[ext4?] KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size
5 views
Skip to first unread message
syzbot
Jan 26, 2023, 9:26:49 PM1/26/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15d814e1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=49c13794f111572a1514
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ea0835480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13f4a085480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bcca9fe351e4/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+49c137...@syzkaller.appspotmail.com
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: slab-out-of-bounds in get_max_inline_xattr_value_size+0x46a/0x4d0 fs/ext4/inline.c:57
Read of size 4 at addr ffff8880aab02084 by task kworker/1:2/3531
CPU: 1 PID: 3531 Comm: kworker/1:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: events p9_write_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
get_max_inline_xattr_value_size+0x46a/0x4d0 fs/ext4/inline.c:57
ext4_get_max_inline_size.part.0+0xa8/0x170 fs/ext4/inline.c:108
ext4_get_max_inline_size fs/ext4/inline.c:96 [inline]
ext4_try_to_write_inline_data+0xf2/0x1a20 fs/ext4/inline.c:656
ext4_write_begin+0xe41/0x1610 fs/ext4/inode.c:1294
ext4_da_write_begin+0x737/0x10e0 fs/ext4/inode.c:3051
generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
__generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
ext4_file_write_iter+0x2fe/0xf20 fs/ext4/file.c:272
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
kernel_write+0xa6/0x110 fs/read_write.c:526
p9_fd_write net/9p/trans_fd.c:443 [inline]
p9_write_work+0x23f/0xb90 net/9p/trans_fd.c:494
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880aab02100
which belongs to the cache names_cache of size 4096
The buggy address is located 124 bytes to the left of
4096-byte region [ffff8880aab02100, ffff8880aab03100)
The buggy address belongs to the page:
page:ffffea0002aac080 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea00024bbe88 ffffea0002a5ce08 ffff88823b843380
raw: 0000000000000000 ffff8880aab02100 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880aab01f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880aab02000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880aab02080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880aab02100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880aab02180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15d814e1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=49c13794f111572a1514
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ea0835480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13f4a085480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bcca9fe351e4/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+49c137...@syzkaller.appspotmail.com
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: slab-out-of-bounds in get_max_inline_xattr_value_size+0x46a/0x4d0 fs/ext4/inline.c:57
Read of size 4 at addr ffff8880aab02084 by task kworker/1:2/3531
CPU: 1 PID: 3531 Comm: kworker/1:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: events p9_write_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
get_max_inline_xattr_value_size+0x46a/0x4d0 fs/ext4/inline.c:57
ext4_get_max_inline_size.part.0+0xa8/0x170 fs/ext4/inline.c:108
ext4_get_max_inline_size fs/ext4/inline.c:96 [inline]
ext4_try_to_write_inline_data+0xf2/0x1a20 fs/ext4/inline.c:656
ext4_write_begin+0xe41/0x1610 fs/ext4/inode.c:1294
ext4_da_write_begin+0x737/0x10e0 fs/ext4/inode.c:3051
generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
__generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
ext4_file_write_iter+0x2fe/0xf20 fs/ext4/file.c:272
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
kernel_write+0xa6/0x110 fs/read_write.c:526
p9_fd_write net/9p/trans_fd.c:443 [inline]
p9_write_work+0x23f/0xb90 net/9p/trans_fd.c:494
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880aab02100
which belongs to the cache names_cache of size 4096
The buggy address is located 124 bytes to the left of
4096-byte region [ffff8880aab02100, ffff8880aab03100)
The buggy address belongs to the page:
page:ffffea0002aac080 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea00024bbe88 ffffea0002a5ce08 ffff88823b843380
raw: 0000000000000000 ffff8880aab02100 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880aab01f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880aab02000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880aab02080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880aab02100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880aab02180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages