[LU-13039] BUG: KASAN: stack-out-of-bounds in strchr+0x2d/0x50 Created: 30/Nov/19  Updated: 18/Jan/20  Resolved: 18/Jan/20

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.14.0

Type: Bug Priority: Minor
Reporter: Shaun Tancheff Assignee: Shaun Tancheff
Resolution: Fixed Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 9223372036854775807

Description
Nov 27 02:56:55 mds kernel: BUG: KASAN: stack-out-of-bounds in strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: Read of size 1 at addr ffff88808d9f7c85 by task badarea_io/28126
Nov 27 02:56:55 mds kernel: 
Nov 27 02:56:55 mds kernel: CPU: 1 PID: 28126 Comm: badarea_io Tainted: P O 5.4.0-1.ldiskfs.d.el7.x86_64 #1
Nov 27 02:56:55 mds kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Nov 27 02:56:55 mds kernel: Call Trace:
Nov 27 02:56:55 mds kernel: dump_stack+0x7b/0xba
Nov 27 02:56:55 mds kernel: ? strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: print_address_description.constprop.7.cold.9+0x9/0x350
Nov 27 02:56:55 mds kernel: ? strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: ? strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: __kasan_report.cold.10+0x1b/0x3f
Nov 27 02:56:55 mds kernel: ? __kmem_cache_shutdown.cold.101+0x12f/0x140
Nov 27 02:56:55 mds kernel: ? strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: kasan_report+0x12/0x20
Nov 27 02:56:55 mds kernel: __asan_load1+0x47/0x50
Nov 27 02:56:55 mds kernel: strchr+0x2d/0x50
Nov 27 02:56:55 mds kernel: qsd_enabled_seq_write+0xf0/0x300 [lquota]
Nov 27 02:56:55 mds kernel: ? qsd_state_seq_show+0x520/0x520 [lquota]
Nov 27 02:56:55 mds kernel: ? init_object+0x7e/0x90
Nov 27 02:56:55 mds kernel: ? restore_nameidata+0x7f/0xa0
Nov 27 02:56:55 mds kernel: proc_reg_write+0x12e/0x190
Nov 27 02:56:55 mds kernel: ? proc_reg_unlocked_ioctl+0x180/0x180
Nov 27 02:56:55 mds kernel: ? security_file_permission+0x62/0x180
Nov 27 02:56:55 mds kernel: __vfs_write+0x50/0xa0
Nov 27 02:56:55 mds kernel: vfs_write+0xf3/0x280
Nov 27 02:56:55 mds kernel: ksys_write+0xc0/0x160
Nov 27 02:56:55 mds kernel: ? __ia32_sys_read+0x50/0x50
Nov 27 02:56:55 mds kernel: ? __audit_syscall_exit+0x374/0x470
Nov 27 02:56:55 mds kernel: __x64_sys_write+0x43/0x50
Nov 27 02:56:55 mds kernel: do_syscall_64+0x78/0x200
Nov 27 02:56:55 mds kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 27 02:56:55 mds kernel: RIP: 0033:0x7fd02707a9b0
Nov 27 02:56:55 mds kernel: Code: 73 01 c3 48 8b 0d c0 74 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d ed d5 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee cb 01 00 48 89 04 24
Nov 27 02:56:55 mds kernel: RSP: 002b:00007fff21478d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
Nov 27 02:56:55 mds kernel: RAX: ffffffffffffffda RBX: 00007fff21478d7c RCX: 00007fd02707a9b0
Nov 27 02:56:55 mds kernel: RDX: 0000000000000000 RSI: 00007fff21478d7c RDI: 0000000000000003
Nov 27 02:56:55 mds kernel: RBP: 00007fff21478e78 R08: 00007fd027353e80 R09: 0000000000000000
Nov 27 02:56:55 mds kernel: R10: 00007fff214787e0 R11: 0000000000000246 R12: 00000000004006cc
Nov 27 02:56:55 mds kernel: R13: 00007fff21478e70 R14: 0000000000000000 R15: 0000000000000000
Nov 27 02:56:55 mds kernel: 
Nov 27 02:56:55 mds kernel: The buggy address belongs to the page:
Nov 27 02:56:55 mds kernel: page:ffffea0002367dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
Nov 27 02:56:55 mds kernel: flags: 0xfffffc0000000()
Nov 27 02:56:55 mds kernel: raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000
Nov 27 02:56:55 mds kernel: raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
Nov 27 02:56:55 mds kernel: page dumped because: kasan: bad access detected
Nov 27 02:56:55 mds kernel: 
Nov 27 02:56:55 mds kernel: addr ffff88808d9f7c85 is located in stack of task badarea_io/28126 at offset 37 in frame:
Nov 27 02:56:55 mds kernel: qsd_enabled_seq_write+0x0/0x300 [lquota]
Nov 27 02:56:55 mds kernel: 
Nov 27 02:56:55 mds kernel: this frame has 2 objects:
Nov 27 02:56:55 mds kernel: [32, 37) 'valstr'
Nov 27 02:56:55 mds kernel: [96, 105) 'fsname'
Nov 27 02:56:55 mds kernel: 
Nov 27 02:56:55 mds kernel: Memory state around the buggy address:
Nov 27 02:56:55 mds kernel: ffff88808d9f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 27 02:56:55 mds kernel: ffff88808d9f7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Nov 27 02:56:55 mds kernel: >ffff88808d9f7c80: 05 f2 f2 f2 f2 f2 f2 f2 00 01 f2 f2 00 00 00 00
Nov 27 02:56:55 mds kernel: ^
Nov 27 02:56:55 mds kernel: ffff88808d9f7d00: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
Nov 27 02:56:55 mds kernel: ffff88808d9f7d80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 27 02:56:55 mds kernel: ==================================================================


Comments
Comment by Gerrit Updater [ 30/Nov/19 ]

Shaun Tancheff (stancheff@cray.com) uploaded a new patch: https://review.whamcloud.com/36899
Subject: LU-13039 quota: Ensure local buffer is null terminated
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 6f6be6fc97dbd5a10478ff68fb45850b7c72309e
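The KASAN frame in the description (a 5-byte 'valstr' object read one byte past its end, at offset 37) and the patch subject above describe a write handler whose local buffer was used as a C string without a terminator. The following is an added example, not Lustre's code or the patch itself: a user-space model of that handler shape with copy_from_user() stood in by memcpy(), the buggy form beside the fixed one; the function names, the "0"/"1" value parsing and the sample inputs are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Lustre's code or the patch. Models the handler shape
 * the KASAN report points at: a seq_file write handler copies a user
 * string into a small fixed stack buffer (the report's 'valstr' object is
 * 5 bytes, [32, 37)) and then calls strchr() on it. Names are assumed. */

#define VALSTR_LEN 5  /* same size as the 'valstr' frame object in the report */

/* Buggy shape, kept for contrast and never called here: when count equals
 * the buffer size no byte is left for '\0', so strchr() runs past the end
 * of the frame object. That is the 1-byte read at offset 37 KASAN flagged. */
int parse_enabled_buggy(const char *user_buf, size_t count)
{
    char valstr[VALSTR_LEN];
    char *nl;

    if (count > sizeof(valstr))
        return -EINVAL;
    memcpy(valstr, user_buf, count);  /* no terminator written */
    nl = strchr(valstr, '\n');        /* out-of-bounds read if count == 5 */
    if (nl)
        *nl = '\0';
    return strcmp(valstr, "1") == 0;  /* strcmp() has the same problem */
}

/* Fixed shape: reserve one byte for the terminator, copy only count
 * bytes, and write the NUL before any str* call touches the buffer. */
int parse_enabled_fixed(const char *user_buf, size_t count)
{
    char valstr[VALSTR_LEN];
    char *nl;

    if (count >= sizeof(valstr))      /* must leave room for '\0' */
        return -EINVAL;
    memcpy(valstr, user_buf, count);
    valstr[count] = '\0';             /* the missing terminator */

    nl = strchr(valstr, '\n');        /* safe: valstr is a C string now */
    if (nl)
        *nl = '\0';

    if (strcmp(valstr, "1") == 0)
        return 1;
    if (strcmp(valstr, "0") == 0)
        return 0;
    return -EINVAL;                   /* unrecognised value */
}
```

Note that the fixed form rejects a write whose count equals the buffer size, which is exactly the input that made the buggy form read past the frame object; the real handler should pick a buffer large enough for every value it accepts plus the terminator.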

Comment by Gerrit Updater [ 18/Jan/20 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/36899/
Subject: LU-13039 quota: Ensure local buffer is null terminated
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: c232a80d95849b8e776ae6b738585eacbfdc3612

Comment by Peter Jones [ 18/Jan/20 ]

Landed for 2.14

Generated at Sat Feb 10 02:57:50 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.