KASAN: use-after-free Read in udf_get_filelongad
10 views
Skip to first unread message
syzbot
Nov 26, 2022, 2:38:49 AM11/26/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14512353880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=1ce8cefa8656ce81641d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169bcd9b880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f6203880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c2228e478881/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1ce8ce...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
Read of size 4 at addr ffff888095d0c458 by task syz-executor160/8108
CPU: 0 PID: 8108 Comm: syz-executor160 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
udf_current_aext+0x198/0x900 fs/udf/inode.c:2168
udf_next_aext+0x200/0x3a0 fs/udf/inode.c:2104
udf_extend_file fs/udf/inode.c:658 [inline]
udf_setsize+0x7ca/0x1030 fs/udf/inode.c:1251
udf_setattr+0x33d/0x430 fs/udf/file.c:278
notify_change+0x70b/0xfc0 fs/attr.c:334
do_truncate+0x134/0x1f0 fs/open.c:63
do_sys_ftruncate+0x492/0x560 fs/open.c:194
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f5440ffa929
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd62686c98 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5440ffa929
RDX: 00007f5440ffa929 RSI: 0100000000000000 RDI: 0000000000000005
RBP: 00007f5440fba1c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5440fba250
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6200:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
ep_alloc.constprop.0+0xae/0x2d0 fs/eventpoll.c:1019
do_epoll_create+0x97/0x1c0 fs/eventpoll.c:1950
__do_sys_epoll_create1 fs/eventpoll.c:1981 [inline]
__se_sys_epoll_create1 fs/eventpoll.c:1979 [inline]
__x64_sys_epoll_create1+0x2d/0x40 fs/eventpoll.c:1979
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6200:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
ep_eventpoll_release+0x41/0x60 fs/eventpoll.c:867
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888095d0c280
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
512-byte region [ffff888095d0c280, ffff888095d0c480)
The buggy address belongs to the page:
page:ffffea0002574300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea000257e848 ffffea0002cf2a08 ffff88813bff0940
raw: 0000000000000000 ffff888095d0c000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888095d0c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888095d0c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095d0c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888095d0c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095d0c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14512353880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=1ce8cefa8656ce81641d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169bcd9b880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f6203880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c2228e478881/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1ce8ce...@syzkaller.appspotmail.com
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
Read of size 4 at addr ffff888095d0c458 by task syz-executor160/8108
CPU: 0 PID: 8108 Comm: syz-executor160 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
udf_current_aext+0x198/0x900 fs/udf/inode.c:2168
udf_next_aext+0x200/0x3a0 fs/udf/inode.c:2104
udf_extend_file fs/udf/inode.c:658 [inline]
udf_setsize+0x7ca/0x1030 fs/udf/inode.c:1251
udf_setattr+0x33d/0x430 fs/udf/file.c:278
notify_change+0x70b/0xfc0 fs/attr.c:334
do_truncate+0x134/0x1f0 fs/open.c:63
do_sys_ftruncate+0x492/0x560 fs/open.c:194
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f5440ffa929
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd62686c98 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5440ffa929
RDX: 00007f5440ffa929 RSI: 0100000000000000 RDI: 0000000000000005
RBP: 00007f5440fba1c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5440fba250
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6200:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
ep_alloc.constprop.0+0xae/0x2d0 fs/eventpoll.c:1019
do_epoll_create+0x97/0x1c0 fs/eventpoll.c:1950
__do_sys_epoll_create1 fs/eventpoll.c:1981 [inline]
__se_sys_epoll_create1 fs/eventpoll.c:1979 [inline]
__x64_sys_epoll_create1+0x2d/0x40 fs/eventpoll.c:1979
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6200:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
ep_eventpoll_release+0x41/0x60 fs/eventpoll.c:867
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888095d0c280
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
512-byte region [ffff888095d0c280, ffff888095d0c480)
The buggy address belongs to the page:
page:ffffea0002574300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea000257e848 ffffea0002cf2a08 ffff88813bff0940
raw: 0000000000000000 ffff888095d0c000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888095d0c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888095d0c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095d0c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888095d0c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095d0c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 2, 2022, 9:46:53 PM12/2/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 179ef7fe8677 Linux 4.14.300
syzbot found the following issue on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17c66825880000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa85f51ec321d5a9
dashboard link: https://syzkaller.appspot.com/bug?extid=71309098e18549147e83
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1056bea7880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100d89bd880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d311ef57b59a/disk-179ef7fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25bf5d729f69/vmlinux-179ef7fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db9b96571e69/bzImage-179ef7fe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d8cad6d1cae1/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
Read of size 4 at addr ffff8880b4371c98 by task syz-executor278/7977
CPU: 1 PID: 7977 Comm: syz-executor278 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Call Trace:
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
udf_get_filelongad+0x111/0x120 fs/udf/directory.c:237
udf_current_aext+0x183/0x8b0 fs/udf/inode.c:2179
udf_next_aext+0x1f5/0x360 fs/udf/inode.c:2115
udf_extend_file fs/udf/inode.c:657 [inline]
udf_setsize+0x69f/0xe90 fs/udf/inode.c:1251
udf_setattr+0xd2/0x130 fs/udf/file.c:268
notify_change+0x56b/0xd10 fs/attr.c:315
do_truncate+0xff/0x1a0 fs/open.c:63
do_sys_ftruncate.constprop.0+0x3a3/0x480 fs/open.c:205
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Allocated by task 5881:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
__kmalloc_reserve net/core/skbuff.c:137 [inline]
__alloc_skb+0x96/0x510 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
alloc_skb_with_frags+0x85/0x500 net/core/skbuff.c:5261
sock_alloc_send_pskb+0x577/0x6d0 net/core/sock.c:2101
unix_dgram_sendmsg+0x331/0x1080 net/unix/af_unix.c:1722
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
sock_write_iter+0x22c/0x370 net/socket.c:925
call_write_iter include/linux/fs.h:1780 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44c/0x630 fs/read_write.c:482
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Freed by task 4631:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
skb_free_head net/core/skbuff.c:563 [inline]
skb_release_data+0x5f6/0x820 net/core/skbuff.c:583
skb_release_all net/core/skbuff.c:640 [inline]
__kfree_skb net/core/skbuff.c:654 [inline]
consume_skb+0xe0/0x380 net/core/skbuff.c:714
skb_free_datagram+0x16/0xe0 net/core/datagram.c:331
unix_dgram_recvmsg+0x67e/0xc60 net/unix/af_unix.c:2225
sock_recvmsg_nosec net/socket.c:819 [inline]
sock_recvmsg net/socket.c:826 [inline]
sock_recvmsg+0xc0/0x100 net/socket.c:822
___sys_recvmsg+0x20b/0x4d0 net/socket.c:2221
__sys_recvmsg+0xa0/0x120 net/socket.c:2266
SYSC_recvmsg net/socket.c:2278 [inline]
SyS_recvmsg+0x27/0x40 net/socket.c:2273
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the object at ffff8880b4371ac0
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
512-byte region [ffff8880b4371ac0, ffff8880b4371cc0)
The buggy address is located 472 bytes inside of
The buggy address belongs to the page:
page:ffffea0002d0dc40 count:1 mapcount:0 mapping:ffff8880b43710c0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b43710c0 0000000000000000 0000000100000006
raw: ffffea000257ed60 ffffea00025942e0 ffff88813fe74940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880b4371b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880b4371c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b4371c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880b4371d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8880b4371d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reply all
Reply to author
Forward
0 new messages