[v6.1] KASAN: out-of-bounds Read in ntfs_resident_attr_value_resize
0 views
Skip to first unread message
syzbot
Apr 10, 2023, 10:49:46 PM4/10/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 543aff194ab6 Linux 6.1.23
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=166511e3c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ccbc3d5467efd1
dashboard link: https://syzkaller.appspot.com/bug?extid=bccd2c29c46182fce156
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7fe538fc87bf/disk-543aff19.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8df93997601a/vmlinux-543aff19.xz
kernel image: https://storage.googleapis.com/syzbot-assets/03ad7e3bf859/Image-543aff19.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bccd2c...@syzkaller.appspotmail.com
ntfs: (device loop4): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: out-of-bounds in ntfs_attr_record_resize fs/ntfs/attrib.c:1459 [inline]
BUG: KASAN: out-of-bounds in ntfs_resident_attr_value_resize+0x14c/0x46c fs/ntfs/attrib.c:1495
Read of size 18446744073709551361 at addr ffff000135405980 by task syz-executor.4/7139
CPU: 1 PID: 7139 Comm: syz-executor.4 Not tainted 6.1.23-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memmove+0x48/0x90 mm/kasan/shadow.c:54
ntfs_attr_record_resize fs/ntfs/attrib.c:1459 [inline]
ntfs_resident_attr_value_resize+0x14c/0x46c fs/ntfs/attrib.c:1495
ntfs_truncate+0x5c0/0x2118 fs/ntfs/inode.c:2495
ntfs_truncate_vfs fs/ntfs/inode.c:2862 [inline]
ntfs_setattr+0x260/0x320 fs/ntfs/inode.c:2914
notify_change+0xc24/0xec0 fs/attr.c:482
do_truncate+0x1c0/0x28c fs/open.c:65
handle_truncate fs/namei.c:3216 [inline]
do_open fs/namei.c:3561 [inline]
path_openat+0x1fa0/0x2548 fs/namei.c:3714
do_filp_open+0x1bc/0x3cc fs/namei.c:3741
do_sys_openat2+0x128/0x3d8 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1337
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:00000000caf8e637 refcount:4 mapcount:0 mapping:0000000069999f6a index:0x21 pfn:0x175405
memcg:ffff00012ca10000
aops:ntfs_mst_aops ino:0
flags: 0x5ffc00000002046(referenced|uptodate|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002046 0000000000000000 dead000000000122 ffff00012b66d7c8
raw: 0000000000000021 ffff0000dd6b6488 00000004ffffffff ffff00012ca10000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000135405880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff000135405900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff000135405980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff000135405a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff000135405a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 543aff194ab6 Linux 6.1.23
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=166511e3c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ccbc3d5467efd1
dashboard link: https://syzkaller.appspot.com/bug?extid=bccd2c29c46182fce156
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7fe538fc87bf/disk-543aff19.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8df93997601a/vmlinux-543aff19.xz
kernel image: https://storage.googleapis.com/syzbot-assets/03ad7e3bf859/Image-543aff19.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bccd2c...@syzkaller.appspotmail.com
ntfs: (device loop4): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: out-of-bounds in ntfs_attr_record_resize fs/ntfs/attrib.c:1459 [inline]
BUG: KASAN: out-of-bounds in ntfs_resident_attr_value_resize+0x14c/0x46c fs/ntfs/attrib.c:1495
Read of size 18446744073709551361 at addr ffff000135405980 by task syz-executor.4/7139
CPU: 1 PID: 7139 Comm: syz-executor.4 Not tainted 6.1.23-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memmove+0x48/0x90 mm/kasan/shadow.c:54
ntfs_attr_record_resize fs/ntfs/attrib.c:1459 [inline]
ntfs_resident_attr_value_resize+0x14c/0x46c fs/ntfs/attrib.c:1495
ntfs_truncate+0x5c0/0x2118 fs/ntfs/inode.c:2495
ntfs_truncate_vfs fs/ntfs/inode.c:2862 [inline]
ntfs_setattr+0x260/0x320 fs/ntfs/inode.c:2914
notify_change+0xc24/0xec0 fs/attr.c:482
do_truncate+0x1c0/0x28c fs/open.c:65
handle_truncate fs/namei.c:3216 [inline]
do_open fs/namei.c:3561 [inline]
path_openat+0x1fa0/0x2548 fs/namei.c:3714
do_filp_open+0x1bc/0x3cc fs/namei.c:3741
do_sys_openat2+0x128/0x3d8 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1337
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:00000000caf8e637 refcount:4 mapcount:0 mapping:0000000069999f6a index:0x21 pfn:0x175405
memcg:ffff00012ca10000
aops:ntfs_mst_aops ino:0
flags: 0x5ffc00000002046(referenced|uptodate|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002046 0000000000000000 dead000000000122 ffff00012b66d7c8
raw: 0000000000000021 ffff0000dd6b6488 00000004ffffffff ffff00012ca10000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000135405880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff000135405900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff000135405980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff000135405a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff000135405a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 8, 2023, 10:49:55 PM8/8/23
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages