[Android 5.10] general protection fault in ext4_xattr_set_entry (5)


syzbot

Jun 8, 2023, 5:27:54 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 43c801dc3325 Revert "ASoC: hdac_hdmi: use set_stream() ins..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=160647b5280000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c298cd1af0b8136
dashboard link: https://syzkaller.appspot.com/bug?extid=036561ce64947eedccbf
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=106ec643280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1127d11d280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/df726002fbe5/disk-43c801dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2b767931d62c/vmlinux-43c801dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9048fda500c7/bzImage-43c801dc.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/acd0ddcc85bd/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+036561...@syzkaller.appspotmail.com

EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 285 Comm: syz-executor491 Not tainted 5.10.178-syzkaller-00127-g43c801dc3325 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:ext4_xattr_set_entry+0x498/0x3960 fs/ext4/xattr.c:1616
Code: 24 78 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 38 00 74 08 48 89 df e8 12 b3 ba ff 4c 8b 23 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 d1 2e 00 00 4c 89 e8 48 2b 44 24 20 48
RSP: 0018:ffffc90000ae6f20 EFLAGS: 00010246

RAX: 0000000000000000 RBX: ffffc90000ae7320 RCX: ffff88811eb862c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc90000ae71c0 R08: ffffffff81eccc44 R09: ffffed10220b7536
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 000000000000001c R15: dffffc0000000000
FS: 00005555558ca300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b87bbcf588 CR3: 000000011ea44000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_xattr_ibody_set+0x7c/0x2b0 fs/ext4/xattr.c:2253
ext4_xattr_set_handle+0xc26/0x14e0 fs/ext4/xattr.c:2410
ext4_initxattrs+0xa7/0x120 fs/ext4/xattr_security.c:43
security_inode_init_security+0x252/0x390 security/security.c:1033
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3159/0x3f70 fs/ext4/ialloc.c:1319
ext4_create+0x267/0x530 fs/ext4/namei.c:2770
lookup_open fs/namei.c:3253 [inline]
open_last_lookups fs/namei.c:3323 [inline]
path_openat+0x1377/0x3000 fs/namei.c:3512
do_filp_open+0x21c/0x460 fs/namei.c:3542
do_sys_openat2+0x13f/0x6e0 fs/open.c:1217
do_sys_open fs/open.c:1233 [inline]
__do_sys_creat fs/open.c:1307 [inline]
__se_sys_creat fs/open.c:1301 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1301
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f0466c8b799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffddacd2a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 33921e5989711fe9 RCX: 00007f0466c8b799
RDX: 00007f0466c49e13 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f0466c4b030 R08: 0000000000000486 R09: 0000000000000000
R10: 00007ffddacd2920 R11: 0000000000000246 R12: 00007f0466c4b0c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace ca57c76f9facbc9e ]---
RIP: 0010:ext4_xattr_set_entry+0x498/0x3960 fs/ext4/xattr.c:1616
Code: 24 78 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 38 00 74 08 48 89 df e8 12 b3 ba ff 4c 8b 23 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 d1 2e 00 00 4c 89 e8 48 2b 44 24 20 48
RSP: 0018:ffffc90000ae6f20 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ae7320 RCX: ffff88811eb862c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
RBP: ffffc90000ae71c0 R08: ffffffff81eccc44 R09: ffffed10220b7536
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 000000000000001c R15: dffffc0000000000
FS: 00005555558ca300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b87bbcf588 CR3: 000000011ea44000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 24 78 and $0x78,%al
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 48 89 84 24 28 01 00 mov %rax,0x128(%rsp)
10: 00
11: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
16: 74 08 je 0x20
18: 48 89 df mov %rbx,%rdi
1b: e8 12 b3 ba ff callq 0xffbab332
20: 4c 8b 23 mov (%rbx),%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 d1 2e 00 00 jne 0x2f08
37: 4c 89 e8 mov %r13,%rax
3a: 48 2b 44 24 20 sub 0x20(%rsp),%rax
3f: 48 rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
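How to read the two fault lines at the top of the report above. This is an added example, not part of the syzbot report or of the kernel source: it models the generic-KASAN shadow mapping on x86_64 (KASAN_SHADOW_OFFSET = 0xdffffc0000000000, one shadow byte per 8 bytes) and the 48-bit canonical-address rule. The register dump shows RAX = 0 (the NULL pointer shifted right by 3) and R15 = 0xdffffc0000000000 (the shadow offset), and the trapping instruction `movzbl (%rax,%r15,1),%eax` is the instrumented shadow load; its address is non-canonical, so the CPU raises #GP rather than a page fault, and mapping the address back gives the `[0x0-0x7]` range printed on the KASAN line. The function names, the enum and the sample pointer values are this example's own.

```c
/* Added example: decode a KASAN shadow fault address on x86_64.
 * Not from the syzbot report or the kernel; constants are the x86_64
 * values for generic KASAN with 4-level paging. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE) /* x86_64 user limit */

enum kasan_fault_kind {
    KASAN_NULL_PTR_DEREF,      /* original address lies in the first page */
    KASAN_USER_MEMORY_ACCESS,  /* original address lies in user space */
    KASAN_WILD_MEMORY_ACCESS,  /* anything else */
};

/* Shadow byte for an address, as the instrumented load computes it:
 * (addr >> 3) + KASAN_SHADOW_OFFSET. For addr == 0 this is exactly
 * the 0xdffffc0000000000 printed in the #GP line. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first of the 8 bytes a shadow byte describes. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Last byte of that granule: the upper bound of the "in range [..]" line. */
uint64_t kasan_shadow_to_mem_end(uint64_t shadow)
{
    return kasan_shadow_to_mem(shadow) + KASAN_GRANULE_SIZE - 1;
}

/* 48-bit virtual addresses: bits 63..47 must be all 0 or all 1.
 * A non-canonical memory operand raises #GP, not #PF, which is why
 * the report says "general protection fault" and not "BUG: unable to
 * handle page fault". */
bool x86_64_is_canonical(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1ffff;
}

/* Classify a faulting shadow address by the original address it covers. */
enum kasan_fault_kind kasan_classify_shadow_fault(uint64_t shadow)
{
    uint64_t orig = kasan_shadow_to_mem(shadow);
    if (orig < PAGE_SIZE)
        return KASAN_NULL_PTR_DEREF;
    if (orig < TASK_SIZE_MAX)
        return KASAN_USER_MEMORY_ACCESS;
    return KASAN_WILD_MEMORY_ACCESS;
}

int main(void)
{
    /* The address from the report's "general protection fault" line. */
    uint64_t fault = 0xdffffc0000000000ULL;
    static const char *names[] = { "null-ptr-deref", "user-memory-access",
                                   "maybe wild-memory-access" };

    printf("shadow 0x%016llx canonical=%d -> %s in range [0x%016llx-0x%016llx]\n",
           (unsigned long long)fault, x86_64_is_canonical(fault),
           names[kasan_classify_shadow_fault(fault)],
           (unsigned long long)kasan_shadow_to_mem(fault),
           (unsigned long long)kasan_shadow_to_mem_end(fault));

    /* Constructed kernel pointer: its shadow lands in the canonical
     * 0xffffed... region, the same region seen in R09 of the dump. */
    uint64_t kptr = 0xffff888100000000ULL;
    printf("mem 0x%016llx -> shadow 0x%016llx\n",
           (unsigned long long)kptr,
           (unsigned long long)kasan_mem_to_shadow(kptr));
    return 0;
}
```

The same arithmetic explains why R09 in the dump (ffffed10220b7536) is a shadow address for a valid heap pointer while R15 + RAX is not: only addresses that are themselves in the kernel half map to canonical shadow, so any NULL or user-space dereference under KASAN shows up as a #GP on a 0xdffffc... address rather than a page fault on the original pointer.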

syzbot

Jun 8, 2023, 1:25:24 PM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit bb8592efcf8ef2f62947745d3182ea05b5256a15
Author: Baokun Li <liba...@huawei.com>
Date: Thu Jun 16 02:13:56 2022 +0000

ext4: fix use-after-free in ext4_xattr_set_entry

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17009af1280000
start commit: 43c801dc3325 Revert "ASoC: hdac_hdmi: use set_stream() ins..
git tree: android13-5.10-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=14809af1280000
console output: https://syzkaller.appspot.com/x/log.txt?x=10809af1280000
Reported-by: syzbot+036561...@syzkaller.appspotmail.com
Fixes: bb8592efcf8e ("ext4: fix use-after-free in ext4_xattr_set_entry")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Tudor Ambarus

Jun 12, 2023, 11:05:21 AM
to syzbot+036561...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones
The queue of fixes, from bottom to top, that fix this bug is:
ext4: fix use-after-free in ext4_xattr_set_entry
ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
Revert "ext4: fix use-after-free in ext4_xattr_set_entry"

Since we can't yet specify prerequisite commits to syzbot, specify
just the last commit that fixes the bug, even though without its
prerequisites the bug is still there, as the callers of the
duplicated method are not fixed.

#syz fix: ext4: fix use-after-free in ext4_xattr_set_entry