem;
> struct trace_array *tr = dir->tr;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err = 0;
>
> mutex_lock(&event_mutex);
> @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, int event_id,
> char *filter_str)
> {
> int err;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> struct trace_event_call *call;
>
> mutex_lock(&event_mutex);
>
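As an added example, not part of this thread or of the kernel source, the following user-space C model isolates the out-parameter contract the patch changes. `filter_start` stands in for create_filter_start and writes `*filterp` only once it is committed to a new filter; `create_filter_before` and `create_filter_after` mirror the two versions of create_filter in the first hunk; `caller_frees_garbage` mirrors a caller such as apply_event_filter that frees `filter` whether or not the call failed, with `init` modelling what the caller's local holds before the call (a poison pointer for the old uninitialized declaration, NULL for the patched `= NULL` one). All names, the `STACK_GARBAGE` constant and the "empty string means failure" rule are constructed for illustration; the kernel's __free_filter is modelled only by its NULL tolerance.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not kernel code. */
struct event_filter {
	char *filter_string;
};

/* Stands in for __free_filter(): tolerates NULL. */
static void free_filter(struct event_filter *filter)
{
	if (!filter)
		return;
	free(filter->filter_string);
	free(filter);
}

/* Stands in for create_filter_start(): *filterp is written only once the
 * function is committed to a new filter. An empty string models a failure
 * that happens before that point, so *filterp is deliberately left alone. */
static int filter_start(const char *str, struct event_filter **filterp)
{
	struct event_filter *filter;
	size_t len = strlen(str);

	if (len == 0)
		return -EINVAL;
	filter = calloc(1, sizeof(*filter));
	if (!filter)
		return -ENOMEM;
	filter->filter_string = malloc(len + 1);
	if (!filter->filter_string) {
		free(filter);
		return -ENOMEM;
	}
	memcpy(filter->filter_string, str, len + 1);
	*filterp = filter;
	return 0;
}

/* create_filter() as it was before the patch: a local plus a late store. */
static int create_filter_before(const char *str, struct event_filter **filterp)
{
	struct event_filter *filter = NULL;
	int err;

	err = filter_start(str, &filter);
	if (err)
		return err;	/* *filterp is not stored on this path */
	*filterp = filter;
	return 0;
}

/* create_filter() as patched: the caller's pointer is passed straight through. */
static int create_filter_after(const char *str, struct event_filter **filterp)
{
	return filter_start(str, filterp);
}

/* Poison value standing in for whatever an uninitialized stack slot holds. */
#define STACK_GARBAGE ((struct event_filter *)(uintptr_t)0x5a5a5a5a)

/* Stands in for a caller like apply_event_filter(): declares `filter`, calls
 * create(), and frees `filter` whether or not create() failed. `init` is the
 * value the local holds before the call: STACK_GARBAGE for the old
 * `struct event_filter *filter;`, NULL for the patched `= NULL` declaration.
 * Returns 1 if the error path would hand a never-written pointer to
 * free_filter(), 0 if every path frees either a valid pointer or NULL. */
static int caller_frees_garbage(int (*create)(const char *, struct event_filter **),
				struct event_filter *init, const char *str)
{
	struct event_filter *filter = init;
	int err = create(str, &filter);

	if (err && filter == STACK_GARBAGE)
		return 1;	/* in the kernel: __free_filter() reads stack garbage */
	free_filter(filter);	/* valid pointer on success, NULL on a clean failure */
	return 0;
}

int main(void)
{
	printf("before, uninitialized caller, failure:    %s\n",
	       caller_frees_garbage(create_filter_before, STACK_GARBAGE, "") ? "frees garbage" : "ok");
	printf("after,  uninitialized caller, failure:    %s\n",
	       caller_frees_garbage(create_filter_after, STACK_GARBAGE, "") ? "frees garbage" : "ok");
	printf("after,  NULL-initialized caller, failure: %s\n",
	       caller_frees_garbage(create_filter_after, NULL, "") ? "frees garbage" : "ok");
	printf("after,  NULL-initialized caller, success: %s\n",
	       caller_frees_garbage(create_filter_after, NULL, "pid == 1") ? "frees garbage" : "ok");
	return 0;
}
```

In this model both versions of create_filter leave the caller's pointer untouched when filter_start fails, so it is the `= NULL` initializers from the later hunks, not the pass-through of filterp, that keep the error path from freeing stack garbage; the pass-through removes a redundant local and makes the single point of publication (inside filter_start) easier to see.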