[v5.15] KASAN: use-after-free Read in hfsplus_releasepage
0 views
Skip to first unread message
syzbot
Mar 9, 2023, 7:52:56 AM3/9/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d9b4a0c83a2d Linux 5.15.98
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15339908c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b57cfa804330c3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=ca08526be49ab156e8b8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1280b868c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169e75cac80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8088989394e3/disk-d9b4a0c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2651d6753959/vmlinux-d9b4a0c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f3fa3f994f9a/Image-d9b4a0c8.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6227675ed834/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ca0852...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: use-after-free in hfsplus_releasepage+0x40c/0x4a8 fs/hfsplus/inode.c:92
Read of size 4 at addr ffff0000da23e038 by task syz-executor939/4052
CPU: 0 PID: 4052 Comm: syz-executor939 Not tainted 5.15.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
hfsplus_releasepage+0x40c/0x4a8 fs/hfsplus/inode.c:92
try_to_release_page+0x204/0x2d0 mm/filemap.c:3970
block_invalidatepage+0x408/0x4bc fs/buffer.c:1545
do_invalidatepage mm/truncate.c:157 [inline]
truncate_cleanup_page+0x15c/0x414 mm/truncate.c:176
truncate_inode_pages_range+0x254/0xbe0 mm/truncate.c:325
truncate_inode_pages mm/truncate.c:425 [inline]
truncate_inode_pages_final+0x94/0xd0 mm/truncate.c:464
hfsplus_evict_inode+0x2c/0xc0 fs/hfsplus/super.c:168
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1663 [inline]
iput+0x8cc/0x9ac fs/inode.c:1689
hfsplus_put_super+0x1b0/0x2ec fs/hfsplus/super.c:302
generic_shutdown_super+0x130/0x29c fs/super.c:466
kill_block_super+0x70/0xdc fs/super.c:1396
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x55c/0x1c20 kernel/exit.c:872
do_group_exit+0x110/0x268 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1003
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
Allocated by task 4052:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x248/0x3b4 mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
hfsplus_btree_open+0x6c/0xd10 fs/hfsplus/btree.c:142
hfsplus_fill_super+0x914/0x167c fs/hfsplus/super.c:485
mount_bdev+0x26c/0x368 fs/super.c:1369
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1499
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
Freed by task 4052:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0x1a8/0x478 mm/slub.c:4559
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:279
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x29c fs/super.c:466
kill_block_super+0x70/0xdc fs/super.c:1396
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x55c/0x1c20 kernel/exit.c:872
do_group_exit+0x110/0x268 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1003
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
The buggy address belongs to the object at ffff0000da23e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 56 bytes inside of
4096-byte region [ffff0000da23e000, ffff0000da23f000)
The buggy address belongs to the page:
page:00000000805e355b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a238
head:00000000805e355b order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000da23df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000da23df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000da23e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000da23e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000da23e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: d9b4a0c83a2d Linux 5.15.98
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15339908c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b57cfa804330c3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=ca08526be49ab156e8b8
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1280b868c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169e75cac80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8088989394e3/disk-d9b4a0c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2651d6753959/vmlinux-d9b4a0c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f3fa3f994f9a/Image-d9b4a0c8.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6227675ed834/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ca0852...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: use-after-free in hfsplus_releasepage+0x40c/0x4a8 fs/hfsplus/inode.c:92
Read of size 4 at addr ffff0000da23e038 by task syz-executor939/4052
CPU: 0 PID: 4052 Comm: syz-executor939 Not tainted 5.15.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
hfsplus_releasepage+0x40c/0x4a8 fs/hfsplus/inode.c:92
try_to_release_page+0x204/0x2d0 mm/filemap.c:3970
block_invalidatepage+0x408/0x4bc fs/buffer.c:1545
do_invalidatepage mm/truncate.c:157 [inline]
truncate_cleanup_page+0x15c/0x414 mm/truncate.c:176
truncate_inode_pages_range+0x254/0xbe0 mm/truncate.c:325
truncate_inode_pages mm/truncate.c:425 [inline]
truncate_inode_pages_final+0x94/0xd0 mm/truncate.c:464
hfsplus_evict_inode+0x2c/0xc0 fs/hfsplus/super.c:168
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1663 [inline]
iput+0x8cc/0x9ac fs/inode.c:1689
hfsplus_put_super+0x1b0/0x2ec fs/hfsplus/super.c:302
generic_shutdown_super+0x130/0x29c fs/super.c:466
kill_block_super+0x70/0xdc fs/super.c:1396
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x55c/0x1c20 kernel/exit.c:872
do_group_exit+0x110/0x268 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1003
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
Allocated by task 4052:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x248/0x3b4 mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
hfsplus_btree_open+0x6c/0xd10 fs/hfsplus/btree.c:142
hfsplus_fill_super+0x914/0x167c fs/hfsplus/super.c:485
mount_bdev+0x26c/0x368 fs/super.c:1369
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1499
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
Freed by task 4052:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0x1a8/0x478 mm/slub.c:4559
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:279
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x29c fs/super.c:466
kill_block_super+0x70/0xdc fs/super.c:1396
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x55c/0x1c20 kernel/exit.c:872
do_group_exit+0x110/0x268 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1003
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 <unknown>:584
The buggy address belongs to the object at ffff0000da23e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 56 bytes inside of
4096-byte region [ffff0000da23e000, ffff0000da23f000)
The buggy address belongs to the page:
page:00000000805e355b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a238
head:00000000805e355b order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000da23df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000da23df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000da23e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000da23e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000da23e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 8, 2023, 8:30:22 PM4/8/23
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 05103d88482dc3757db108415342fdd86821a79b
Author: Dongliang Mu <mudongl...@gmail.com>
Date: Sun Feb 26 12:49:47 2023 +0000
fs: hfsplus: fix UAF issue in hfsplus_put_super
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11eada53c80000
start commit: d9b4a0c83a2d Linux 5.15.98
git tree: linux-5.15.y
#syz fix: fs: hfsplus: fix UAF issue in hfsplus_put_super
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 05103d88482dc3757db108415342fdd86821a79b
Author: Dongliang Mu <mudongl...@gmail.com>
Date: Sun Feb 26 12:49:47 2023 +0000
fs: hfsplus: fix UAF issue in hfsplus_put_super
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11eada53c80000
start commit: d9b4a0c83a2d Linux 5.15.98
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b57cfa804330c3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=ca08526be49ab156e8b8
dashboard link: https://syzkaller.appspot.com/bug?extid=ca08526be49ab156e8b8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1280b868c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169e75cac80000
If the result looks correct, please mark the issue as fixed by replying with:
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1280b868c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169e75cac80000
#syz fix: fs: hfsplus: fix UAF issue in hfsplus_put_super
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages