[v6.1] KASAN: slab-out-of-bounds Read in dtSearch
0 views
Skip to first unread message
syzbot
Jun 23, 2024, 11:42:19 PMJun 23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: eb44d83053d6 Linux 6.1.94
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1659e22a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=485614fd53648699
dashboard link: https://syzkaller.appspot.com/bug?extid=0999ae476eb112f48b0a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/afed7237b37c/disk-eb44d830.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b9b899645df5/vmlinux-eb44d830.xz
kernel image: https://storage.googleapis.com/syzbot-assets/83347623a9ea/Image-eb44d830.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0999ae...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in ciCompare fs/jfs/jfs_dtree.c:3398 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x12c0/0x1f34 fs/jfs/jfs_dtree.c:644
Read of size 1 at addr ffff0000dedff7f4 by task syz-executor.1/4607
CPU: 0 PID: 4607 Comm: syz-executor.1 Not tainted 6.1.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
ciCompare fs/jfs/jfs_dtree.c:3398 [inline]
dtSearch+0x12c0/0x1f34 fs/jfs/jfs_dtree.c:644
jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0xd3c/0x2548 fs/namei.c:3782
do_filp_open+0x1bc/0x3cc fs/namei.c:3812
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 4614:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x1ac/0x2f8 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3193 [inline]
jfs_alloc_inode+0x2c/0x68 fs/jfs/super.c:105
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x170/0x708 fs/inode.c:1330
jfs_iget+0x30/0x364 fs/jfs/inode.c:29
jfs_fill_super+0x644/0x9f0 fs/jfs/super.c:580
mount_bdev+0x274/0x370 fs/super.c:1432
jfs_do_mount+0x44/0x58 fs/jfs/super.c:670
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff0000dedfef00
which belongs to the cache jfs_ip of size 2240
The buggy address is located 52 bytes to the right of
2240-byte region [ffff0000dedfef00, ffff0000dedff7c0)
The buggy address belongs to the physical page:
page:00000000d813a53a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11edf8
head:00000000d813a53a order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff0000f22a9301
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c7410d80
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff0000f22a9301
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dedff680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000dedff700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000dedff780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff0000dedff800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dedff880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: eb44d83053d6 Linux 6.1.94
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1659e22a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=485614fd53648699
dashboard link: https://syzkaller.appspot.com/bug?extid=0999ae476eb112f48b0a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/afed7237b37c/disk-eb44d830.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b9b899645df5/vmlinux-eb44d830.xz
kernel image: https://storage.googleapis.com/syzbot-assets/83347623a9ea/Image-eb44d830.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0999ae...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in ciCompare fs/jfs/jfs_dtree.c:3398 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x12c0/0x1f34 fs/jfs/jfs_dtree.c:644
Read of size 1 at addr ffff0000dedff7f4 by task syz-executor.1/4607
CPU: 0 PID: 4607 Comm: syz-executor.1 Not tainted 6.1.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
ciCompare fs/jfs/jfs_dtree.c:3398 [inline]
dtSearch+0x12c0/0x1f34 fs/jfs/jfs_dtree.c:644
jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3552 [inline]
path_openat+0xd3c/0x2548 fs/namei.c:3782
do_filp_open+0x1bc/0x3cc fs/namei.c:3812
do_sys_openat2+0x128/0x3d8 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 4614:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x1ac/0x2f8 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3193 [inline]
jfs_alloc_inode+0x2c/0x68 fs/jfs/super.c:105
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x170/0x708 fs/inode.c:1330
jfs_iget+0x30/0x364 fs/jfs/inode.c:29
jfs_fill_super+0x644/0x9f0 fs/jfs/super.c:580
mount_bdev+0x274/0x370 fs/super.c:1432
jfs_do_mount+0x44/0x58 fs/jfs/super.c:670
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1562
do_new_mount+0x278/0x8fc fs/namespace.c:3051
path_mount+0x590/0xe5c fs/namespace.c:3381
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount fs/namespace.c:3579 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3579
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the object at ffff0000dedfef00
which belongs to the cache jfs_ip of size 2240
The buggy address is located 52 bytes to the right of
2240-byte region [ffff0000dedfef00, ffff0000dedff7c0)
The buggy address belongs to the physical page:
page:00000000d813a53a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11edf8
head:00000000d813a53a order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff0000f22a9301
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c7410d80
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff0000f22a9301
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dedff680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000dedff700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000dedff780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff0000dedff800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dedff880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages