KASAN: use-after-free Read in crc16
6 views
Skip to first unread message
syzbot
Nov 8, 2019, 3:58:10 PM11/8/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: f40abacc ANDROID: overlayfs: fix printk format
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=1410309ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=844cb28a0c5c98da
dashboard link: https://syzkaller.appspot.com/bug?extid=a2ee24871df79496274e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a2ee24...@syzkaller.appspotmail.com
EXT4-fs (loop3): ext4_check_descriptors: Inode bitmap for group 0 overlaps
superblock
EXT4-fs (loop3): ext4_check_descriptors: Inode table for group 0 overlaps
superblock
EXT4-fs (loop3): corrupt root inode, run e2fsck
EXT4-fs (loop3): mount failed
==================================================================
BUG: KASAN: use-after-free in crc16+0xaa/0xc0 lib/crc16.c:60
Read of size 1 at addr ffff88819c4f3000 by task syz-executor.3/23293
CPU: 1 PID: 23293 Comm: syz-executor.3 Not tainted 4.14.152+ #0
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
crc16+0xaa/0xc0 lib/crc16.c:60
ext4_group_desc_csum.isra.0+0x627/0x7d0 fs/ext4/super.c:2356
ext4_group_desc_csum_verify fs/ext4/super.c:2368 [inline]
ext4_group_desc_csum_verify+0x123/0x190 fs/ext4/super.c:2364
ext4_check_descriptors fs/ext4/super.c:2483 [inline]
ext4_fill_super+0x4b95/0xb290 fs/ext4/super.c:4205
mount_bdev+0x2b6/0x360 fs/super.c:1151
mount_fs+0x277/0x312 fs/super.c:1257
vfs_kern_mount.part.0+0xc7/0x4a0 fs/namespace.c:1056
vfs_kern_mount fs/namespace.c:1038 [inline]
do_new_mount fs/namespace.c:2573 [inline]
do_mount+0x3f6/0x26a0 fs/namespace.c:2903
SYSC_mount fs/namespace.c:3119 [inline]
SyS_mount+0xa8/0x120 fs/namespace.c:3096
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45cc6a
RSP: 002b:00007ffb9da3ba88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffb9da3bb40 RCX: 000000000045cc6a
RDX: 00007ffb9da3bae0 RSI: 0000000020000000 RDI: 00007ffb9da3bb00
RBP: 0000000000000abb R08: 00007ffb9da3bb40 R09: 00007ffb9da3bae0
R10: 0000000000004801 R11: 0000000000000206 R12: 0000000000000003
R13: 00000000004c9a8e R14: 00000000004e1788 R15: 00000000ffffffff
Allocated by task 23164:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
kmalloc_array include/linux/slab.h:607 [inline]
kcalloc include/linux/slab.h:618 [inline]
iter_file_splice_write+0x156/0xa50 fs/splice.c:692
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x118/0x160 fs/splice.c:1018
splice_direct_to_actor+0x292/0x760 fs/splice.c:973
do_splice_direct+0x177/0x240 fs/splice.c:1061
do_sendfile+0x493/0xb20 fs/read_write.c:1445
SYSC_sendfile64 fs/read_write.c:1500 [inline]
SyS_sendfile64+0xab/0x140 fs/read_write.c:1492
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
0xffffffffffffffff
Freed by task 23164:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
slab_free_hook mm/slub.c:1407 [inline]
slab_free_freelist_hook mm/slub.c:1458 [inline]
slab_free mm/slub.c:3039 [inline]
kfree+0x108/0x3a0 mm/slub.c:3976
iter_file_splice_write+0x47d/0xa50 fs/splice.c:776
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x118/0x160 fs/splice.c:1018
splice_direct_to_actor+0x292/0x760 fs/splice.c:973
do_splice_direct+0x177/0x240 fs/splice.c:1061
do_sendfile+0x493/0xb20 fs/read_write.c:1445
SYSC_sendfile64 fs/read_write.c:1500 [inline]
SyS_sendfile64+0xab/0x140 fs/read_write.c:1492
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
0xffffffffffffffff
The buggy address belongs to the object at ffff88819c4f3000
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
256-byte region [ffff88819c4f3000, ffff88819c4f3100)
The buggy address belongs to the page:
page:ffffea0006713cc0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 0000000000000000 00000001000c000c
raw: dead000000000100 dead000000000200 ffff8881da802e00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88819c4f2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88819c4f2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88819c4f3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88819c4f3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88819c4f3100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: f40abacc ANDROID: overlayfs: fix printk format
