[Android 6.1] KASAN: use-after-free Read in get_max_inline_xattr_value_size
3 views
Skip to first unread message
syzbot
Jul 15, 2023, 5:28:44 AM7/15/23
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: a24911abfd55 ANDROID: Update symbol for Exynos SoC
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1457f142a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b75c7b7ab5a09aff
dashboard link: https://syzkaller.appspot.com/bug?extid=4307d88364336839639e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15774f96a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10da132ea80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ebbd9c5d620c/disk-a24911ab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/91631c1e2a1a/vmlinux-a24911ab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ec5213f3f38d/bzImage-a24911ab.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/067fb9de89cf/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4307d8...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
EXT4-fs error (device loop0): ext4_xattr_ibody_get:619: inode #18: comm syz-executor289: corrupted in-inode xattr
==================================================================
BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
Read of size 4 at addr ffff888121308004 by task syz-executor289/312
CPU: 1 PID: 312 Comm: syz-executor289 Not tainted 6.1.25-syzkaller-00027-ga24911abfd55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:427
kasan_report+0x13c/0x170 mm/kasan/report.c:531
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
ext4_get_max_inline_size+0x13d/0x1f0 fs/ext4/inline.c:113
ext4_try_to_write_inline_data+0xd3/0x1420 fs/ext4/inline.c:663
ext4_write_begin+0x200/0xfb0 fs/ext4/inode.c:1179
ext4_da_write_begin+0x2ff/0x920 fs/ext4/inode.c:2987
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
ext4_buffered_write_iter+0x360/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x194/0x1cf0
call_write_iter include/linux/fs.h:2215 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8d1/0xe80 fs/read_write.c:584
ksys_write+0x199/0x2c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc74bc54329
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb248cf38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc74bc54329
RDX: 0000000000000001 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 431bde82d7b634db R15: 00007ffdb248cfa0
</TASK>
The buggy address belongs to the physical page:
page:ffffea000484c200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x121308
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000484c248 ffffea000484c948 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 306, tgid 306 (syz-executor289), ts 24774942178, free_ts 24859714760
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2581
prep_new_page mm/page_alloc.c:2588 [inline]
get_page_from_freelist+0x276c/0x2850 mm/page_alloc.c:4385
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5662
__folio_alloc+0x15/0x40 mm/page_alloc.c:5694
__folio_alloc_node include/linux/gfp.h:245 [inline]
folio_alloc include/linux/gfp.h:274 [inline]
shmem_alloc_folio mm/shmem.c:1578 [inline]
shmem_alloc_and_acct_folio+0x78c/0xa50 mm/shmem.c:1603
shmem_get_folio_gfp+0x12d4/0x24b0 mm/shmem.c:1931
shmem_get_folio mm/shmem.c:2062 [inline]
shmem_write_begin+0x164/0x3a0 mm/shmem.c:2550
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
__generic_file_write_iter+0x174/0x3a0 mm/filemap.c:3893
generic_file_write_iter+0xb1/0x310 mm/filemap.c:3925
call_write_iter include/linux/fs.h:2215 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8d1/0xe80 fs/read_write.c:584
ksys_write+0x199/0x2c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1493 [inline]
free_pcp_prepare mm/page_alloc.c:1567 [inline]
free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3484
free_unref_page_list+0xf6/0x6c0 mm/page_alloc.c:3626
release_pages+0xf7f/0xfe0 mm/swap.c:1055
__pagevec_release+0x84/0x100 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x609/0x15b0 mm/shmem.c:949
shmem_truncate_range mm/shmem.c:1048 [inline]
shmem_evict_inode+0x25f/0xa30 mm/shmem.c:1157
evict+0x2a3/0x630 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x642/0x870 fs/inode.c:1773
dentry_unlink_inode+0x34f/0x440 fs/dcache.c:401
__dentry_kill+0x447/0x650 fs/dcache.c:607
dentry_kill+0xc0/0x2a0
dput+0x160/0x310 fs/dcache.c:913
__fput+0x5f0/0x870 fs/file_table.c:328
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
ptrace_notify+0x29e/0x350 kernel/signal.c:2357
Memory state around the buggy address:
ffff888121307f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888121307f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888121308000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888121308080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888121308100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:438: comm syz-executor289: Invalid block bitmap block 4294967295 in block_group 0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: a24911abfd55 ANDROID: Update symbol for Exynos SoC
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1457f142a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b75c7b7ab5a09aff
dashboard link: https://syzkaller.appspot.com/bug?extid=4307d88364336839639e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15774f96a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10da132ea80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ebbd9c5d620c/disk-a24911ab.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/91631c1e2a1a/vmlinux-a24911ab.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ec5213f3f38d/bzImage-a24911ab.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/067fb9de89cf/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4307d8...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
EXT4-fs error (device loop0): ext4_xattr_ibody_get:619: inode #18: comm syz-executor289: corrupted in-inode xattr
==================================================================
BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
Read of size 4 at addr ffff888121308004 by task syz-executor289/312
CPU: 1 PID: 312 Comm: syz-executor289 Not tainted 6.1.25-syzkaller-00027-ga24911abfd55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:427
kasan_report+0x13c/0x170 mm/kasan/report.c:531
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
ext4_get_max_inline_size+0x13d/0x1f0 fs/ext4/inline.c:113
ext4_try_to_write_inline_data+0xd3/0x1420 fs/ext4/inline.c:663
ext4_write_begin+0x200/0xfb0 fs/ext4/inode.c:1179
ext4_da_write_begin+0x2ff/0x920 fs/ext4/inode.c:2987
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
ext4_buffered_write_iter+0x360/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x194/0x1cf0
call_write_iter include/linux/fs.h:2215 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8d1/0xe80 fs/read_write.c:584
ksys_write+0x199/0x2c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc74bc54329
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb248cf38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc74bc54329
RDX: 0000000000000001 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 431bde82d7b634db R15: 00007ffdb248cfa0
</TASK>
The buggy address belongs to the physical page:
page:ffffea000484c200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x121308
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000484c248 ffffea000484c948 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 306, tgid 306 (syz-executor289), ts 24774942178, free_ts 24859714760
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2581
prep_new_page mm/page_alloc.c:2588 [inline]
get_page_from_freelist+0x276c/0x2850 mm/page_alloc.c:4385
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5662
__folio_alloc+0x15/0x40 mm/page_alloc.c:5694
__folio_alloc_node include/linux/gfp.h:245 [inline]
folio_alloc include/linux/gfp.h:274 [inline]
shmem_alloc_folio mm/shmem.c:1578 [inline]
shmem_alloc_and_acct_folio+0x78c/0xa50 mm/shmem.c:1603
shmem_get_folio_gfp+0x12d4/0x24b0 mm/shmem.c:1931
shmem_get_folio mm/shmem.c:2062 [inline]
shmem_write_begin+0x164/0x3a0 mm/shmem.c:2550
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
__generic_file_write_iter+0x174/0x3a0 mm/filemap.c:3893
generic_file_write_iter+0xb1/0x310 mm/filemap.c:3925
call_write_iter include/linux/fs.h:2215 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8d1/0xe80 fs/read_write.c:584
ksys_write+0x199/0x2c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1493 [inline]
free_pcp_prepare mm/page_alloc.c:1567 [inline]
free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3484
free_unref_page_list+0xf6/0x6c0 mm/page_alloc.c:3626
release_pages+0xf7f/0xfe0 mm/swap.c:1055
__pagevec_release+0x84/0x100 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x609/0x15b0 mm/shmem.c:949
shmem_truncate_range mm/shmem.c:1048 [inline]
shmem_evict_inode+0x25f/0xa30 mm/shmem.c:1157
evict+0x2a3/0x630 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x642/0x870 fs/inode.c:1773
dentry_unlink_inode+0x34f/0x440 fs/dcache.c:401
__dentry_kill+0x447/0x650 fs/dcache.c:607
dentry_kill+0xc0/0x2a0
dput+0x160/0x310 fs/dcache.c:913
__fput+0x5f0/0x870 fs/file_table.c:328
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
ptrace_notify+0x29e/0x350 kernel/signal.c:2357
Memory state around the buggy address:
ffff888121307f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888121307f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888121308000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888121308080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888121308100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:438: comm syz-executor289: Invalid block bitmap block 4294967295 in block_group 0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Nov 13, 2023, 5:51:09 AM11/13/23
to syzkaller-a...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f
Author: Theodore Ts'o <ty...@mit.edu>
Date: Fri May 12 19:11:02 2023 +0000
ext4: add bounds checking in get_max_inline_xattr_value_size()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=109e7420e80000
start commit: a24911abfd55 ANDROID: Update symbol for Exynos SoC
git tree: android14-6.1
#syz fix: ext4: add bounds checking in get_max_inline_xattr_value_size()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f
Author: Theodore Ts'o <ty...@mit.edu>
Date: Fri May 12 19:11:02 2023 +0000
ext4: add bounds checking in get_max_inline_xattr_value_size()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=109e7420e80000
start commit: a24911abfd55 ANDROID: Update symbol for Exynos SoC
git tree: android14-6.1
kernel config: https://syzkaller.appspot.com/x/.config?x=b75c7b7ab5a09aff
dashboard link: https://syzkaller.appspot.com/bug?extid=4307d88364336839639e
dashboard link: https://syzkaller.appspot.com/bug?extid=4307d88364336839639e
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15774f96a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10da132ea80000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10da132ea80000
#syz fix: ext4: add bounds checking in get_max_inline_xattr_value_size()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Jan 19, 2024, 9:48:12 AMJan 19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages