KASAN: use-after-free Read in dbAdjTree


syzbot

Oct 31, 2022, 10:16:51 AM10/31/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=157c42ea880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=53390df14fd653c557fd
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+53390d...@syzkaller.appspotmail.com

audit: type=1804 audit(1667225732.042:72): pid=16787 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir1393698535/syzkaller.NXb3r0/2393/file0/file3" dev="loop1" ino=5 res=1
vhci_hcd: release socket
vhci_hcd: vhci_device speed not set
==================================================================
BUG: KASAN: use-after-free in dbAdjTree+0x265/0x2c0 fs/jfs/jfs_dmap.c:2936
vhci_hcd: disconnect device
Read of size 1 at addr ffff88809d78d021 by task jfsCommit/1985

CPU: 0 PID: 1985 Comm: jfsCommit Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
dbAdjTree+0x265/0x2c0 fs/jfs/jfs_dmap.c:2936
dbJoin+0x1d0/0x220 fs/jfs/jfs_dmap.c:2877
dbFreeBits+0xf0/0x710 fs/jfs/jfs_dmap.c:2378
dbFreeDmap+0x61/0x1a0 fs/jfs/jfs_dmap.c:2127
dbFree+0x252/0x500 fs/jfs/jfs_dmap.c:385
txFreeMap+0x7a4/0xb20 fs/jfs/jfs_txnmgr.c:2579
txUpdateMap+0x369/0x1000 fs/jfs/jfs_txnmgr.c:2375
txLazyCommit fs/jfs/jfs_txnmgr.c:2709 [inline]
jfs_lazycommit+0x525/0x9d0 fs/jfs/jfs_txnmgr.c:2777
vhci_hcd: stop threads
vhci_hcd: release socket
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

vhci_hcd: disconnect device
The buggy address belongs to the page:
page:ffffea000275e340 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea00027b8388 ffffea000275ec08 0000000000000000
vhci_hcd: stop threads
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
vhci_hcd: release socket
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809d78cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809d78cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809d78d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88809d78d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88809d78d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
usb 13-1: new full-speed USB device number 2 using vhci_hcd
vhci_hcd: disconnect device


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 6, 2022, 1:59:44 PM11/6/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13ade4fa880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=53390df14fd653c557fd
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e84c99880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17446fb1880000
mounted in repro: https://storage.googleapis.com/syzbot-assets/eee787192d4b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+53390d...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
BUG: unable to handle kernel paging request at ffffed1018b41204
PGD 23fff3067 P4D 23fff3067 PUD 13fff8067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1984 Comm: jfsCommit Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:dbAdjTree+0x202/0x2c0 fs/jfs/jfs_dmap.c:2936
Code: 00 41 0f b6 55 01 44 38 f8 4c 63 eb 41 0f 4c c7 4a 8d 7c 2d 11 38 d0 48 89 f9 0f 4d d0 83 e1 07 41 89 d7 48 89 fa 48 c1 ea 03 <42> 0f b6 14 22 38 ca 7f 04 84 d2 75 51 42 0f b6 54 2d 11 44 89 fe
RSP: 0018:ffff8880b0b4f760 EFLAGS: 00010a02
RAX: 0000000000000004 RBX: 0000000015400000 RCX: 0000000000000001
RDX: 1ffff11018b41204 RSI: 0000000000000003 RDI: ffff8880c5a09021
RBP: ffff8880b0609010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000015400000 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1018b41204 CR3: 000000009c16c000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
dbJoin+0x1d0/0x220 fs/jfs/jfs_dmap.c:2877
dbFreeBits+0xf0/0x710 fs/jfs/jfs_dmap.c:2378
dbFreeDmap+0x61/0x1a0 fs/jfs/jfs_dmap.c:2127
dbFree+0x252/0x500 fs/jfs/jfs_dmap.c:385
txFreeMap+0x60e/0xb20 fs/jfs/jfs_txnmgr.c:2560
xtTruncate+0x1bea/0x25b0 fs/jfs/jfs_xtree.c:3441
jfs_free_zero_link+0x2ea/0x440 fs/jfs/namei.c:770
jfs_evict_inode+0x1d2/0x210 fs/jfs/inode.c:162
evict+0x2ed/0x760 fs/inode.c:559
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
txUpdateMap+0xd88/0x1000 fs/jfs/jfs_txnmgr.c:2412
txLazyCommit fs/jfs/jfs_txnmgr.c:2709 [inline]
jfs_lazycommit+0x525/0x9d0 fs/jfs/jfs_txnmgr.c:2777
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
CR2: ffffed1018b41204
---[ end trace 33de24460b35a9ee ]---
RIP: 0010:dbAdjTree+0x202/0x2c0 fs/jfs/jfs_dmap.c:2936
Code: 00 41 0f b6 55 01 44 38 f8 4c 63 eb 41 0f 4c c7 4a 8d 7c 2d 11 38 d0 48 89 f9 0f 4d d0 83 e1 07 41 89 d7 48 89 fa 48 c1 ea 03 <42> 0f b6 14 22 38 ca 7f 04 84 d2 75 51 42 0f b6 54 2d 11 44 89 fe
RSP: 0018:ffff8880b0b4f760 EFLAGS: 00010a02
RAX: 0000000000000004 RBX: 0000000015400000 RCX: 0000000000000001
RDX: 1ffff11018b41204 RSI: 0000000000000003 RDI: ffff8880c5a09021
RBP: ffff8880b0609010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000015400000 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1018b41204 CR3: 000000009c16c000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 41 0f add %al,0xf(%rcx)
3: b6 55 mov $0x55,%dh
5: 01 44 38 f8 add %eax,-0x8(%rax,%rdi,1)
9: 4c 63 eb movslq %ebx,%r13
c: 41 0f 4c c7 cmovl %r15d,%eax
10: 4a 8d 7c 2d 11 lea 0x11(%rbp,%r13,1),%rdi
15: 38 d0 cmp %dl,%al
17: 48 89 f9 mov %rdi,%rcx
1a: 0f 4d d0 cmovge %eax,%edx
1d: 83 e1 07 and $0x7,%ecx
20: 41 89 d7 mov %edx,%r15d
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 42 0f b6 14 22 movzbl (%rdx,%r12,1),%edx <-- trapping instruction
2f: 38 ca cmp %cl,%dl
31: 7f 04 jg 0x37
33: 84 d2 test %dl,%dl
35: 75 51 jne 0x88
37: 42 0f b6 54 2d 11 movzbl 0x11(%rbp,%r13,1),%edx
3d: 44 89 fe mov %r15d,%esi