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=1410309ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=844cb28a0c5c98da
dashboard link: https://syzkaller.appspot.com/bug?extid=a2ee24871df79496274e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a2ee24...@syzkaller.appspotmail.com
EXT4-fs (loop3): ext4_check_descriptors: Inode bitmap for group 0 overlaps
superblock
EXT4-fs (loop3): ext4_check_descriptors: Inode table for group 0 overlaps
superblock
EXT4-fs (loop3): corrupt root inode, run e2fsck
EXT4-fs (loop3): mount failed
==================================================================
BUG: KASAN: use-after-free in crc16+0xaa/0xc0 lib/crc16.c:60
Read of size 1 at addr ffff88819c4f3000 by task syz-executor.3/23293
CPU: 1 PID: 23293 Comm: syz-executor.3 Not tainted 4.14.152+ #0
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
crc16+0xaa/0xc0 lib/crc16.c:60
ext4_group_desc_csum.isra.0+0x627/0x7d0 fs/ext4/super.c:2356
ext4_group_desc_csum_verify fs/ext4/super.c:2368 [inline]
ext4_group_desc_csum_verify+0x123/0x190 fs/ext4/super.c:2364
ext4_check_descriptors fs/ext4/super.c:2483 [inline]
ext4_fill_super+0x4b95/0xb290 fs/ext4/super.c:4205
mount_bdev+0x2b6/0x360 fs/super.c:1151
mount_fs+0x277/0x312 fs/super.c:1257
vfs_kern_mount.part.0+0xc7/0x4a0 fs/namespace.c:1056
vfs_kern_mount fs/namespace.c:1038 [inline]
do_new_mount fs/namespace.c:2573 [inline]
do_mount+0x3f6/0x26a0 fs/namespace.c:2903
SYSC_mount fs/namespace.c:3119 [inline]
SyS_mount+0xa8/0x120 fs/namespace.c:3096
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45cc6a
RSP: 002b:00007ffb9da3ba88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffb9da3bb40 RCX: 000000000045cc6a
RDX: 00007ffb9da3bae0 RSI: 0000000020000000 RDI: 00007ffb9da3bb00
RBP: 0000000000000abb R08: 00007ffb9da3bb40 R09: 00007ffb9da3bae0
R10: 0000000000004801 R11: 0000000000000206 R12: 0000000000000003
R13: 00000000004c9a8e R14: 00000000004e1788 R15: 00000000ffffffff
Allocated by task 23164:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
kmalloc_array include/linux/slab.h:607 [inline]
kcalloc include/linux/slab.h:618 [inline]
iter_file_splice_write+0x156/0xa50 fs/splice.c:692
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x118/0x160 fs/splice.c:1018
splice_direct_to_actor+0x292/0x760 fs/splice.c:973
do_splice_direct+0x177/0x240 fs/splice.c:1061
do_sendfile+0x493/0xb20 fs/read_write.c:1445
SYSC_sendfile64 fs/read_write.c:1500 [inline]
SyS_sendfile64+0xab/0x140 fs/read_write.c:1492
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
0xffffffffffffffff
Freed by task 23164:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
slab_free_hook mm/slub.c:1407 [inline]
slab_free_freelist_hook mm/slub.c:1458 [inline]
slab_free mm/slub.c:3039 [inline]
kfree+0x108/0x3a0 mm/slub.c:3976
iter_file_splice_write+0x47d/0xa50 fs/splice.c:776
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x118/0x160 fs/splice.c:1018
splice_direct_to_actor+0x292/0x760 fs/splice.c:973
do_splice_direct+0x177/0x240 fs/splice.c:1061
do_sendfile+0x493/0xb20 fs/read_write.c:1445
SYSC_sendfile64 fs/read_write.c:1500 [inline]
SyS_sendfile64+0xab/0x140 fs/read_write.c:1492
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
0xffffffffffffffff
The buggy address belongs to the object at ffff88819c4f3000
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
256-byte region [ffff88819c4f3000, ffff88819c4f3100)
The buggy address belongs to the page:
page:ffffea0006713cc0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 0000000000000000 00000001000c000c
raw: dead000000000100 dead000000000200 ffff8881da802e00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88819c4f2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88819c4f2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88819c4f3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88819c4f3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88819c4f3100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 7, 2020, 2:58:07 PM3/7/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages