[Android 5.4] KASAN: use-after-free Read in ext4_search_dir


syzbot

Apr 15, 2024, 2:47:21 AMApr 15
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d0d34dcb02cc FROMLIST: binder: check offset alignment in b..
git tree: android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17a716f5180000
kernel config: https://syzkaller.appspot.com/x/.config?x=60c0e8be982a03fd
dashboard link: https://syzkaller.appspot.com/bug?extid=a133fb1e9618ba1cc23d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a10f4d180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=165e7393180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/de032a90cf4e/disk-d0d34dcb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2bae6132625/vmlinux-d0d34dcb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2c3043eb62d8/bzImage-d0d34dcb.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a57d7bf3e962/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a133fb...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xee/0x1b0 fs/ext4/namei.c:1504
Read of size 1 at addr ffff8881dcecd6e3 by task syz-executor424/362

CPU: 0 PID: 362 Comm: syz-executor424 Not tainted 5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
ext4_search_dir+0xee/0x1b0 fs/ext4/namei.c:1504
ext4_find_inline_entry+0x4b6/0x5e0 fs/ext4/inline.c:1698
__ext4_find_entry+0x2a9/0x1b50 fs/ext4/namei.c:1577
ext4_lookup_entry fs/ext4/namei.c:1730 [inline]
ext4_lookup+0x3c6/0xaa0 fs/ext4/namei.c:1798
lookup_open fs/namei.c:3308 [inline]
do_last fs/namei.c:3421 [inline]
path_openat+0x159a/0x3480 fs/namei.c:3634
do_filp_open+0x20b/0x450 fs/namei.c:3664
do_sys_open+0x39c/0x810 fs/open.c:1113
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea000773b340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea000773b388 ffffea000773b308 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff8881dcecd580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881dcecd600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881dcecd680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881dcecd700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881dcecd780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_find_dest_de:2063: inode #12: block 5: comm syz-executor424: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup