KASAN: use-after-free Write in __ext4_expand_extra_isize
6 views
Skip to first unread message
syzbot
Jul 22, 2019, 10:57:06 PM7/22/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: ff33472c Linux 4.14.134
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11817264600000
kernel config: https://syzkaller.appspot.com/x/.config?x=3559c2b3fb5dd4b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ae92ca7e152af41e7cf9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae92ca...@syzkaller.appspotmail.com
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16531: comm
syz-executor.1: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16530: comm
syz-executor.1: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in memset /./include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x14f/0x220
/fs/ext4/inode.c:5739
Write of size 2015 at addr ffff88808100cba0 by task syz-executor.5/7684
CPU: 0 PID: 7684 Comm: syz-executor.5 Not tainted 4.14.134 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack /lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c /lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc /mm/kasan/report.c:252
kasan_report_error /mm/kasan/report.c:351 [inline]
kasan_report /mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af /mm/kasan/report.c:393
check_memory_region_inline /mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 /mm/kasan/kasan.c:267
memset+0x24/0x40 /mm/kasan/kasan.c:285
memset /./include/linux/string.h:332 [inline]
__ext4_expand_extra_isize+0x14f/0x220 /fs/ext4/inode.c:5739
ext4_try_to_expand_extra_isize /fs/ext4/inode.c:5791 [inline]
ext4_mark_inode_dirty+0x664/0x860 /fs/ext4/inode.c:5867
ext4_ext_truncate+0x96/0x1f0 /fs/ext4/extents.c:4653
ext4_truncate+0xbab/0x11f0 /fs/ext4/inode.c:4416
ext4_evict_inode+0x8be/0x15c0 /fs/ext4/inode.c:288
evict+0x2e6/0x630 /fs/inode.c:554
iput_final /fs/inode.c:1516 [inline]
iput /fs/inode.c:1543 [inline]
iput+0x471/0x900 /fs/inode.c:1528
dentry_unlink_inode+0x286/0x340 /fs/dcache.c:387
__dentry_kill+0x32e/0x580 /fs/dcache.c:591
dentry_kill /fs/dcache.c:632 [inline]
dput.part.0+0x4e3/0x750 /fs/dcache.c:847
dput+0x20/0x30 /fs/dcache.c:811
path_put+0x31/0x70 /fs/namei.c:501
free_fs_struct+0x25/0x70 /fs/fs_struct.c:90
exit_fs+0xe7/0x120 /fs/fs_struct.c:107
do_exit+0x7b9/0x2c10 /kernel/exit.c:870
do_group_exit+0x111/0x330 /kernel/exit.c:977
get_signal+0x381/0x1cd0 /kernel/signal.c:2409
do_signal+0x86/0x19a0 /arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x15c/0x220 /arch/x86/entry/common.c:160
prepare_exit_to_usermode /arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath /arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 /arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459829
RSP: 002b:00007f45aaa27cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bf28 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
R13: 00007ffdf05b432f R14: 00007f45aaa289c0 R15: 000000000075bf2c
The buggy address belongs to the page:
page:ffffea0002040300 count:2 mapcount:0 mapping:ffff888218421520
index:0x42b
flags: 0x1fffc0000001074(referenced|dirty|lru|active|private)
raw: 01fffc0000001074 ffff888218421520 000000000000042b 00000002ffffffff
raw: ffffea0001d8e920 ffffea000196f420 ffff888087702e70 ffff88821b7321c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b7321c0
Memory state around the buggy address:
ffff88808100cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808100cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88808100d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808100d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808100d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: ff33472c Linux 4.14.134
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11817264600000
kernel config: https://syzkaller.appspot.com/x/.config?x=3559c2b3fb5dd4b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ae92ca7e152af41e7cf9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae92ca...@syzkaller.appspotmail.com
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16531: comm
syz-executor.1: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16530: comm
syz-executor.1: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in memset /./include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x14f/0x220
/fs/ext4/inode.c:5739
Write of size 2015 at addr ffff88808100cba0 by task syz-executor.5/7684
CPU: 0 PID: 7684 Comm: syz-executor.5 Not tainted 4.14.134 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack /lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c /lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc /mm/kasan/report.c:252
kasan_report_error /mm/kasan/report.c:351 [inline]
kasan_report /mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af /mm/kasan/report.c:393
check_memory_region_inline /mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 /mm/kasan/kasan.c:267
memset+0x24/0x40 /mm/kasan/kasan.c:285
memset /./include/linux/string.h:332 [inline]
__ext4_expand_extra_isize+0x14f/0x220 /fs/ext4/inode.c:5739
ext4_try_to_expand_extra_isize /fs/ext4/inode.c:5791 [inline]
ext4_mark_inode_dirty+0x664/0x860 /fs/ext4/inode.c:5867
ext4_ext_truncate+0x96/0x1f0 /fs/ext4/extents.c:4653
ext4_truncate+0xbab/0x11f0 /fs/ext4/inode.c:4416
ext4_evict_inode+0x8be/0x15c0 /fs/ext4/inode.c:288
evict+0x2e6/0x630 /fs/inode.c:554
iput_final /fs/inode.c:1516 [inline]
iput /fs/inode.c:1543 [inline]
iput+0x471/0x900 /fs/inode.c:1528
dentry_unlink_inode+0x286/0x340 /fs/dcache.c:387
__dentry_kill+0x32e/0x580 /fs/dcache.c:591
dentry_kill /fs/dcache.c:632 [inline]
dput.part.0+0x4e3/0x750 /fs/dcache.c:847
dput+0x20/0x30 /fs/dcache.c:811
path_put+0x31/0x70 /fs/namei.c:501
free_fs_struct+0x25/0x70 /fs/fs_struct.c:90
exit_fs+0xe7/0x120 /fs/fs_struct.c:107
do_exit+0x7b9/0x2c10 /kernel/exit.c:870
do_group_exit+0x111/0x330 /kernel/exit.c:977
get_signal+0x381/0x1cd0 /kernel/signal.c:2409
do_signal+0x86/0x19a0 /arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x15c/0x220 /arch/x86/entry/common.c:160
prepare_exit_to_usermode /arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath /arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 /arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459829
RSP: 002b:00007f45aaa27cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bf28 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
R13: 00007ffdf05b432f R14: 00007f45aaa289c0 R15: 000000000075bf2c
The buggy address belongs to the page:
page:ffffea0002040300 count:2 mapcount:0 mapping:ffff888218421520
index:0x42b
flags: 0x1fffc0000001074(referenced|dirty|lru|active|private)
raw: 01fffc0000001074 ffff888218421520 000000000000042b 00000002ffffffff
raw: ffffea0001d8e920 ffffea000196f420 ffff888087702e70 ffff88821b7321c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b7321c0
Memory state around the buggy address:
ffff88808100cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808100cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88808100d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808100d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808100d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 10, 2020, 10:13:10 AM3/10/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages