KASAN: use-after-free Read in ext4_xattr_set_entry (2)
24 views
Skip to first unread message
syzbot
Jun 11, 2020, 8:57:17 AM6/11/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 3fc89857 Linux 4.19.128
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16e43729100000
kernel config: https://syzkaller.appspot.com/x/.config?x=6c6e6bf14f2aabf
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0fe95...@syzkaller.appspotmail.com
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in memmove include/linux/string.h:363 [inline]
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0xb17/0x3340 fs/ext4/xattr.c:1738
Read of size 4 at addr ffff88804570cffe by task syz-fuzzer/6449
CPU: 0 PID: 6449 Comm: syz-fuzzer Not tainted 4.19.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x222 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memmove+0x20/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:363 [inline]
ext4_xattr_set_entry+0xb17/0x3340 fs/ext4/xattr.c:1738
ext4_xattr_ibody_set+0x81/0x2a0 fs/ext4/xattr.c:2240
ext4_xattr_set_handle+0x5d2/0x1010 fs/ext4/xattr.c:2396
ext4_initxattrs+0xb5/0x120 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:498 [inline]
security_inode_init_security+0x294/0x370 security/security.c:471
__ext4_new_inode+0x3ec5/0x5af0 fs/ext4/ialloc.c:1165
ext4_mkdir+0x396/0xd90 fs/ext4/namei.c:2656
vfs_mkdir+0x423/0x6a0 fs/namei.c:3819
do_mkdirat+0x21e/0x280 fs/namei.c:3842
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4b3cdb
Code: ff e9 69 ff ff ff cc cc cc cc cc cc cc cc cc e8 bb a1 f8 ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c019a42958 EFLAGS: 00000216 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 000000c00002c000 RCX: 00000000004b3cdb
RDX: 00000000000001c0 RSI: 000000c0116b20c0 RDI: ffffffffffffff9c
RBP: 000000c019a429b0 R08: 000000000086f901 R09: 0000000000000001
R10: 000000c0116b20c0 R11: 0000000000000216 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000006 R15: 0000000000000100
The buggy address belongs to the page:
page:ffffea000115c300 count:2 mapcount:0 mapping:ffff888219f17b20 index:0x408
flags: 0xfffe0000001074(referenced|dirty|lru|active|private)
raw: 00fffe0000001074 ffffea000115d3c8 ffffea000106d988 ffff888219f17b20
raw: 0000000000000408 ffff8880430cfd20 00000002ffffffff ffff88821b6eeb00
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b6eeb00
Memory state around the buggy address:
ffff88804570cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804570cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804570d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88804570d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88804570d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 3fc89857 Linux 4.19.128
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16e43729100000
kernel config: https://syzkaller.appspot.com/x/.config?x=6c6e6bf14f2aabf
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0fe95...@syzkaller.appspotmail.com
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in memmove include/linux/string.h:363 [inline]
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0xb17/0x3340 fs/ext4/xattr.c:1738
Read of size 4 at addr ffff88804570cffe by task syz-fuzzer/6449
CPU: 0 PID: 6449 Comm: syz-fuzzer Not tainted 4.19.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x222 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memmove+0x20/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:363 [inline]
ext4_xattr_set_entry+0xb17/0x3340 fs/ext4/xattr.c:1738
ext4_xattr_ibody_set+0x81/0x2a0 fs/ext4/xattr.c:2240
ext4_xattr_set_handle+0x5d2/0x1010 fs/ext4/xattr.c:2396
ext4_initxattrs+0xb5/0x120 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:498 [inline]
security_inode_init_security+0x294/0x370 security/security.c:471
__ext4_new_inode+0x3ec5/0x5af0 fs/ext4/ialloc.c:1165
ext4_mkdir+0x396/0xd90 fs/ext4/namei.c:2656
vfs_mkdir+0x423/0x6a0 fs/namei.c:3819
do_mkdirat+0x21e/0x280 fs/namei.c:3842
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4b3cdb
Code: ff e9 69 ff ff ff cc cc cc cc cc cc cc cc cc e8 bb a1 f8 ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c019a42958 EFLAGS: 00000216 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 000000c00002c000 RCX: 00000000004b3cdb
RDX: 00000000000001c0 RSI: 000000c0116b20c0 RDI: ffffffffffffff9c
RBP: 000000c019a429b0 R08: 000000000086f901 R09: 0000000000000001
R10: 000000c0116b20c0 R11: 0000000000000216 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000006 R15: 0000000000000100
The buggy address belongs to the page:
page:ffffea000115c300 count:2 mapcount:0 mapping:ffff888219f17b20 index:0x408
flags: 0xfffe0000001074(referenced|dirty|lru|active|private)
raw: 00fffe0000001074 ffffea000115d3c8 ffffea000106d988 ffff888219f17b20
raw: 0000000000000408 ffff8880430cfd20 00000002ffffffff ffff88821b6eeb00
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b6eeb00
Memory state around the buggy address:
ffff88804570cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804570cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804570d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88804570d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88804570d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Nov 6, 2020, 6:20:16 PM11/6/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: b94de4d1 Linux 4.19.155
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fa3034500000
kernel config: https://syzkaller.appspot.com/x/.config?x=252047157acf1cb1
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144add46500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cdfb32500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b0fe95...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3244/0x3690 fs/ext4/xattr.c:1604
Read of size 4 at addr ffff88808c7bb004 by task syz-executor444/11523
CPU: 1 PID: 11523 Comm: syz-executor444 Not tainted 4.19.155-syzkaller #0
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
ext4_xattr_set_entry+0x3244/0x3690 fs/ext4/xattr.c:1604
ext4_xattr_ibody_set+0x81/0x2a0 fs/ext4/xattr.c:2243
ext4_xattr_set_handle+0x5ad/0xfa0 fs/ext4/xattr.c:2399
ext4_xattr_set+0x135/0x2a0 fs/ext4/xattr.c:2511
__vfs_setxattr+0x10e/0x170 fs/xattr.c:149
__vfs_setxattr_noperm+0x11a/0x420 fs/xattr.c:180
__vfs_setxattr_locked+0x176/0x250 fs/xattr.c:238
vfs_setxattr+0xe5/0x270 fs/xattr.c:255
setxattr+0x23d/0x330 fs/xattr.c:520
path_setxattr+0x170/0x190 fs/xattr.c:539
__do_sys_setxattr fs/xattr.c:554 [inline]
__se_sys_setxattr fs/xattr.c:550 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:550
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445669
Code: e8 7c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdc22f8938 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 0000000000445669
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 0000000001a18c30 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000001ee
R13: 00007ffdc22f89b0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000231eec0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea00023a3208 ffffea00022edcc8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
ffff88808c7baf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808c7bb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808c7bb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808c7bb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
HEAD commit: b94de4d1 Linux 4.19.155
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fa3034500000
kernel config: https://syzkaller.appspot.com/x/.config?x=252047157acf1cb1
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144add46500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cdfb32500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b0fe95...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3244/0x3690 fs/ext4/xattr.c:1604
Read of size 4 at addr ffff88808c7bb004 by task syz-executor444/11523
CPU: 1 PID: 11523 Comm: syz-executor444 Not tainted 4.19.155-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
ext4_xattr_set_entry+0x3244/0x3690 fs/ext4/xattr.c:1604
ext4_xattr_ibody_set+0x81/0x2a0 fs/ext4/xattr.c:2243
ext4_xattr_set_handle+0x5ad/0xfa0 fs/ext4/xattr.c:2399
ext4_xattr_set+0x135/0x2a0 fs/ext4/xattr.c:2511
__vfs_setxattr+0x10e/0x170 fs/xattr.c:149
__vfs_setxattr_noperm+0x11a/0x420 fs/xattr.c:180
__vfs_setxattr_locked+0x176/0x250 fs/xattr.c:238
vfs_setxattr+0xe5/0x270 fs/xattr.c:255
setxattr+0x23d/0x330 fs/xattr.c:520
path_setxattr+0x170/0x190 fs/xattr.c:539
__do_sys_setxattr fs/xattr.c:554 [inline]
__se_sys_setxattr fs/xattr.c:550 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:550
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445669
Code: e8 7c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdc22f8938 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 0000000000445669
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 0000000001a18c30 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000001ee
R13: 00007ffdc22f89b0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea00023a3208 ffffea00022edcc8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808c7baf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808c7baf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808c7bb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808c7bb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808c7bb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syzbot
Oct 12, 2021, 5:56:12 PM10/12/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit c481607ba522e31e6ed01efefc19cc1d0e0a46fa
Author: Theodore Ts'o <ty...@mit.edu>
Date: Sat Aug 21 03:44:17 2021 +0000
ext4: fix race writing to an inline_data file while its xattrs are changing
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=123ce5bf300000
start commit: 830a059cbba6 Linux 4.19.186
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=7415cc95f9edb7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112d4046d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=106b7f36d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ext4: fix race writing to an inline_data file while its xattrs are changing
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit c481607ba522e31e6ed01efefc19cc1d0e0a46fa
Author: Theodore Ts'o <ty...@mit.edu>
Date: Sat Aug 21 03:44:17 2021 +0000
ext4: fix race writing to an inline_data file while its xattrs are changing
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=123ce5bf300000
start commit: 830a059cbba6 Linux 4.19.186
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=7415cc95f9edb7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=b0fe9558904a8bb778ac
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112d4046d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=106b7f36d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ext4: fix race writing to an inline_data file while its xattrs are changing
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages