From: Haichi Wang <wanghaichi@tju.edu.cn>
To: paulmck@kernel.org, rientjes@google.com, josh@joshtriplett.org,
dvyukov@google.com, akpm@linux-foundation.org,
linux-fsdevel@vger.kernel.org, mathieu.desnoyers@efficios.com,
andreyknvl@gmail.com, peterz@infradead.org,
jfs-discussion@lists.sourceforge.net, bp@alien8.de,
linux-mm@kvack.org, cl@linux.com, joel@joelfernandes.org,
iamjoonsoo.kim@lge.com, jiangshanlai@gmail.com,
viro@zeniv.linux.org.uk, kasan-dev@googlegroups.com,
mingo@redhat.com, tglx@linutronix.de, luto@kernel.org,
neeraj.upadhyay@kernel.org, urezki@gmail.com,
roman.gushchin@linux.dev, vbabka@suse.cz,
linux-kernel@vger.kernel.org, jack@suse.cz, rcu@vger.kernel.org,
boqun.feng@gmail.com, x86@kernel.org, frederic@kernel.org,
vincenzo.frascino@arm.com, rostedt@goodmis.org,
42.hyeyoo@gmail.com, shaggy@kernel.org, penberg@kernel.org,
dave.hansen@linux.intel.com, hpa@zytor.com, brauner@kernel.org,
glider@google.com, qiang.zhang1211@gmail.com,
ryabinin.a.a@gmail.com
Cc: syzkaller <syzkaller@googlegroups.com>
Subject: Kernel Bug: "KASAN: slab-out-of-bounds Read in jfs_readdir"
Date: Fri, 20 Dec 2024 16:07:45 +0800 (GMT+08:00)
Message-ID: <AFMAUQCEIuMrCuBcOuRJwqrY.1.1734682065298.Hmail.3014218099@tju.edu.cn>
Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **KASAN: slab-out-of-bounds Read in jfs_readdir**, discovered using a modified version of Syzkaller.
### Affected Files
The affected files, as obtained from the VM log, are listed below. The corresponding maintainers were identified using `./scripts/get_maintainer.pl`:
kernel/entry/common.c
fs/jfs/namei.c
fs/super.c
kernel/rcu/tree.c
__call_rcu_common.c
fs/namespace.c
fs/jfs/super.c
mm/kasan/generic.c
mm/kasan/common.c
fs/inode.c
kernel/task_work.c
fs/jfs/inode.c
fs/readdir.c
kernel/softirq.c
mm/slub.c
arch/x86/entry/common.c
arch/x86/kernel/apic/apic.c
fs/jfs/jfs_dtree.c
fs/namei.c
mm/kasan/report.c
lib/dump_stack.c
### Kernel Versions
- **Kernel Version Tested:** v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230
- **Latest Kernel Version Reproduced On:** f44d154d6e3d633d4c49a5d6a8aed0e4684ae25e
### Environment Details
- **QEMU Version:** QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.29)
- **GCC Version:** gcc (Ubuntu 11.4.0-2ubuntu1~20.04) 11.4.0
- **Syzkaller Version:** 2b3ef1577cde5da4fd1f7ece079731e140351177
### Attached Files
We have attached the following files to assist in reproducing and diagnosing the bug:
- **Bug Title:** `bugtitle`
- **Bug Report:** `report`
- **Machine Information:** `machineInfo`
- **Kernel Config:** `config`
- **Compiled Kernel Image:** `vmlinux`
- **Syzkaller Reproducing Program:** `repro.txt`
- **VM Log for Syzkaller Reproducer:** `vm_syz.log`
### Reproduction Instructions
To reproduce the bug, please follow the instructions below. For additional details, refer to [Syzkaller Reproducing Crashes Documentation](https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md).
Feel free to email us if any other information is needed. We hope the provided materials will help in finding and fixing the bug.
We also provide a brief documentation for how to execute the reproducing program:
#### Prepare the Linux Kernel Image
1. Clone the Linux kernel repository and check out the latest kernel version:
```bash
cd /path/to/linux
git checkout f44d154d6e3d633d4c49a5d6a8aed0e4684ae25e
cp /path/to/config /path/to/linux/.config
make olddefconfig
make -j$(nproc)
```
#### Prepare the Root Filesystem
Follow the setup instructions at [Setting Up Ubuntu Host QEMU VM](https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md). Ensure the root filesystem is prepared at `/path/to/rootfs`.
#### Start the Virtual Machine
Use the following QEMU command to start the VM:
```bash
# start vm
# Here port is set to 10099, change it as needed
qemu-system-x86_64 \
-m 20G -qmp unix:/tmp/qmp-sock,server,nowait \
-smp 2 \
-kernel /path/to/linux/arch/x86/boot/bzImage \
-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
-drive file=/path/to/rootfs/bullseye.img,format=raw \
-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10099-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-pidfile vm.pid \
2>&1 | tee vm.log
```
#### Reproduce the Bug
- **For Syzkaller Reproducing Program:**
1. Install Syzkaller ([Setup Guide](https://github.com/google/syzkaller/blob/master/docs/linux/setup.md#go-and-syzkaller)):
```bash
git clone https://github.com/google/syzkaller
cd syzkaller
make
# if the make command returns an error like `cannot find package "github.com/google/syzkaller/`,
# run the following command and try again:
# go env -w GO111MODULE=on
```
2. Transfer the Syzkaller reproducing program and binary to the VM:
```bash
scp -i /path/to/rootfs/bullseye.id_rsa -P 10099 -o "StrictHostKeyChecking no" -r /path/to/repro.txt root@localhost:/root/
scp -i /path/to/rootfs/bullseye.id_rsa -P 10099 -o "StrictHostKeyChecking no" -r /path/to/syzkaller/bin/linux_amd64/* root@localhost:/root/
ssh -i /path/to/rootfs/bullseye.id_rsa -p 10099 -o "StrictHostKeyChecking no" root@localhost
# the files were copied to /root above; syz-execprog expects syz-executor next to it
cd /root && ./syz-execprog repro.txt
```
Feel free to reach out if additional information or clarifications are needed. We hope this report aids in identifying and fixing the bug.
Best regards,
Haichi Wang
Tianjin University
Cloud attachment sent via NetEase Enterprise Mail:
35eebc3386d681e5ad3da113221ad93ecf42b5b0.7z
189.38M | Expires: 4 January 2025 16:06
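The reproduction steps above, driven end to end by one script, as an added example that is not part of the original report or of syzkaller: it boots the VM, pushes the reproducer, bounds the run with a host-side timeout, and then decides from vm.log whether the run produced the KASAN report this thread is about (a slab-out-of-bounds in jfs_readdir) rather than some unrelated splat. The paths (taken from the report's own placeholders), the port, the timeouts, the environment variable names and the availability of coreutils `timeout` on the host are assumptions; the `BUG: KASAN: <type> in <func>+0x.../0x...` header it parses is the line generic KASAN prints at the top of a report.

```shell
#!/bin/sh
# Added example, not part of the original report or of syzkaller.
# Paths, port, timeouts and variable names are assumptions; adjust them.
set -u

LINUX=${LINUX:-/path/to/linux}
ROOTFS=${ROOTFS:-/path/to/rootfs}
SYZ=${SYZ:-/path/to/syzkaller}
REPRO=${REPRO:-/path/to/repro.txt}
PORT=${PORT:-10099}
VMLOG=${VMLOG:-vm.log}
# Left unquoted on use so that the options split into separate arguments.
SSH_OPTS="-i $ROOTFS/bullseye.id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5"

# Print "<bug-type> <function>" for the first KASAN report in LOG, taken from
# its "BUG: KASAN: <type> in <func>+0x.../0x..." header line. Prints nothing
# and returns 1 when LOG holds no KASAN report at all.
kasan_summary() {
    s=$(sed -n 's/.*BUG: KASAN: \([a-z-]*\) in \([A-Za-z0-9_.]*\)+0x.*/\1 \2/p' "$1" | head -n 1)
    [ -n "$s" ] || return 1
    printf '%s\n' "$s"
}

# Return 0 only if LOG contains a KASAN report of type TYPE in function FUNC.
# A different splat on the way (another subsystem, another bug class) is not
# a reproduction of this report and returns 1.
kasan_matches() {
    [ "$(kasan_summary "$1" 2>/dev/null)" = "$2 $3" ]
}

# Same QEMU invocation as in the report, backgrounded, console into $VMLOG.
start_vm() {
    qemu-system-x86_64 \
        -m 20G -smp 2 -enable-kvm -nographic -pidfile vm.pid \
        -kernel "$LINUX/arch/x86/boot/bzImage" \
        -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
        -drive "file=$ROOTFS/bullseye.img,format=raw" \
        -net "user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:$PORT-:22" \
        -net nic,model=e1000 \
        >"$VMLOG" 2>&1 &
}

# Poll ssh for up to $1 seconds; return 1 if the guest never comes up.
wait_for_ssh() {
    i=0
    while [ "$i" -lt "$1" ]; do
        ssh $SSH_OPTS -p "$PORT" root@localhost true 2>/dev/null && return 0
        i=$((i + 5)); sleep 5
    done
    return 1
}

# Copy the reproducer plus the two binaries it needs (syz-execprog looks for
# syz-executor next to itself) and run it. The guest will likely panic or
# hang once KASAN fires, so the run is bounded on the host side rather than
# trusting the ssh session to return.
run_repro() {
    scp $SSH_OPTS -P "$PORT" "$REPRO" \
        "$SYZ/bin/linux_amd64/syz-execprog" "$SYZ/bin/linux_amd64/syz-executor" \
        root@localhost:/root/
    timeout 300 ssh $SSH_OPTS -p "$PORT" root@localhost \
        "cd /root && ./syz-execprog $(basename "$REPRO")"
}

stop_vm() {
    [ -f vm.pid ] && kill "$(cat vm.pid)" 2>/dev/null
    return 0
}

main() {
    start_vm
    wait_for_ssh 300 || { echo "guest did not boot"; stop_vm; exit 2; }
    run_repro || true
    sleep 10            # let the serial console finish writing the splat
    stop_vm
    if kasan_matches "$VMLOG" slab-out-of-bounds jfs_readdir; then
        echo "reproduced: $(kasan_summary "$VMLOG")"
    else
        echo "not reproduced; first KASAN report, if any: $(kasan_summary "$VMLOG" 2>/dev/null || echo none)"
        exit 1
    fi
}

# Only drive the VM when asked; sourcing or running without "run" just
# defines the functions so the log checks can be reused on a captured vm.log.
if [ "${1:-}" = run ]; then
    main
fi
```

Run as `REPRO=/path/to/repro.txt ./repro.sh run`. Matching on both the bug type and the function in the BUG header, rather than on the bare string "KASAN", keeps an unrelated report produced by one of the other subsystems the reproducer touches (see the Affected Files list) from being counted as a reproduction of this bug.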
Thread overview: 2+ messages
2024-12-20 8:07 Haichi Wang [this message]
2024-12-20 9:14 ` Alexander Potapenko