[v6.1] KASAN: use-after-free Read in ntfs_read_folio
5 views
Skip to first unread message
syzbot
Mar 18, 2023, 6:25:42 AM3/18/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7eaef76fbc46 Linux 6.1.20
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10288e9ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=29ad3fe3c7b61175
dashboard link: https://syzkaller.appspot.com/bug?extid=2fec743e48dcebd0fdc3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e20ad6c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17da24f2c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/34f95428f5fb/disk-7eaef76f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1bdd9b2c390d/vmlinux-7eaef76f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/419140981cfa/Image-7eaef76f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f41cbf9535e0/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2fec74...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 190
==================================================================
BUG: KASAN: use-after-free in ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
Read of size 1 at addr ffff0000de1e717f by task syz-executor342/4312
CPU: 0 PID: 4312 Comm: syz-executor342 Not tainted 6.1.20-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x48/0x90 mm/kasan/shadow.c:65
ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
filemap_read_folio+0x14c/0x39c mm/filemap.c:2407
do_read_cache_folio+0x24c/0x544 mm/filemap.c:3535
do_read_cache_page mm/filemap.c:3577 [inline]
read_cache_page+0x6c/0x180 mm/filemap.c:3586
read_mapping_page include/linux/pagemap.h:756 [inline]
ntfs_map_page fs/ntfs/aops.h:75 [inline]
load_and_init_attrdef fs/ntfs/super.c:1609 [inline]
load_system_files+0x1e34/0x4734 fs/ntfs/super.c:1817
ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2892
mount_bdev+0x26c/0x368 fs/super.c:1414
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3049
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1544
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:0000000082148dbf refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11e1e7
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc00037df188 fffffc0003789048 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000de1e7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000de1e7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000de1e7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000de1e7180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000de1e7200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: volume version 3.1.
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=2072, nr_sectors = 8 limit=190
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=552, nr_sectors = 8 limit=190
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=224, nr_sectors = 8 limit=190
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 7eaef76fbc46 Linux 6.1.20
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10288e9ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=29ad3fe3c7b61175
dashboard link: https://syzkaller.appspot.com/bug?extid=2fec743e48dcebd0fdc3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e20ad6c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17da24f2c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/34f95428f5fb/disk-7eaef76f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1bdd9b2c390d/vmlinux-7eaef76f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/419140981cfa/Image-7eaef76f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f41cbf9535e0/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2fec74...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 190
==================================================================
BUG: KASAN: use-after-free in ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
Read of size 1 at addr ffff0000de1e717f by task syz-executor342/4312
CPU: 0 PID: 4312 Comm: syz-executor342 Not tainted 6.1.20-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x48/0x90 mm/kasan/shadow.c:65
ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
filemap_read_folio+0x14c/0x39c mm/filemap.c:2407
do_read_cache_folio+0x24c/0x544 mm/filemap.c:3535
do_read_cache_page mm/filemap.c:3577 [inline]
read_cache_page+0x6c/0x180 mm/filemap.c:3586
read_mapping_page include/linux/pagemap.h:756 [inline]
ntfs_map_page fs/ntfs/aops.h:75 [inline]
load_and_init_attrdef fs/ntfs/super.c:1609 [inline]
load_system_files+0x1e34/0x4734 fs/ntfs/super.c:1817
ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2892
mount_bdev+0x26c/0x368 fs/super.c:1414
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3049
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1544
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:0000000082148dbf refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11e1e7
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc00037df188 fffffc0003789048 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000de1e7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000de1e7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000de1e7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000de1e7180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000de1e7200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: volume version 3.1.
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=2072, nr_sectors = 8 limit=190
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=552, nr_sectors = 8 limit=190
syz-executor342: attempt to access beyond end of device
loop0: rw=0, sector=224, nr_sectors = 8 limit=190
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages