KASAN: use-after-free Write in udf_close_lvid
9 views
Skip to first unread message
syzbot
Dec 7, 2022, 4:30:48 PM12/7/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 179ef7fe8677 Linux 4.14.300
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10c75783880000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa85f51ec321d5a9
dashboard link: https://syzkaller.appspot.com/bug?extid=8f0b5d9c11b806b5ad2e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1624206d880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143ed9f5880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d311ef57b59a/disk-179ef7fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25bf5d729f69/vmlinux-179ef7fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db9b96571e69/bzImage-179ef7fe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/940a81d63768/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f0b5d...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
audit: type=1800 audit(1670448487.603:2): pid=7973 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor369" name="bus" dev="loop0" ino=1367 res=0
==================================================================
BUG: KASAN: use-after-free in udf_close_lvid.isra.0+0x5a1/0x630 fs/udf/super.c:2044
Write of size 1 at addr ffff8881ae741f08 by task syz-executor369/7973
CPU: 1 PID: 7973 Comm: syz-executor369 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_store1_noabort+0x68/0x70 mm/kasan/report.c:432
udf_close_lvid.isra.0+0x5a1/0x630 fs/udf/super.c:2044
udf_put_super+0x211/0x2a0 fs/udf/super.c:2354
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
SYSC_exit_group kernel/exit.c:976 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:974
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the page:
page:ffffea0006b9d040 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x57ff00000000000()
raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0006b9d060 ffffea0006b9d060 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881ae741e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881ae741e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881ae741f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881ae741f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881ae742000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 179ef7fe8677 Linux 4.14.300
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10c75783880000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa85f51ec321d5a9
dashboard link: https://syzkaller.appspot.com/bug?extid=8f0b5d9c11b806b5ad2e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1624206d880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143ed9f5880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d311ef57b59a/disk-179ef7fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25bf5d729f69/vmlinux-179ef7fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db9b96571e69/bzImage-179ef7fe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/940a81d63768/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f0b5d...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
audit: type=1800 audit(1670448487.603:2): pid=7973 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor369" name="bus" dev="loop0" ino=1367 res=0
==================================================================
BUG: KASAN: use-after-free in udf_close_lvid.isra.0+0x5a1/0x630 fs/udf/super.c:2044
Write of size 1 at addr ffff8881ae741f08 by task syz-executor369/7973
CPU: 1 PID: 7973 Comm: syz-executor369 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_store1_noabort+0x68/0x70 mm/kasan/report.c:432
udf_close_lvid.isra.0+0x5a1/0x630 fs/udf/super.c:2044
udf_put_super+0x211/0x2a0 fs/udf/super.c:2354
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
SYSC_exit_group kernel/exit.c:976 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:974
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the page:
page:ffffea0006b9d040 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x57ff00000000000()
raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0006b9d060 ffffea0006b9d060 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881ae741e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881ae741e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881ae741f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881ae741f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881ae742000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages