[Android 5.15] KASAN: use-after-free Read in __ext4_check_dir_entry
0 views
Skip to first unread message
syzbot
Jun 28, 2024, 9:26:35 AMJun 28
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 9044d25b8ff5 Revert "net: dev: Convert sa_data to flexible..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17fba705980000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cac2a3f133ab837
dashboard link: https://syzkaller.appspot.com/bug?extid=949ce2b0353c996c1882
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d5c5a6980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1427fcd1980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2e30c2b6b993/disk-9044d25b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3d70a04f3d64/vmlinux-9044d25b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81476c392e7d/bzImage-9044d25b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0d3fde04dcfd/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+949ce2...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): make_indexed_dir:2284: inode #2: block 255: comm syz-executor242: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0
EXT4-fs warning (device loop0): dx_probe:832: inode #2: comm syz-executor242: Unrecognised inode hash code 49
EXT4-fs warning (device loop0): dx_probe:965: inode #2: comm syz-executor242: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff88811d6ca003 by task syz-executor242/298
CPU: 1 PID: 298 Comm: syz-executor242 Not tainted 5.15.150-syzkaller-00330-g9044d25b8ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
__ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
ext4_readdir+0x1490/0x38d0 fs/ext4/dir.c:258
iterate_dir+0x265/0x610
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
__x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3d06e270e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4f057368 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3d06e270e9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00007fff4f05739c R09: 00007fff4f05739c
R10: 00007fff4f05739c R11: 0000000000000246 R12: 00007fff4f05739c
R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007fff4f0573d0
</TASK>
The buggy address belongs to the page:
page:ffffea000475b280 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11d6ca
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000475b2c8 ffffea000478a008 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 236, ts 16085646426, free_ts 16087143754
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
__alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
__alloc_pages_node include/linux/gfp.h:591 [inline]
alloc_pages_node include/linux/gfp.h:605 [inline]
alloc_pages include/linux/gfp.h:618 [inline]
do_anonymous_page mm/memory.c:4032 [inline]
handle_pte_fault+0xea0/0x24d0 mm/memory.c:4869
do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
handle_mm_fault include/linux/mm.h:1836 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
handle_page_fault arch/x86/mm/fault.c:1549 [inline]
exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1471 [inline]
free_pcp_prepare mm/page_alloc.c:1543 [inline]
free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
release_pages+0x1310/0x1370 mm/swap.c:1009
free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2691
__do_munmap+0x1421/0x1a90 mm/mmap.c:2925
__vm_munmap+0x166/0x2a0 mm/mmap.c:2948
__do_sys_munmap mm/mmap.c:2974 [inline]
__se_sys_munmap mm/mmap.c:2970 [inline]
__x64_sys_munmap+0x6b/0x80 mm/mmap.c:2970
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88811d6c9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88811d6c9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88811d6ca000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88811d6ca080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811d6ca100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_readdir:260: inode #2: block 255: comm syz-executor242: path /root/syzkaller.foR9l2/1/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 9044d25b8ff5 Revert "net: dev: Convert sa_data to flexible..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17fba705980000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cac2a3f133ab837
dashboard link: https://syzkaller.appspot.com/bug?extid=949ce2b0353c996c1882
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d5c5a6980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1427fcd1980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2e30c2b6b993/disk-9044d25b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3d70a04f3d64/vmlinux-9044d25b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/81476c392e7d/bzImage-9044d25b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0d3fde04dcfd/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+949ce2...@syzkaller.appspotmail.com
EXT4-fs error (device loop0): make_indexed_dir:2284: inode #2: block 255: comm syz-executor242: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0
EXT4-fs warning (device loop0): dx_probe:832: inode #2: comm syz-executor242: Unrecognised inode hash code 49
EXT4-fs warning (device loop0): dx_probe:965: inode #2: comm syz-executor242: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff88811d6ca003 by task syz-executor242/298
CPU: 1 PID: 298 Comm: syz-executor242 Not tainted 5.15.150-syzkaller-00330-g9044d25b8ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
__ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
ext4_readdir+0x1490/0x38d0 fs/ext4/dir.c:258
iterate_dir+0x265/0x610
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
__x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3d06e270e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4f057368 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3d06e270e9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00007fff4f05739c R09: 00007fff4f05739c
R10: 00007fff4f05739c R11: 0000000000000246 R12: 00007fff4f05739c
R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007fff4f0573d0
</TASK>
The buggy address belongs to the page:
page:ffffea000475b280 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11d6ca
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000475b2c8 ffffea000478a008 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 236, ts 16085646426, free_ts 16087143754
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
__alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
__alloc_pages_node include/linux/gfp.h:591 [inline]
alloc_pages_node include/linux/gfp.h:605 [inline]
alloc_pages include/linux/gfp.h:618 [inline]
do_anonymous_page mm/memory.c:4032 [inline]
handle_pte_fault+0xea0/0x24d0 mm/memory.c:4869
do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
handle_mm_fault include/linux/mm.h:1836 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
handle_page_fault arch/x86/mm/fault.c:1549 [inline]
exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1471 [inline]
free_pcp_prepare mm/page_alloc.c:1543 [inline]
free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
release_pages+0x1310/0x1370 mm/swap.c:1009
free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2691
__do_munmap+0x1421/0x1a90 mm/mmap.c:2925
__vm_munmap+0x166/0x2a0 mm/mmap.c:2948
__do_sys_munmap mm/mmap.c:2974 [inline]
__se_sys_munmap mm/mmap.c:2970 [inline]
__x64_sys_munmap+0x6b/0x80 mm/mmap.c:2970
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88811d6c9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88811d6c9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88811d6ca000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88811d6ca080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811d6ca100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_readdir:260: inode #2: block 255: comm syz-executor242: path /root/syzkaller.foR9l2/1/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages