git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-5.0/cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch
autosel patches for 5.0
From f409f8489fbde4570c6372326192f5d2f1363fd2 Mon Sep 17 00:00:00 2001
From: "Paulo Alcantara (SUSE)" <paulo@paulo.ac>
Date: Thu, 21 Mar 2019 19:31:22 -0300
Subject: cifs: Fix slab-out-of-bounds when tracing SMB tcon

[ Upstream commit 68ddb496800acdb46172b4981dc3753ea9b39c25 ]

This patch fixes the following KASAN report:

[ 779.044746] BUG: KASAN: slab-out-of-bounds in string+0xab/0x180
[ 779.044750] Read of size 1 at addr ffff88814f327968 by task trace-cmd/2812

[ 779.044756] CPU: 1 PID: 2812 Comm: trace-cmd Not tainted 5.1.0-rc1+ #62
[ 779.044760] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
[ 779.044761] Call Trace:
[ 779.044769] dump_stack+0x5b/0x90
[ 779.044775] ? string+0xab/0x180
[ 779.044781] print_address_description+0x6c/0x23c
[ 779.044787] ? string+0xab/0x180
[ 779.044792] ? string+0xab/0x180
[ 779.044797] kasan_report.cold.3+0x1a/0x32
[ 779.044803] ? string+0xab/0x180
[ 779.044809] string+0xab/0x180
[ 779.044816] ? widen_string+0x160/0x160
[ 779.044822] ? vsnprintf+0x5bf/0x7f0
[ 779.044829] vsnprintf+0x4e7/0x7f0
[ 779.044836] ? pointer+0x4a0/0x4a0
[ 779.044841] ? seq_buf_vprintf+0x79/0xc0
[ 779.044848] seq_buf_vprintf+0x62/0xc0
[ 779.044855] trace_seq_printf+0x113/0x210
[ 779.044861] ? trace_seq_puts+0x110/0x110
[ 779.044867] ? trace_raw_output_prep+0xd8/0x110
[ 779.044876] trace_raw_output_smb3_tcon_class+0x9f/0xc0
[ 779.044882] print_trace_line+0x377/0x890
[ 779.044888] ? tracing_buffers_read+0x300/0x300
[ 779.044893] ? ring_buffer_read+0x58/0x70
[ 779.044899] s_show+0x6e/0x140
[ 779.044906] seq_read+0x505/0x6a0
[ 779.044913] vfs_read+0xaf/0x1b0
[ 779.044919] ksys_read+0xa1/0x130
[ 779.044925] ? kernel_write+0xa0/0xa0
[ 779.044931] ? __do_page_fault+0x3d5/0x620
[ 779.044938] do_syscall_64+0x63/0x150
[ 779.044944] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 779.044949] RIP: 0033:0x7f62c2c2db31
[ 779.044955] Code: fe ff ff 48 8d 3d 17 9e 09 00 48 83 ec 08 e8 96 02
02 00 66 0f 1f 44 00 00 8b 05 fa fc 2c 00 48 63 ff 85 c0 75 13 31 c0
0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48
89
[ 779.044958] RSP: 002b:00007ffd6e116678 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 779.044964] RAX: ffffffffffffffda RBX: 0000560a38be9260 RCX: 00007f62c2c2db31
[ 779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
[ 779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003
[ 779.044969] RBP: 00007f62c2ef5420 R08: 0000000000000000 R09: 0000000000000003
[ 779.044972] R10: ffffffffffffffa8 R11: 0000000000000246 R12: 00007ffd6e116710
[ 779.044975] R13: 0000000000002000 R14: 0000000000000d68 R15: 0000000000002000

[ 779.044981] Allocated by task 1257:
[ 779.044987] __kasan_kmalloc.constprop.5+0xc1/0xd0
[ 779.044992] kmem_cache_alloc+0xad/0x1a0
[ 779.044997] getname_flags+0x6c/0x2a0
[ 779.045003] user_path_at_empty+0x1d/0x40
[ 779.045008] do_faccessat+0x12a/0x330
[ 779.045012] do_syscall_64+0x63/0x150
[ 779.045017] entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 779.045019] Freed by task 1257:
[ 779.045023] __kasan_slab_free+0x12e/0x180
[ 779.045029] kmem_cache_free+0x85/0x1b0
[ 779.045034] filename_lookup.part.70+0x176/0x250
[ 779.045039] do_faccessat+0x12a/0x330
[ 779.045043] do_syscall_64+0x63/0x150
[ 779.045048] entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 779.045052] The buggy address belongs to the object at ffff88814f326600
which belongs to the cache names_cache of size 4096
[ 779.045057] The buggy address is located 872 bytes to the right of
4096-byte region [ffff88814f326600, ffff88814f327600)
[ 779.045058] The buggy address belongs to the page:
[ 779.045062] page:ffffea00053cc800 count:1 mapcount:0 mapping:ffff88815b191b40 index:0x0 compound_mapcount: 0
[ 779.045067] flags: 0x200000000010200(slab|head)
[ 779.045075] raw: 0200000000010200 dead000000000100 dead000000000200 ffff88815b191b40
[ 779.045081] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 779.045083] page dumped because: kasan: bad access detected

[ 779.045085] Memory state around the buggy address:
[ 779.045089] ffff88814f327800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 779.045093] ffff88814f327880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 779.045097] >ffff88814f327900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 779.045099] ^
[ 779.045103] ffff88814f327980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 779.045107] ffff88814f327a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 779.045109] ==================================================================
[ 779.045110] Disabling lock debugging due to kernel taint

Correctly assign tree name str for smb3_tcon event.

Signed-off-by: Paulo Alcantara (SUSE) <paulo@paulo.ac>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/trace.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h
index 59be48206932..b49bc925fb4f 100644
--- a/fs/cifs/trace.h
+++ b/fs/cifs/trace.h
@@ -378,19 +378,19 @@ DECLARE_EVENT_CLASS(smb3_tcon_class,
__field(unsigned int, xid)
__field(__u32, tid)
__field(__u64, sesid)
- __field(const char *, unc_name)
+ __string(name, unc_name)
__field(int, rc)
),
TP_fast_assign(
__entry->xid = xid;
__entry->tid = tid;
__entry->sesid = sesid;
- __entry->unc_name = unc_name;
+ __assign_str(name, unc_name);
__entry->rc = rc;
),
TP_printk("xid=%u sid=0x%llx tid=0x%x unc_name=%s rc=%d",
__entry->xid, __entry->sesid, __entry->tid,
- __entry->unc_name, __entry->rc)
+ __get_str(name), __entry->rc)
)

#define DEFINE_SMB3_TCON_EVENT(name) \
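Review bot: the tracepoint field is renamed from `unc_name` to `name` in this hunk (`__string(name, unc_name)`, `__assign_str(name, unc_name)`, `__get_str(name)`), so the exported format of the smb3_tcon events now carries a `name` field while the `TP_printk` label still reads `unc_name`; any trace filter or tooling keyed on the old field name will stop matching. Using `__string(unc_name, unc_name)`, `__assign_str(unc_name, unc_name)` and `__get_str(unc_name)` would keep the field name stable with no other change. The substance of the fix is right: `__string`/`__assign_str` copy the string into the trace entry when the event fires, instead of storing a `const char *` that is only dereferenced when the trace is printed, by which point the caller's buffer is gone (the report above shows the object allocated in getname_flags, freed in filename_lookup, and read later from trace_raw_output_smb3_tcon_class).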
--
2.19.1
