Re: [devkmsg_write] BUG: KASAN: slab-out-of-bounds in copyin+0xea/0x170

From: Sergey Senozhatsky
Date: Tue Nov 07 2017 - 07:05:34 EST


On (11/07/17 12:09), Dmitry Vyukov wrote:
> > On (11/07/17 17:39), Fengguang Wu wrote:
[..]
> > devkmsg_write() does
> >
> > buf = kmalloc(len+1, GFP_KERNEL);
> > ...
> > kfree(buf);
> >
> > kasan reports that this kfree() is actually happening in unpack_to_rootfs(),
> > before we do copy_from_iter_full().
>
>
> Please ignore the free stack. For slab-out-of-bound bugs the object is
> not actually freed and KASAN prints the free stack where it was freed
> before it was re-allocated as new object.

ah, ok.

> Can that len+1 overflow? Is it checked?

hm, I don't think it overflows there.

__kernel_write()
__vfs_write()
new_sync_write()

__kernel_write() makes sure that if count > MAX_RW_COUNT then
count = MAX_RW_COUNT.

-ss
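As an added illustration of the arithmetic discussed in this reply (this is example code written here, not kernel code and not something posted by the participants): a user-space model of devkmsg_write()'s kmalloc(len + 1) sitting behind the count clamp that __kernel_write() applies. The model assumes PAGE_SIZE = 4096 and uses its own demo_ names; MAX_RW_COUNT is computed with the same (INT_MAX & PAGE_MASK) expression the kernel uses, which is why the clamped len can never get within reach of SIZE_MAX and len + 1 cannot wrap.

```c
/*
 * Added example, not kernel code: models kmalloc(len + 1) in a
 * devkmsg_write()-style handler behind the __kernel_write() clamp
 * (count > MAX_RW_COUNT -> count = MAX_RW_COUNT).
 * Assumptions: PAGE_SIZE is 4096; all demo_ names are invented here.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_PAGE_SIZE    4096UL
#define DEMO_PAGE_MASK    (~(DEMO_PAGE_SIZE - 1))
/* Same expression as the kernel's MAX_RW_COUNT: (INT_MAX & PAGE_MASK). */
#define DEMO_MAX_RW_COUNT ((size_t)(INT_MAX & DEMO_PAGE_MASK))

/* The clamp __kernel_write() applies to count before calling the file op. */
size_t demo_clamp_rw_count(size_t count)
{
    return count > DEMO_MAX_RW_COUNT ? DEMO_MAX_RW_COUNT : count;
}

/*
 * Size handed to kmalloc for len payload bytes plus a NUL terminator.
 * Returns -1 if len + 1 would wrap to 0: an allocation of 0 bytes followed
 * by a copy of len bytes is exactly the slab-out-of-bounds shape that
 * KASAN reports, so this is the case the clamp has to rule out.
 */
int demo_alloc_size(size_t len, size_t *out)
{
    if (len > SIZE_MAX - 1)
        return -1;
    *out = len + 1;
    return 0;
}

/*
 * Model of the write path: optionally run the __kernel_write() clamp, then
 * do what devkmsg_write() does (allocate len + 1, copy, NUL-terminate).
 * ubuf stands in for the user memory behind the iov_iter.
 * Returns the number of payload bytes accepted, or -1 on wrap / ENOMEM.
 */
long demo_devkmsg_write(const char *ubuf, size_t len, int clamp_first)
{
    size_t alloc;
    char *buf;

    if (clamp_first)
        len = demo_clamp_rw_count(len);
    if (demo_alloc_size(len, &alloc))
        return -1;              /* len + 1 wrapped: refuse instead of kmalloc(0) */
    buf = malloc(alloc);
    if (!buf)
        return -1;
    memcpy(buf, ubuf, len);     /* copy_from_iter_full() stand-in */
    buf[len] = '\0';
    free(buf);
    return (long)len;
}

/*
 * Probe the interesting lengths (0, around MAX_RW_COUNT, around SIZE_MAX)
 * and confirm that after the clamp none of them makes len + 1 wrap.
 * Returns 1 if the clamp holds for every probe, 0 otherwise.
 */
int demo_clamp_prevents_wrap(void)
{
    const size_t probes[] = {
        0, 1, DEMO_MAX_RW_COUNT - 1, DEMO_MAX_RW_COUNT, DEMO_MAX_RW_COUNT + 1,
        (size_t)INT_MAX, SIZE_MAX - 1, SIZE_MAX
    };
    size_t i, alloc;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        if (demo_alloc_size(demo_clamp_rw_count(probes[i]), &alloc))
            return 0;
    return 1;
}

int main(void)
{
    const char msg[] = "hello from userspace";   /* constructed sample input */
    size_t alloc = 0;

    printf("MAX_RW_COUNT = %zu\n", DEMO_MAX_RW_COUNT);
    printf("unclamped len=SIZE_MAX: alloc ok? %d\n", demo_alloc_size(SIZE_MAX, &alloc) == 0);
    printf("clamped   len=SIZE_MAX: alloc ok? %d (size %zu)\n",
           demo_alloc_size(demo_clamp_rw_count(SIZE_MAX), &alloc) == 0, alloc);
    printf("write of %zu bytes accepted: %ld\n", sizeof(msg) - 1,
           demo_devkmsg_write(msg, sizeof(msg) - 1, 1));
    printf("clamp prevents wrap for all probes: %d\n", demo_clamp_prevents_wrap());
    return 0;
}
```

The point the probes make is the one in the reply: the only len for which len + 1 wraps is SIZE_MAX, and after the clamp len is at most INT_MAX & PAGE_MASK, so the allocation size is always representable. A handler that can be reached through a path without that clamp would need its own check (the demo_alloc_size() guard here) before the kmalloc.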