KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
10 views
Skip to first unread message
syzbot
Apr 8, 2020, 2:25:16 PM4/8/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1717e657e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=e1f6e4304964f5d37eb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e1f6e4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff8880a4848003 by task syz-executor.5/22211
CPU: 1 PID: 22211 Comm: syz-executor.5 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007ff3dd003c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ff3dd0046d4 RCX: 000000000045c889
RDX: 00000000c0000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f0 R14: 00000000004c3798 R15: 000000000076bf0c
Allocated by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2386
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a4848d40
which belongs to the cache names_cache of size 4096
The buggy address is located 3389 bytes to the left of
4096-byte region [ffff8880a4848d40, ffff8880a4849d40)
The buggy address belongs to the page:
page:ffffea0002921200 count:1 mapcount:0 mapping:ffff8880a4848d40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a4848d40 0000000000000000 0000000100000001
raw: ffffea000285e1a0 ffffea000134c420 ffff8880aa586e40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4847f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a4847f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a4848000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a4848080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a4848100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1717e657e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=e1f6e4304964f5d37eb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e1f6e4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff8880a4848003 by task syz-executor.5/22211
CPU: 1 PID: 22211 Comm: syz-executor.5 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007ff3dd003c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ff3dd0046d4 RCX: 000000000045c889
RDX: 00000000c0000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f0 R14: 00000000004c3798 R15: 000000000076bf0c
Allocated by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2386
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a4848d40
which belongs to the cache names_cache of size 4096
The buggy address is located 3389 bytes to the left of
4096-byte region [ffff8880a4848d40, ffff8880a4849d40)
The buggy address belongs to the page:
page:ffffea0002921200 count:1 mapcount:0 mapping:ffff8880a4848d40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a4848d40 0000000000000000 0000000100000001
raw: ffffea000285e1a0 ffffea000134c420 ffff8880aa586e40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4847f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a4847f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a4848000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a4848080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a4848100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 8, 2020, 2:41:15 PM4/8/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1473fd8fe00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161e6e57e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e1f6e4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff88808ad82003 by task syz-executor689/6335
CPU: 0 PID: 6335 Comm: syz-executor689 Not tainted 4.14.175-syzkaller #0
RSP: 002b:00007fff8440f568 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fff8440f570 RCX: 00000000004402d9
RDX: 00000000c0000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fff8440f570 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b60
R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1:
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 1:
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88808ad82080
4096-byte region [ffff88808ad82080, ffff88808ad83080)
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808ad82080 0000000000000000 0000000100000001
raw: ffffea0002a4f7a0 ffffea0002a31120 ffff8880aa586e40 0000000000000000
ffff88808ad81f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808ad82000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88808ad82080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808ad82100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=e1f6e4304964f5d37eb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e5470be00000
dashboard link: https://syzkaller.appspot.com/bug?extid=e1f6e4304964f5d37eb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161e6e57e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e1f6e4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
CPU: 0 PID: 6335 Comm: syz-executor689 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4402d9
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RSP: 002b:00007fff8440f568 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fff8440f570 RCX: 00000000004402d9
RDX: 00000000c0000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fff8440f570 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401b60
R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 1:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2386
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2386
user_path_at include/linux/namei.h:57 [inline]
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat+0x83/0xe0 fs/stat.c:350
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88808ad82080
which belongs to the cache names_cache of size 4096
The buggy address is located 125 bytes to the left of
4096-byte region [ffff88808ad82080, ffff88808ad83080)
The buggy address belongs to the page:
page:ffffea00022b6080 count:1 mapcount:0 mapping:ffff88808ad82080 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808ad82080 0000000000000000 0000000100000001
raw: ffffea0002a4f7a0 ffffea0002a31120 ffff8880aa586e40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808ad81f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff88808ad81f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808ad82000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88808ad82080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808ad82100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reply all
Reply to author
Forward
0 new messages