KASAN: use-after-free Read in ext4_xattr_set_entry (4)
44 views
Skip to first unread message
syzbot
Jan 30, 2021, 6:05:17 AM1/30/21
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,
syzbot found the following issue on:
HEAD commit: f8ad8187 fs/pipe: allow sendfile() to pipe again
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b8ad10d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=96b123631a6700e9
dashboard link: https://syzkaller.appspot.com/bug?extid=4cb1e27475bf90a9b926
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11131f94d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c3761b500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4cb1e2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
Read of size 4 at addr ffff888030c00004 by task syz-executor392/11280
CPU: 0 PID: 11280 Comm: syz-executor392 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
__vfs_setxattr+0x10e/0x170 fs/xattr.c:177
__vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208
__vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266
vfs_setxattr+0x135/0x320 fs/xattr.c:291
setxattr+0x1ff/0x290 fs/xattr.c:553
path_setxattr+0x170/0x190 fs/xattr.c:572
__do_sys_setxattr fs/xattr.c:587 [inline]
__se_sys_setxattr fs/xattr.c:583 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:583
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x445589
Code: e8 4c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffdf5f9b28 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 0000000000445589
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 0000000001a18c30 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000073d
R13: 00007fffdf5f9ba0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:00000000f7ed6945 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0x30c00
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0000c56508 ffffea0000c17d88 0000000000000000
raw: 0000000000000001 0000000000000001 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888030bfff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888030bfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888030c00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888030c00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888030c00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: f8ad8187 fs/pipe: allow sendfile() to pipe again
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b8ad10d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=96b123631a6700e9
dashboard link: https://syzkaller.appspot.com/bug?extid=4cb1e27475bf90a9b926
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11131f94d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c3761b500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4cb1e2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
Read of size 4 at addr ffff888030c00004 by task syz-executor392/11280
CPU: 0 PID: 11280 Comm: syz-executor392 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
__vfs_setxattr+0x10e/0x170 fs/xattr.c:177
__vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208
__vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266
vfs_setxattr+0x135/0x320 fs/xattr.c:291
setxattr+0x1ff/0x290 fs/xattr.c:553
path_setxattr+0x170/0x190 fs/xattr.c:572
__do_sys_setxattr fs/xattr.c:587 [inline]
__se_sys_setxattr fs/xattr.c:583 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:583
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x445589
Code: e8 4c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffdf5f9b28 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 0000000000445589
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 0000000001a18c30 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000073d
R13: 00007fffdf5f9ba0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:00000000f7ed6945 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0x30c00
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0000c56508 ffffea0000c17d88 0000000000000000
raw: 0000000000000001 0000000000000001 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888030bfff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888030bfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888030c00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888030c00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888030c00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Mar 23, 2022, 11:07:16 AM3/23/22
to adilger...@dilger.ca, cmai...@redhat.com, lcze...@redhat.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, s...@chobot.com, syzkall...@googlegroups.com, ty...@mit.edu, wanji...@vivo.com
syzbot suspects this issue was fixed by commit:
commit 6e47a3cc68fc525428297a00524833361ebbb0e9
Author: Lukas Czerner <lcze...@redhat.com>
Date: Wed Oct 27 14:18:52 2021 +0000
ext4: get rid of super block and sbi from handle_mount_ops()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=100bc10b700000
start commit: f8ad8187c3b5 fs/pipe: allow sendfile() to pipe again
git tree: upstream
#syz fix: ext4: get rid of super block and sbi from handle_mount_ops()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 6e47a3cc68fc525428297a00524833361ebbb0e9
Author: Lukas Czerner <lcze...@redhat.com>
Date: Wed Oct 27 14:18:52 2021 +0000
ext4: get rid of super block and sbi from handle_mount_ops()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=100bc10b700000
start commit: f8ad8187c3b5 fs/pipe: allow sendfile() to pipe again
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=96b123631a6700e9
dashboard link: https://syzkaller.appspot.com/bug?extid=4cb1e27475bf90a9b926
dashboard link: https://syzkaller.appspot.com/bug?extid=4cb1e27475bf90a9b926
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11131f94d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c3761b500000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c3761b500000
#syz fix: ext4: get rid of super block and sbi from handle_mount_ops()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Dmitry Vyukov
Mar 25, 2022, 2:19:00 AM3/25/22
to syzbot, adilger...@dilger.ca, cmai...@redhat.com, lcze...@redhat.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, s...@chobot.com, syzkall...@googlegroups.com, ty...@mit.edu, wanji...@vivo.com
Ritesh Harjani
Mar 29, 2022, 7:50:15 AM3/29/22
to Dmitry Vyukov, syzbot, adilger...@dilger.ca, cmai...@redhat.com, lcze...@redhat.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, s...@chobot.com, syzkall...@googlegroups.com, ty...@mit.edu, wanji...@vivo.com
But why do we think that this patch could fix the reported bug?
Because I see this patch from Lukas is a part of "ext4: new mount API
conversion" patch series. This I guess has nothing to do with the reported call
stack, no?
Or am I missing anything?
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
Read of size 4 at addr ffff888030c00004 by task syz-executor392/11280
CPU: 0 PID: 11280 Comm: syz-executor392 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
ext4_xattr_set_entry+0x3151/0x3780 fs/ext4/xattr.c:1586
ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
__vfs_setxattr+0x10e/0x170 fs/xattr.c:177
__vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208
__vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266
vfs_setxattr+0x135/0x320 fs/xattr.c:291
setxattr+0x1ff/0x290 fs/xattr.c:553
path_setxattr+0x170/0x190 fs/xattr.c:572
__do_sys_setxattr fs/xattr.c:587 [inline]
__se_sys_setxattr fs/xattr.c:583 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:583
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
Dmitry Vyukov
Mar 29, 2022, 8:01:37 AM3/29/22
to Ritesh Harjani, syzbot, adilger...@dilger.ca, cmai...@redhat.com, lcze...@redhat.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, s...@chobot.com, syzkall...@googlegroups.com, ty...@mit.edu, wanji...@vivo.com
It looked reasonable because the identified patch is in ext4 and the
bug is also in ext4 + the bisection log looked reasonable + there were
no other suggestions/corrections. In such a case it's better to close
the bug with at least some reasonable fix, then let it pile to
hundreds of other unclosed bugs and prevent reporting of new bugs.
Reply all
Reply to author
Forward
0 new messages