[moderation] [ntfs3?] KASAN: stack-out-of-bounds Write in ntfs_get_ea (2)
5 views
Skip to first unread message
syzbot
Jun 27, 2025, 8:57:25 PM6/27/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 9aa9b43d689e Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14336dd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=27f179c74d5c35cd
dashboard link: https://syzkaller.appspot.com/bug?extid=b7cb0cd838e61fe3eea6
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
CC: [almaz.ale...@paragon-software.com linux-...@vger.kernel.org nt...@lists.linux.dev]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/974f3ac1c6a5/disk-9aa9b43d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5b5075d317f/vmlinux-9aa9b43d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f0ba7fec19b/Image-9aa9b43d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b7cb0c...@syzkaller.appspotmail.com
ntfs3(loop2): ino=3, ntfs_set_state failed, -22.
ntfs3(loop2): Failed to load $Extend (-22).
ntfs3(loop2): Failed to initialize $Extend.
==================================================================
BUG: KASAN: stack-out-of-bounds in stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
Write of size 8 at addr ffff80009e276f58 by task syz.2.396/8486
CPU: 0 UID: 0 PID: 8486 Comm: syz.2.396 Not tainted 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
arch_kunwind_consume_entry arch/arm64/kernel/stacktrace.c:380 [inline]
do_kunwind arch/arm64/kernel/stacktrace.c:293 [inline]
kunwind_stack_walk arch/arm64/kernel/stacktrace.c:368 [inline]
arch_stack_walk+0x1dc/0x368 arch/arm64/kernel/stacktrace.c:392
stack_trace_save+0x94/0xd8 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x17c/0x474 mm/slub.c:4842
ntfs_get_ea+0x2bc/0x430 fs/ntfs3/xattr.c:306
ntfs_getxattr+0x1b4/0x540 fs/ntfs3/xattr.c:827
__vfs_getxattr+0x394/0x3c0 fs/xattr.c:423
cap_inode_need_killpriv+0x50/0x78 security/commoncap.c:331
security_inode_need_killpriv+0x90/0x298 security/security.c:2638
dentry_needs_remove_privs fs/inode.c:2172 [inline]
file_remove_privs_flags+0x1d4/0x4ac fs/inode.c:2203
file_modified_flags+0x5c/0x450 fs/inode.c:2363
file_modified+0x24/0x34 fs/inode.c:2392
ntfs_file_write_iter+0x2ac/0x66c fs/ntfs3/file.c:1180
iter_file_splice_write+0x718/0xca4 fs/splice.c:738
ntfs_file_splice_write+0x128/0x198 fs/ntfs3/file.c:1311
do_splice_from fs/splice.c:935 [inline]
direct_splice_actor+0xec/0x14c fs/splice.c:1158
splice_direct_to_actor+0x414/0x994 fs/splice.c:1102
do_splice_direct_actor fs/splice.c:1201 [inline]
do_splice_direct+0x130/0x210 fs/splice.c:1227
do_sendfile+0x3cc/0x658 fs/read_write.c:1370
__do_sys_sendfile64 fs/read_write.c:1431 [inline]
__se_sys_sendfile64 fs/read_write.c:1417 [inline]
__arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1417
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
The buggy address belongs to stack of task syz.2.396/8486
and is located at offset 344 in frame:
stack_trace_save+0x0/0xd8 kernel/stacktrace.c:52
This frame has 1 object:
[32, 56) 'c'
The buggy address belongs to the virtual mapping at
[ffff80009e270000, ffff80009e279000) created by:
copy_process+0x480/0x31ec kernel/fork.c:1999
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x25 pfn:0x133200
memcg:ffff0000cc2b1102
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000025 0000000000000000 00000001ffffffff ffff0000cc2b1102
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80009e276e00: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
ffff80009e276e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80009e276f00: 00 00 00 00 00 00 00 00 00 00 00 f3 00 00 00 00
^
ffff80009e276f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80009e277000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 9aa9b43d689e Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14336dd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=27f179c74d5c35cd
dashboard link: https://syzkaller.appspot.com/bug?extid=b7cb0cd838e61fe3eea6
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
CC: [almaz.ale...@paragon-software.com linux-...@vger.kernel.org nt...@lists.linux.dev]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/974f3ac1c6a5/disk-9aa9b43d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5b5075d317f/vmlinux-9aa9b43d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f0ba7fec19b/Image-9aa9b43d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b7cb0c...@syzkaller.appspotmail.com
ntfs3(loop2): ino=3, ntfs_set_state failed, -22.
ntfs3(loop2): Failed to load $Extend (-22).
ntfs3(loop2): Failed to initialize $Extend.
==================================================================
BUG: KASAN: stack-out-of-bounds in stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
Write of size 8 at addr ffff80009e276f58 by task syz.2.396/8486
CPU: 0 UID: 0 PID: 8486 Comm: syz.2.396 Not tainted 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
arch_kunwind_consume_entry arch/arm64/kernel/stacktrace.c:380 [inline]
do_kunwind arch/arm64/kernel/stacktrace.c:293 [inline]
kunwind_stack_walk arch/arm64/kernel/stacktrace.c:368 [inline]
arch_stack_walk+0x1dc/0x368 arch/arm64/kernel/stacktrace.c:392
stack_trace_save+0x94/0xd8 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x17c/0x474 mm/slub.c:4842
ntfs_get_ea+0x2bc/0x430 fs/ntfs3/xattr.c:306
ntfs_getxattr+0x1b4/0x540 fs/ntfs3/xattr.c:827
__vfs_getxattr+0x394/0x3c0 fs/xattr.c:423
cap_inode_need_killpriv+0x50/0x78 security/commoncap.c:331
security_inode_need_killpriv+0x90/0x298 security/security.c:2638
dentry_needs_remove_privs fs/inode.c:2172 [inline]
file_remove_privs_flags+0x1d4/0x4ac fs/inode.c:2203
file_modified_flags+0x5c/0x450 fs/inode.c:2363
file_modified+0x24/0x34 fs/inode.c:2392
ntfs_file_write_iter+0x2ac/0x66c fs/ntfs3/file.c:1180
iter_file_splice_write+0x718/0xca4 fs/splice.c:738
ntfs_file_splice_write+0x128/0x198 fs/ntfs3/file.c:1311
do_splice_from fs/splice.c:935 [inline]
direct_splice_actor+0xec/0x14c fs/splice.c:1158
splice_direct_to_actor+0x414/0x994 fs/splice.c:1102
do_splice_direct_actor fs/splice.c:1201 [inline]
do_splice_direct+0x130/0x210 fs/splice.c:1227
do_sendfile+0x3cc/0x658 fs/read_write.c:1370
__do_sys_sendfile64 fs/read_write.c:1431 [inline]
__se_sys_sendfile64 fs/read_write.c:1417 [inline]
__arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1417
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
The buggy address belongs to stack of task syz.2.396/8486
and is located at offset 344 in frame:
stack_trace_save+0x0/0xd8 kernel/stacktrace.c:52
This frame has 1 object:
[32, 56) 'c'
The buggy address belongs to the virtual mapping at
[ffff80009e270000, ffff80009e279000) created by:
copy_process+0x480/0x31ec kernel/fork.c:1999
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x25 pfn:0x133200
memcg:ffff0000cc2b1102
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000025 0000000000000000 00000001ffffffff ffff0000cc2b1102
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80009e276e00: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
ffff80009e276e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80009e276f00: 00 00 00 00 00 00 00 00 00 00 00 f3 00 00 00 00
^
ffff80009e276f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80009e277000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 21, 2025, 8:47:19 PM9/21/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages