KASAN: out-of-bounds Write in udf_write_fi
6 views
Skip to first unread message
syzbot
Feb 23, 2023, 12:38:58 AM2/23/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 1e61bd26fa2c Linux 4.14.306
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12d76d40c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1411e822b6d22b39
dashboard link: https://syzkaller.appspot.com/bug?extid=51d3ca1b8603c95ebe71
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cb1ed8c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146465b4c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/625245171cd5/disk-1e61bd26.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9facd1f0ea57/vmlinux-1e61bd26.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f2f80facb3a7/bzImage-1e61bd26.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/810c086318b8/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+51d3ca...@syzkaller.appspotmail.com
RBP: 00007ffc914fb510 R08: 0000000000000002 R09: 00007ffc914fb698
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
==================================================================
BUG: KASAN: out-of-bounds in memset include/linux/string.h:361 [inline]
BUG: KASAN: out-of-bounds in udf_write_fi+0x875/0xe80 fs/udf/namei.c:93
Write of size 18446744073709551572 at addr ffff88808aa7102c by task syz-executor428/7965
CPU: 0 PID: 7965 Comm: syz-executor428 Not tainted 4.14.306-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:251
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:350
kasan_report+0x6f/0x80 mm/kasan/report.c:408
memset+0x20/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:361 [inline]
udf_write_fi+0x875/0xe80 fs/udf/namei.c:93
udf_rename+0x3e5/0x11b0 fs/udf/namei.c:1194
vfs_rename+0x560/0x1820 fs/namei.c:4498
SYSC_renameat2 fs/namei.c:4646 [inline]
SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7ff2fe032219
RSP: 002b:00007ffc914fb4f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff2fe032219
RDX: 0000000000000510 RSI: 0000000020000100 RDI: 0000000020000040
RBP: 00007ffc914fb510 R08: 0000000000000002 R09: 00007ffc914fb698
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00022a9c40 count:3 mapcount:0 mapping:ffff8880b1d8f4a8 index:0xa8
flags: 0xfff00000001054(referenced|dirty|active|private)
raw: 00fff00000001054 ffff8880b1d8f4a8 00000000000000a8 00000003ffffffff
raw: dead000000000100 dead000000000200 ffff88808dbc0000 ffff88823b3288c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88823b3288c0
Memory state around the buggy address:
ffff88808aa70f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808aa70f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808aa71000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff88808aa71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808aa71100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 1e61bd26fa2c Linux 4.14.306
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12d76d40c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1411e822b6d22b39
dashboard link: https://syzkaller.appspot.com/bug?extid=51d3ca1b8603c95ebe71
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cb1ed8c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=146465b4c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/625245171cd5/disk-1e61bd26.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9facd1f0ea57/vmlinux-1e61bd26.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f2f80facb3a7/bzImage-1e61bd26.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/810c086318b8/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+51d3ca...@syzkaller.appspotmail.com
RBP: 00007ffc914fb510 R08: 0000000000000002 R09: 00007ffc914fb698
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
==================================================================
BUG: KASAN: out-of-bounds in memset include/linux/string.h:361 [inline]
BUG: KASAN: out-of-bounds in udf_write_fi+0x875/0xe80 fs/udf/namei.c:93
Write of size 18446744073709551572 at addr ffff88808aa7102c by task syz-executor428/7965
CPU: 0 PID: 7965 Comm: syz-executor428 Not tainted 4.14.306-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:251
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:350
kasan_report+0x6f/0x80 mm/kasan/report.c:408
memset+0x20/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:361 [inline]
udf_write_fi+0x875/0xe80 fs/udf/namei.c:93
udf_rename+0x3e5/0x11b0 fs/udf/namei.c:1194
vfs_rename+0x560/0x1820 fs/namei.c:4498
SYSC_renameat2 fs/namei.c:4646 [inline]
SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7ff2fe032219
RSP: 002b:00007ffc914fb4f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff2fe032219
RDX: 0000000000000510 RSI: 0000000020000100 RDI: 0000000020000040
RBP: 00007ffc914fb510 R08: 0000000000000002 R09: 00007ffc914fb698
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00022a9c40 count:3 mapcount:0 mapping:ffff8880b1d8f4a8 index:0xa8
flags: 0xfff00000001054(referenced|dirty|active|private)
raw: 00fff00000001054 ffff8880b1d8f4a8 00000000000000a8 00000003ffffffff
raw: dead000000000100 dead000000000200 ffff88808dbc0000 ffff88823b3288c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88823b3288c0
Memory state around the buggy address:
ffff88808aa70f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808aa70f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808aa71000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff88808aa71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808aa71100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages