KASAN: use-after-free Read in ext4_xattr_set_entry (2)


syzbot

Mar 22, 2020, 11:20:18 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 01364dad Linux 4.14.174
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=126045b1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=664dd71881ab2b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=001dd339ee946331c255
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+001dd3...@syzkaller.appspotmail.com

EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #17230: comm syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #17230: comm syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_ibody_find:2191: inode #17231: comm restorecond: corrupted in-inode xattr
==================================================================
EXT4-fs error (device sda1): ext4_xattr_ibody_get:590: inode #17231: comm syz-fuzzer: corrupted in-inode xattr
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x2ed2/0x2fc0 fs/ext4/xattr.c:1602
Read of size 4 at addr ffff888079481002 by task syz-fuzzer/7361

CPU: 1 PID: 7361 Comm: syz-fuzzer Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
ext4_xattr_set_entry+0x2ed2/0x2fc0 fs/ext4/xattr.c:1602
ext4_xattr_ibody_set+0x73/0x280 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
ext4_initxattrs+0xb5/0x110 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:492 [inline]
security_inode_init_security+0x236/0x320 security/security.c:465
__ext4_new_inode+0x353a/0x4e90 fs/ext4/ialloc.c:1171
ext4_mkdir+0x2e4/0xb60 fs/ext4/namei.c:2665
vfs_mkdir+0x3af/0x620 fs/namei.c:3849
SYSC_mkdirat fs/namei.c:3872 [inline]
SyS_mkdirat+0x1bc/0x210 fs/namei.c:3856
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x47c530
RSP: 002b:000000c43f397990 EFLAGS: 00000206 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047c530
RDX: 00000000000001c0 RSI: 000000c4236b81e0 RDI: ffffffffffffff9c
RBP: 000000c43f3979f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffffff
R13: 0000000000000010 R14: 000000000000000f R15: 0000000000000100

The buggy address belongs to the page:
page:ffffea0001e52040 count:0 mapcount:-127 mapping: (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffff80
raw: ffffea00017536e0 ffffea00018711a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888079480f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888079480f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888079481000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888079481080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888079481100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 20, 2020, 11:20:11 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.