KASAN: use-after-free Read in ext4_xattr_set_entry (2)

syzbot

Sep 5, 2019, 5:31:09 PM9/5/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 38733bad ANDROID: sched: Disallow WALT with CFS bandwidth ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=154b7f89600000
kernel config: https://syzkaller.appspot.com/x/.config?x=56a11d56cc83fc65
dashboard link: https://syzkaller.appspot.com/bug?extid=760383f25b4a8f05bb3d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+760383...@syzkaller.appspotmail.com

EXT4-fs (sda1): Unrecognized mount option "func=MODULE_CHECK" or missing value
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x2e28/0x2f00 fs/ext4/xattr.c:1602
Read of size 4 at addr ffff888192b8b184 by task syz-executor.3/23660

CPU: 0 PID: 23660 Comm: syz-executor.3 Not tainted 4.14.141+ #0
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
ext4_xattr_set_entry+0x2e28/0x2f00 fs/ext4/xattr.c:1602
ext4_xattr_ibody_set+0x73/0x280 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x508/0xdd0 fs/ext4/xattr.c:2394
ext4_initxattrs+0xb5/0x110 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:493 [inline]
security_inode_init_security+0x246/0x330 security/security.c:466
__ext4_new_inode+0x336f/0x4850 fs/ext4/ialloc.c:1166
ext4_symlink+0x352/0xa30 fs/ext4/namei.c:3152
vfs_symlink2+0x32a/0x560 fs/namei.c:4292
SYSC_symlinkat fs/namei.c:4325 [inline]
SyS_symlinkat+0x116/0x1e0 fs/namei.c:4305
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4595a7
RSP: 002b:00007ffc37b6c1e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004595a7
RDX: 00007ffc37b6c287 RSI: 00000000004bf0f0 RDI: 00007ffc37b6c270
RBP: 0000000000000000 R08: 0000000000000800 R09: 0000000000000017
R10: 0000000000000075 R11: 0000000000000206 R12: 0000000000000001
R13: 00007ffc37b6c220 R14: 0000000000000000 R15: 00007ffc37b6c230

The buggy address belongs to the page:
page:ffffea00064ae2c0 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888192b8b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888192b8b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888192b8b180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888192b8b200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888192b8b280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs (sda1): Unrecognized mount option "func=MODULE_CHECK" or missing value


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Feb 28, 2020, 8:35:13 AM2/28/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.