KASAN: out-of-bounds Read in ext4_xattr_set_entry
13 views
Skip to first unread message
syzbot
Mar 21, 2021, 6:06:22 PM3/21/21
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 543ec454 Merge 5.4.107 into android12-5.4
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15373026d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c34b9a3c528ee57b
dashboard link: https://syzkaller.appspot.com/bug?extid=7e8d321460434dffad35
compiler: Debian clang version 11.0.1-2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15449906d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1189133ad00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e8d32...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1bc7/0x3c50 fs/ext4/xattr.c:1726
Read of size 18446744073709551600 at addr ffff8881e9df00d4 by task syz-executor357/343
CPU: 1 PID: 343 Comm: syz-executor357 Not tainted 5.4.107-syzkaller-00750-g543ec4541c0e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x24e lib/dump_stack.c:118
print_address_description+0x9b/0x650 mm/kasan/report.c:384
__kasan_report+0x182/0x260 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:141 [inline]
check_memory_region+0x2a5/0x2e0 mm/kasan/generic.c:191
memmove+0x25/0x50 mm/kasan/common.c:114
ext4_xattr_set_entry+0x1bc7/0x3c50 fs/ext4/xattr.c:1726
ext4_xattr_ibody_inline_set+0x74/0x280 fs/ext4/xattr.c:2215
ext4_destroy_inline_data_nolock+0x1c9/0x5e0 fs/ext4/inline.c:435
ext4_convert_inline_data_nolock+0x434/0x1640 fs/ext4/inline.c:1218
ext4_convert_inline_data+0x33c/0x430 fs/ext4/inline.c:2043
ext4_fallocate+0xdf/0x800 fs/ext4/extents.c:4898
vfs_fallocate+0x564/0x840 fs/open.c:309
ksys_fallocate fs/open.c:332 [inline]
__do_sys_fallocate fs/open.c:340 [inline]
__se_sys_fallocate fs/open.c:338 [inline]
__x64_sys_fallocate+0xb9/0x100 fs/open.c:338
do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44a3c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e5e560208 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00000000004cc4e8 RCX: 000000000044a3c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00000000004cc4e0 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000bb89 R11: 0000000000000246 R12: 00000000004cc4ec
R13: 00007ffdfbb28fef R14: 00007f4e5e560300 R15: 0000000000022000
The buggy address belongs to the page:
page:ffffea0007a77c00 refcount:2 mapcount:0 mapping:ffff8881f45e5268 index:0x8
def_blk_aops
flags: 0x800000000002203e(referenced|uptodate|dirty|lru|active|private|mappedtodisk)
raw: 800000000002203e ffffea0007773408 ffffea0007a38648 ffff8881f45e5268
raw: 0000000000000008 ffff8881e0072e70 00000002ffffffff ffff8881f5cac000
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8881f5cac000
Memory state around the buggy address:
ffff8881e9deff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881e9df0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881e9df0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff8881e9df0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881e9df0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 543ec454 Merge 5.4.107 into android12-5.4
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15373026d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c34b9a3c528ee57b
dashboard link: https://syzkaller.appspot.com/bug?extid=7e8d321460434dffad35
compiler: Debian clang version 11.0.1-2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15449906d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1189133ad00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e8d32...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1bc7/0x3c50 fs/ext4/xattr.c:1726
Read of size 18446744073709551600 at addr ffff8881e9df00d4 by task syz-executor357/343
CPU: 1 PID: 343 Comm: syz-executor357 Not tainted 5.4.107-syzkaller-00750-g543ec4541c0e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x24e lib/dump_stack.c:118
print_address_description+0x9b/0x650 mm/kasan/report.c:384
__kasan_report+0x182/0x260 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:141 [inline]
check_memory_region+0x2a5/0x2e0 mm/kasan/generic.c:191
memmove+0x25/0x50 mm/kasan/common.c:114
ext4_xattr_set_entry+0x1bc7/0x3c50 fs/ext4/xattr.c:1726
ext4_xattr_ibody_inline_set+0x74/0x280 fs/ext4/xattr.c:2215
ext4_destroy_inline_data_nolock+0x1c9/0x5e0 fs/ext4/inline.c:435
ext4_convert_inline_data_nolock+0x434/0x1640 fs/ext4/inline.c:1218
ext4_convert_inline_data+0x33c/0x430 fs/ext4/inline.c:2043
ext4_fallocate+0xdf/0x800 fs/ext4/extents.c:4898
vfs_fallocate+0x564/0x840 fs/open.c:309
ksys_fallocate fs/open.c:332 [inline]
__do_sys_fallocate fs/open.c:340 [inline]
__se_sys_fallocate fs/open.c:338 [inline]
__x64_sys_fallocate+0xb9/0x100 fs/open.c:338
do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44a3c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e5e560208 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00000000004cc4e8 RCX: 000000000044a3c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00000000004cc4e0 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000bb89 R11: 0000000000000246 R12: 00000000004cc4ec
R13: 00007ffdfbb28fef R14: 00007f4e5e560300 R15: 0000000000022000
The buggy address belongs to the page:
page:ffffea0007a77c00 refcount:2 mapcount:0 mapping:ffff8881f45e5268 index:0x8
def_blk_aops
flags: 0x800000000002203e(referenced|uptodate|dirty|lru|active|private|mappedtodisk)
raw: 800000000002203e ffffea0007773408 ffffea0007a38648 ffff8881f45e5268
raw: 0000000000000008 ffff8881e0072e70 00000002ffffffff ffff8881f5cac000
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8881f5cac000
Memory state around the buggy address:
ffff8881e9deff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881e9df0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881e9df0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff8881e9df0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881e9df0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Aug 23, 2023, 5:06:36 AM8/23/23
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages