KASAN: use-after-free Read in __ext4_check_dir_entry
21 views
Skip to first unread message
syzbot
Jun 11, 2020, 10:23:15 PM6/11/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14c2543e100000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b525c860dd8b07d5903f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b525c8...@syzkaller.appspotmail.com
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7902 comm=syz-executor.0
==================================================================
netlink: 124 bytes leftover after parsing attributes in process `syz-executor.0'.
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff88808cf3f003 by task syz-executor.1/7912
CPU: 0 PID: 7912 Comm: syz-executor.1 Not tainted 4.14.184-syzkaller #0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7914 comm=syz-executor.0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ca69
RSP: 002b:00007fbffbbe4c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00000000004dcec0 RCX: 000000000045ca69
RDX: 00000000c0002521 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f7 R14: 00000000004c3a1c R15: 00007fbffbbe56d4
The buggy address belongs to the page:
page:ffffea000233cfc0 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea00022f83a0 ffffea00024ba320 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808cf3ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808cf3ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808cf3f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808cf3f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808cf3f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7903 comm=syz-executor.5
netlink: 148 bytes leftover after parsing attributes in process `syz-executor.5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7926 comm=syz-executor.5
netlink: 124 bytes leftover after parsing attributes in process `syz-executor.0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7936 comm=syz-executor.0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14c2543e100000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b525c860dd8b07d5903f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b525c8...@syzkaller.appspotmail.com
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7902 comm=syz-executor.0
==================================================================
netlink: 124 bytes leftover after parsing attributes in process `syz-executor.0'.
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff88808cf3f003 by task syz-executor.1/7912
CPU: 0 PID: 7912 Comm: syz-executor.1 Not tainted 4.14.184-syzkaller #0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7914 comm=syz-executor.0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ca69
RSP: 002b:00007fbffbbe4c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00000000004dcec0 RCX: 000000000045ca69
RDX: 00000000c0002521 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f7 R14: 00000000004c3a1c R15: 00007fbffbbe56d4
The buggy address belongs to the page:
page:ffffea000233cfc0 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea00022f83a0 ffffea00024ba320 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808cf3ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808cf3ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808cf3f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808cf3f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808cf3f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7903 comm=syz-executor.5
netlink: 148 bytes leftover after parsing attributes in process `syz-executor.5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7926 comm=syz-executor.5
netlink: 124 bytes leftover after parsing attributes in process `syz-executor.0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=7936 comm=syz-executor.0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jun 17, 2020, 11:17:20 AM6/17/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=144243f5100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b2ccf1100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b525c8...@syzkaller.appspotmail.com
audit: type=1400 audit(1592406889.731:8): avc: denied { execmem } for pid=6342 comm="syz-executor293" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
CPU: 0 PID: 6343 Comm: syz-executor293 Not tainted 4.14.184-syzkaller #0
RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4799:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc_track_caller+0x155/0x400 mm/slab.c:3735
kmemdup_nul+0x2d/0xa0 mm/util.c:138
security_context_to_sid_core+0x94/0x3d0 security/selinux/ss/services.c:1420
selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
do_inode_permission fs/namei.c:384 [inline]
__inode_permission+0x1f1/0x2f0 fs/namei.c:426
inode_permission+0x23/0x100 fs/namei.c:476
may_lookup fs/namei.c:1717 [inline]
link_path_walk+0x851/0x1080 fs/namei.c:2097
path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
filename_lookup+0x18e/0x380 fs/namei.c:2377
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat fs/stat.c:350 [inline]
SyS_newlstat+0x83/0xe0 fs/stat.c:344
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 4799:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
security_context_to_sid_core+0x284/0x3d0 security/selinux/ss/services.c:1460
selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
do_inode_permission fs/namei.c:384 [inline]
__inode_permission+0x1f1/0x2f0 fs/namei.c:426
inode_permission+0x23/0x100 fs/namei.c:476
may_lookup fs/namei.c:1717 [inline]
link_path_walk+0x851/0x1080 fs/namei.c:2097
path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
filename_lookup+0x18e/0x380 fs/namei.c:2377
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat fs/stat.c:350 [inline]
SyS_newlstat+0x83/0xe0 fs/stat.c:344
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880902be000
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 1 bytes inside of
32-byte region [ffff8880902be000, ffff8880902be020)
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880902be000 ffff8880902befc1 000000010000003f
raw: ffffea00024079e0 ffffea0002aa6720 ffff8880aa8001c0 0000000000000000
ffff8880902bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880902be000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8880902be080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880902be100: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================
HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b525c860dd8b07d5903f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1109bfa9100000
dashboard link: https://syzkaller.appspot.com/bug?extid=b525c860dd8b07d5903f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b2ccf1100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b525c8...@syzkaller.appspotmail.com
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff8880902be001 by task syz-executor293/6343
CPU: 0 PID: 6343 Comm: syz-executor293 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441369
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4799:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc_track_caller+0x155/0x400 mm/slab.c:3735
kmemdup_nul+0x2d/0xa0 mm/util.c:138
security_context_to_sid_core+0x94/0x3d0 security/selinux/ss/services.c:1420
selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
do_inode_permission fs/namei.c:384 [inline]
__inode_permission+0x1f1/0x2f0 fs/namei.c:426
inode_permission+0x23/0x100 fs/namei.c:476
may_lookup fs/namei.c:1717 [inline]
link_path_walk+0x851/0x1080 fs/namei.c:2097
path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
filename_lookup+0x18e/0x380 fs/namei.c:2377
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat fs/stat.c:350 [inline]
SyS_newlstat+0x83/0xe0 fs/stat.c:344
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 4799:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
security_context_to_sid_core+0x284/0x3d0 security/selinux/ss/services.c:1460
selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
do_inode_permission fs/namei.c:384 [inline]
__inode_permission+0x1f1/0x2f0 fs/namei.c:426
inode_permission+0x23/0x100 fs/namei.c:476
may_lookup fs/namei.c:1717 [inline]
link_path_walk+0x851/0x1080 fs/namei.c:2097
path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
filename_lookup+0x18e/0x380 fs/namei.c:2377
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xd1/0x160 fs/stat.c:185
vfs_lstat include/linux/fs.h:3066 [inline]
SYSC_newlstat fs/stat.c:350 [inline]
SyS_newlstat+0x83/0xe0 fs/stat.c:344
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880902be000
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 1 bytes inside of
32-byte region [ffff8880902be000, ffff8880902be020)
The buggy address belongs to the page:
page:ffffea000240af80 count:1 mapcount:0 mapping:ffff8880902be000 index:0xffff8880902befc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880902be000 ffff8880902befc1 000000010000003f
raw: ffffea00024079e0 ffffea0002aa6720 ffff8880aa8001c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880902bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8880902bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880902be000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8880902be080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880902be100: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================
Reply all
Reply to author
Forward
0 new messages