KASAN: use-after-free Read in reiserfs_release_objectid
15 views
Skip to first unread message
syzbot
Nov 28, 2022, 12:34:33 PM11/28/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10ef3b75880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=a74ce3529387d86a422c
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140c68d5880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162a0dbb880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/2553100654ee/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a74ce3...@syzkaller.appspotmail.com
REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: use-after-free in memmove include/linux/string.h:392 [inline]
BUG: KASAN: use-after-free in reiserfs_release_objectid+0x47e/0x740 fs/reiserfs/objectid.c:165
Read of size 14568 at addr ffff88809006a0d0 by task syz-executor387/8181
CPU: 1 PID: 8181 Comm: syz-executor387 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
memmove+0x20/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:392 [inline]
reiserfs_release_objectid+0x47e/0x740 fs/reiserfs/objectid.c:165
remove_save_link+0x21c/0x3f0 fs/reiserfs/super.c:542
reiserfs_evict_inode+0x489/0x540 fs/reiserfs/inode.c:91
evict+0x2ed/0x760 fs/inode.c:559
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
do_renameat2+0xb69/0xc70 fs/namei.c:4633
__do_sys_rename fs/namei.c:4675 [inline]
__se_sys_rename fs/namei.c:4673 [inline]
__x64_sys_rename+0x5d/0x80 fs/namei.c:4673
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f9ed81e0989
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdaa63988 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f9ed81e0989
RDX: 00007f9ed81e0989 RSI: 0000000020000200 RDI: 0000000020000140
RBP: 0000000000000000 R08: 00007fffdaa639b0 R09: 00007fffdaa639b0
R10: 00007fffdaa639b0 R11: 0000000000000246 R12: 00007fffdaa639ac
R13: 00007fffdaa639e0 R14: 00007fffdaa639c0 R15: 000000000000000a
The buggy address belongs to the page:
page:ffffea0002401a80 count:2 mapcount:0 mapping:ffff8880addcc560 index:0x10
flags: 0xfff0000001106c(referenced|uptodate|lru|active|private|mappedtodisk)
raw: 00fff0000001106c ffffea0002290408 ffffea0002d3c848 ffff8880addcc560
raw: 0000000000000010 ffff88808ac4c498 00000002ffffffff ffff8880b59f68c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8880b59f68c0
Memory state around the buggy address:
ffff88809006af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88809006af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809006b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88809006b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88809006b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10ef3b75880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=a74ce3529387d86a422c
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140c68d5880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162a0dbb880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/2553100654ee/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a74ce3...@syzkaller.appspotmail.com
REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: use-after-free in memmove include/linux/string.h:392 [inline]
BUG: KASAN: use-after-free in reiserfs_release_objectid+0x47e/0x740 fs/reiserfs/objectid.c:165
Read of size 14568 at addr ffff88809006a0d0 by task syz-executor387/8181
CPU: 1 PID: 8181 Comm: syz-executor387 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
memmove+0x20/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:392 [inline]
reiserfs_release_objectid+0x47e/0x740 fs/reiserfs/objectid.c:165
remove_save_link+0x21c/0x3f0 fs/reiserfs/super.c:542
reiserfs_evict_inode+0x489/0x540 fs/reiserfs/inode.c:91
evict+0x2ed/0x760 fs/inode.c:559
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
do_renameat2+0xb69/0xc70 fs/namei.c:4633
__do_sys_rename fs/namei.c:4675 [inline]
__se_sys_rename fs/namei.c:4673 [inline]
__x64_sys_rename+0x5d/0x80 fs/namei.c:4673
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f9ed81e0989
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdaa63988 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f9ed81e0989
RDX: 00007f9ed81e0989 RSI: 0000000020000200 RDI: 0000000020000140
RBP: 0000000000000000 R08: 00007fffdaa639b0 R09: 00007fffdaa639b0
R10: 00007fffdaa639b0 R11: 0000000000000246 R12: 00007fffdaa639ac
R13: 00007fffdaa639e0 R14: 00007fffdaa639c0 R15: 000000000000000a
The buggy address belongs to the page:
page:ffffea0002401a80 count:2 mapcount:0 mapping:ffff8880addcc560 index:0x10
flags: 0xfff0000001106c(referenced|uptodate|lru|active|private|mappedtodisk)
raw: 00fff0000001106c ffffea0002290408 ffffea0002d3c848 ffff8880addcc560
raw: 0000000000000010 ffff88808ac4c498 00000002ffffffff ffff8880b59f68c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8880b59f68c0
Memory state around the buggy address:
ffff88809006af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88809006af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809006b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88809006b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88809006b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 4, 2022, 4:28:37 PM12/4/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 179ef7fe8677 Linux 4.14.300
syzbot found the following issue on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1276fa4d880000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa85f51ec321d5a9
dashboard link: https://syzkaller.appspot.com/bug?extid=9eb708b6972efff5d594
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17503997880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fefe83880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d311ef57b59a/disk-179ef7fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25bf5d729f69/vmlinux-179ef7fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db9b96571e69/bzImage-179ef7fe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4eadab6f8f54/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: use-after-free in reiserfs_release_objectid+0x41c/0x710 fs/reiserfs/objectid.c:165
Read of size 14568 at addr ffff88809fe060d0 by task syz-executor348/7985
CPU: 0 PID: 7985 Comm: syz-executor348 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Call Trace:
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report+0x6f/0x80 mm/kasan/report.c:409
memmove+0x20/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:391 [inline]
reiserfs_release_objectid+0x41c/0x710 fs/reiserfs/objectid.c:165
remove_save_link+0x1e2/0x380 fs/reiserfs/super.c:542
reiserfs_evict_inode+0x3e7/0x4a0 fs/reiserfs/inode.c:91
evict+0x2c8/0x700 fs/inode.c:554
iput_final fs/inode.c:1523 [inline]
iput+0x458/0x7e0 fs/inode.c:1550
dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
__dentry_kill+0x320/0x550 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x4b5/0x710 fs/dcache.c:847
dput+0x1b/0x30 fs/dcache.c:811
SYSC_renameat2 fs/namei.c:4650 [inline]
SyS_renameat2+0x96a/0xad0 fs/namei.c:4535
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the page:
flags: 0xfff0000001106c(referenced|uptodate|lru|active|private|mappedtodisk)
raw: 00fff0000001106c ffff8880b1d92a68 0000000000000010 00000002ffffffff
raw: ffffea00029fe320 ffffea0002cf8c20 ffff88808cefbf18 ffff88823b3288c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88823b3288c0
Memory state around the buggy address:
ffff88809fe06f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809fe07000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
^
ffff88809fe07080: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
ffff88809fe07100: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
Reply all
Reply to author
Forward
0 new messages