[Android 5.15] KASAN: use-after-free Read in ext4_convert_inline_data_nolock
0 views
Skip to first unread message
syzbot
May 28, 2024, 10:55:28 PMMay 28
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 424f92bcbe8f Merge branch 'android13-5.15' into branch 'an..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=169a571a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4bd6534b2e0a6561
dashboard link: https://syzkaller.appspot.com/bug?extid=397f67bde5bd3d596c12
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f71f1a980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13659734980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6f32113ae406/disk-424f92bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e5c859ca07ad/vmlinux-424f92bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c7430ddb9727/bzImage-424f92bc.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/671137a20c78/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/d52edd871af1/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+397f67...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:210 [inline]
BUG: KASAN: use-after-free in ext4_convert_inline_data_nolock+0x319/0xda0 fs/ext4/inline.c:1237
Read of size 68 at addr ffff88811eaa80cf by task syz-executor291/308
CPU: 1 PID: 308 Comm: syz-executor291 Not tainted 5.15.149-syzkaller-00055-g424f92bcbe8f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
memcpy+0x2d/0x70 mm/kasan/shadow.c:65
ext4_read_inline_data fs/ext4/inline.c:210 [inline]
ext4_convert_inline_data_nolock+0x319/0xda0 fs/ext4/inline.c:1237
ext4_try_add_inline_entry+0x7ff/0xb60 fs/ext4/inline.c:1363
ext4_add_entry+0x6c2/0x12b0 fs/ext4/namei.c:2409
ext4_mkdir+0x54f/0xce0 fs/ext4/namei.c:3032
vfs_mkdir+0x3f6/0x610 fs/namei.c:4065
do_mkdirat+0x1eb/0x450 fs/namei.c:4090
__do_sys_mkdir fs/namei.c:4110 [inline]
__se_sys_mkdir fs/namei.c:4108 [inline]
__x64_sys_mkdir+0x6e/0x80 fs/namei.c:4108
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f36d6360587
Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc5753448 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f36d6360587
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 0000000020000580
RBP: 0000000020000580 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000f4240 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcc57534e0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the page:
page:ffffea00047aaa00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11eaa8
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea00047ab748 ffffea0004474f08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 327, ts 35498273299, free_ts 35506324883
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
__alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
__alloc_pages_node include/linux/gfp.h:591 [inline]
alloc_pages_node include/linux/gfp.h:605 [inline]
alloc_pages include/linux/gfp.h:618 [inline]
do_anonymous_page mm/memory.c:4032 [inline]
handle_pte_fault+0xea0/0x24d0 mm/memory.c:4869
do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
handle_mm_fault include/linux/mm.h:1836 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
handle_page_fault arch/x86/mm/fault.c:1549 [inline]
exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1471 [inline]
free_pcp_prepare mm/page_alloc.c:1543 [inline]
free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
release_pages+0x1310/0x1370 mm/swap.c:1009
free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2691
__do_munmap+0x1421/0x1a90 mm/mmap.c:2925
__vm_munmap+0x166/0x2a0 mm/mmap.c:2948
__do_sys_munmap mm/mmap.c:2974 [inline]
__se_sys_munmap mm/mmap.c:2970 [inline]
__x64_sys_munmap+0x6b/0x80 mm/mmap.c:2970
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88811eaa7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811eaa8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811eaa8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88811eaa8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811eaa8180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop3): ext4_check_all_de:656: inode #12: block 5: comm syz-executor291: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, size=124 fake=0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 424f92bcbe8f Merge branch 'android13-5.15' into branch 'an..
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=169a571a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4bd6534b2e0a6561
dashboard link: https://syzkaller.appspot.com/bug?extid=397f67bde5bd3d596c12
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f71f1a980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13659734980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6f32113ae406/disk-424f92bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e5c859ca07ad/vmlinux-424f92bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c7430ddb9727/bzImage-424f92bc.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/671137a20c78/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/d52edd871af1/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+397f67...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:210 [inline]
BUG: KASAN: use-after-free in ext4_convert_inline_data_nolock+0x319/0xda0 fs/ext4/inline.c:1237
Read of size 68 at addr ffff88811eaa80cf by task syz-executor291/308
CPU: 1 PID: 308 Comm: syz-executor291 Not tainted 5.15.149-syzkaller-00055-g424f92bcbe8f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
memcpy+0x2d/0x70 mm/kasan/shadow.c:65
ext4_read_inline_data fs/ext4/inline.c:210 [inline]
ext4_convert_inline_data_nolock+0x319/0xda0 fs/ext4/inline.c:1237
ext4_try_add_inline_entry+0x7ff/0xb60 fs/ext4/inline.c:1363
ext4_add_entry+0x6c2/0x12b0 fs/ext4/namei.c:2409
ext4_mkdir+0x54f/0xce0 fs/ext4/namei.c:3032
vfs_mkdir+0x3f6/0x610 fs/namei.c:4065
do_mkdirat+0x1eb/0x450 fs/namei.c:4090
__do_sys_mkdir fs/namei.c:4110 [inline]
__se_sys_mkdir fs/namei.c:4108 [inline]
__x64_sys_mkdir+0x6e/0x80 fs/namei.c:4108
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f36d6360587
Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc5753448 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f36d6360587
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 0000000020000580
RBP: 0000000020000580 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000f4240 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcc57534e0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the page:
page:ffffea00047aaa00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11eaa8
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea00047ab748 ffffea0004474f08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 327, ts 35498273299, free_ts 35506324883
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
__alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
__alloc_pages_node include/linux/gfp.h:591 [inline]
alloc_pages_node include/linux/gfp.h:605 [inline]
alloc_pages include/linux/gfp.h:618 [inline]
do_anonymous_page mm/memory.c:4032 [inline]
handle_pte_fault+0xea0/0x24d0 mm/memory.c:4869
do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
handle_mm_fault include/linux/mm.h:1836 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
handle_page_fault arch/x86/mm/fault.c:1549 [inline]
exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1471 [inline]
free_pcp_prepare mm/page_alloc.c:1543 [inline]
free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
release_pages+0x1310/0x1370 mm/swap.c:1009
free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2691
__do_munmap+0x1421/0x1a90 mm/mmap.c:2925
__vm_munmap+0x166/0x2a0 mm/mmap.c:2948
__do_sys_munmap mm/mmap.c:2974 [inline]
__se_sys_munmap mm/mmap.c:2970 [inline]
__x64_sys_munmap+0x6b/0x80 mm/mmap.c:2970
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88811eaa7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811eaa8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811eaa8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88811eaa8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811eaa8180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop3): ext4_check_all_de:656: inode #12: block 5: comm syz-executor291: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, size=124 fake=0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages