KASAN: slab-out-of-bounds Read in udf_get_fileident
7 views
Skip to first unread message
syzbot
Feb 6, 2022, 1:37:21 AM2/6/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10496008700000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=8212af8784ef05e7e829
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cbb908700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161f9b8fb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8212af...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
==================================================================
BUG: KASAN: slab-out-of-bounds in udf_get_fileident+0x233/0x250 fs/udf/directory.c:176
Read of size 2 at addr ffff8880977b9ffc by task syz-executor721/8110
CPU: 0 PID: 8110 Comm: syz-executor721 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
udf_get_fileident+0x233/0x250 fs/udf/directory.c:176
udf_fileident_read+0x550/0x1930 fs/udf/directory.c:37
udf_readdir+0x559/0x1350 fs/udf/dir.c:129
iterate_dir+0x473/0x5c0 fs/readdir.c:51
ksys_getdents64+0x175/0x2b0 fs/readdir.c:357
__do_sys_getdents64 fs/readdir.c:376 [inline]
__se_sys_getdents64 fs/readdir.c:373 [inline]
__x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:373
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f173bc1b219
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec75c0be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f173bc1b219
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f173bbd3000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f173bbd3090
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6152:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
shmem_alloc_inode+0x18/0x40 mm/shmem.c:3609
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo fs/inode.c:911 [inline]
new_inode+0x1d/0xf0 fs/inode.c:940
shmem_get_inode+0x96/0x8d0 mm/shmem.c:2196
shmem_mknod+0x5a/0x1f0 mm/shmem.c:2843
lookup_open+0x893/0x1a20 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x1094/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880977b9a60
which belongs to the cache shmem_inode_cache of size 1200
The buggy address is located 236 bytes to the right of
1200-byte region [ffff8880977b9a60, ffff8880977b9f10)
The buggy address belongs to the page:
page:ffffea00025dee40 count:1 mapcount:0 mapping:ffff8880b59c36c0 index:0xffff8880977b9ffd
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea000260f208 ffffea000262d5c8 ffff8880b59c36c0
raw: ffff8880977b9ffd ffff8880977b9000 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880977b9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880977b9f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880977b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880977ba000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880977ba080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10496008700000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=8212af8784ef05e7e829
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cbb908700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161f9b8fb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8212af...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
==================================================================
BUG: KASAN: slab-out-of-bounds in udf_get_fileident+0x233/0x250 fs/udf/directory.c:176
Read of size 2 at addr ffff8880977b9ffc by task syz-executor721/8110
CPU: 0 PID: 8110 Comm: syz-executor721 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
udf_get_fileident+0x233/0x250 fs/udf/directory.c:176
udf_fileident_read+0x550/0x1930 fs/udf/directory.c:37
udf_readdir+0x559/0x1350 fs/udf/dir.c:129
iterate_dir+0x473/0x5c0 fs/readdir.c:51
ksys_getdents64+0x175/0x2b0 fs/readdir.c:357
__do_sys_getdents64 fs/readdir.c:376 [inline]
__se_sys_getdents64 fs/readdir.c:373 [inline]
__x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:373
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f173bc1b219
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec75c0be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f173bc1b219
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f173bbd3000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f173bbd3090
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6152:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
shmem_alloc_inode+0x18/0x40 mm/shmem.c:3609
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo fs/inode.c:911 [inline]
new_inode+0x1d/0xf0 fs/inode.c:940
shmem_get_inode+0x96/0x8d0 mm/shmem.c:2196
shmem_mknod+0x5a/0x1f0 mm/shmem.c:2843
lookup_open+0x893/0x1a20 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x1094/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880977b9a60
which belongs to the cache shmem_inode_cache of size 1200
The buggy address is located 236 bytes to the right of
1200-byte region [ffff8880977b9a60, ffff8880977b9f10)
The buggy address belongs to the page:
page:ffffea00025dee40 count:1 mapcount:0 mapping:ffff8880b59c36c0 index:0xffff8880977b9ffd
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea000260f208 ffffea000262d5c8 ffff8880b59c36c0
raw: ffff8880977b9ffd ffff8880977b9000 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880977b9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880977b9f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880977b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880977ba000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880977ba080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages