KASAN: use-after-free Read in ext4_xattr_set_entry


syzbot

Apr 13, 2019, 8:02:20 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4ed22187 Revert "ANDROID: Revert "arm64: move ELF_ET_DYN_B..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=157e6e0b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7acec4778e485bac
dashboard link: https://syzkaller.appspot.com/bug?extid=14d28d8eae5ee1bd6f88
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+14d28d...@syzkaller.appspotmail.com

EXT4-fs error (device sda1): ext4_xattr_set_entry:1602: inode #16690: comm
syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1602: inode #16690: comm
syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1602: inode #16690: comm
syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1602: inode #16690: comm
syz-fuzzer: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x24c7/0x2e10
fs/ext4/xattr.c:1599
Read of size 4 at addr ffff88019ad5c083 by task syz-fuzzer/11081

CPU: 1 PID: 11081 Comm: syz-fuzzer Not tainted 4.14.78+ #26
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
ext4_xattr_set_entry+0x24c7/0x2e10 fs/ext4/xattr.c:1599
ext4_xattr_ibody_set+0x73/0x280 fs/ext4/xattr.c:2239
ext4_xattr_set_handle+0x6a6/0xd90 fs/ext4/xattr.c:2393
ext4_initxattrs+0xb8/0x110 fs/ext4/xattr_security.c:43
security_inode_init_security+0x228/0x310 security/security.c:493
__ext4_new_inode+0x3473/0x48e0 fs/ext4/ialloc.c:1166
ext4_mkdir+0x234/0xb40 fs/ext4/namei.c:2624
vfs_mkdir2+0x3cb/0x640 fs/namei.c:3836
SYSC_mkdirat fs/namei.c:3865 [inline]
SyS_mkdirat+0x126/0x220 fs/namei.c:3849
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x47fc44
RSP: 002b:000000c4240f9858 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047fc44
RDX: 00000000000001c0 RSI: 000000c4206e29c0 RDI: ffffffffffffff9c
RBP: 000000c4240f98b8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb29926a000
R13: 0000000000000020 R14: 0000000000000013 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00066b5700 count:0 mapcount:-127 mapping: (null)
index:0x1
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffff80
raw: ffffea0006b5a520 ffffea00066bf820 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88019ad5bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88019ad5c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88019ad5c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88019ad5c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88019ad5c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jun 25, 2019, 9:15:04 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.