KASAN: use-after-free Read in udf_get

Kernel	Title	Rank 🛈	Repro	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in udf_get_filelongad	19	C	2	1170d	1259d	0/1	upstream: reported C repro on 2022/12/03 02:46
linux-6.1	KASAN: slab-out-of-bounds Read in udf_get_filelongad	17		2	2d22h	2d22h	0/3	upstream: reported on 2026/05/12 16:09
upstream	KASAN: slab-out-of-bounds Read in udf_get_filelongad (2) udf	17	C	4	605d	619d	28/29	fixed on 2024/11/12 23:31
upstream	KASAN: slab-out-of-bounds Read in udf_get_filelongad udf	17	C	2	1250d	1250d	22/29	fixed on 2023/06/08 14:41

UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) ================================================================== BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235 Read of size 4 at addr ffff8880b0c4c298 by task syz-executor355/8085 CPU: 1 PID: 8085 Comm: syz-executor355 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443 udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235 udf_current_aext+0x198/0x900 fs/udf/inode.c:2168 udf_next_aext+0x200/0x3a0 fs/udf/inode.c:2104 udf_extend_file fs/udf/inode.c:658 [inline] udf_setsize+0x7ca/0x1030 fs/udf/inode.c:1251 udf_setattr+0x33d/0x430 fs/udf/file.c:278 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 do_sys_ftruncate+0x492/0x560 fs/open.c:194 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7eff30b16939 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe899f6d58 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007eff30b16939 RDX: 00007eff30b16939 RSI: 0100000000000000 RDI: 0000000000000005 RBP: 00007eff30ad61d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007eff30ad6260 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 4698: __do_kmalloc_node mm/slab.c:3689 [inline] __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703 __kmalloc_reserve net/core/skbuff.c:137 [inline] __alloc_skb+0xae/0x560 net/core/skbuff.c:205 alloc_skb include/linux/skbuff.h:995 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1197 [inline] netlink_sendmsg+0x9f6/0xc50 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:661 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227 __sys_sendmsg net/socket.c:2265 [inline] __do_sys_sendmsg net/socket.c:2274 [inline] __se_sys_sendmsg net/socket.c:2272 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 6439: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 skb_free_head net/core/skbuff.c:563 [inline] skb_release_data+0x6de/0x920 net/core/skbuff.c:583 skb_release_all net/core/skbuff.c:640 [inline] __kfree_skb net/core/skbuff.c:654 [inline] consume_skb+0x113/0x3d0 net/core/skbuff.c:714 skb_free_datagram+0x16/0xf0 net/core/datagram.c:329 netlink_recvmsg+0x627/0xea0 net/netlink/af_netlink.c:1996 sock_recvmsg_nosec net/socket.c:859 [inline] sock_recvmsg net/socket.c:866 [inline] sock_recvmsg+0xca/0x110 net/socket.c:862 ___sys_recvmsg+0x255/0x570 net/socket.c:2389 __sys_recvmsg net/socket.c:2438 [inline] __do_sys_recvmsg net/socket.c:2448 [inline] __se_sys_recvmsg net/socket.c:2445 [inline] __x64_sys_recvmsg+0x12f/0x220 net/socket.c:2445 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880b0c4c0c0 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 472 bytes inside of 512-byte region [ffff8880b0c4c0c0, ffff8880b0c4c2c0) The buggy address belongs to the page: page:ffffea0002c31300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b0c4c0c0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002605608 ffffea0002c31388 ffff88813bff0940 raw: ffff8880b0c4c0c0 ffff8880b0c4c0c0 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b0c4c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b0c4c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880b0c4c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8880b0c4c300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff8880b0c4c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2022/11/29 09:35	linux-4.19.y	3f8a27f9e27b	ca9683b8	.config	console log	report	syz	C		[disk image] [vmlinux] [mounted in repro]	ci2-linux-4-19	KASAN: use-after-free Read in udf_get_filelongad
2022/11/26 07:37	linux-4.19.y	3f8a27f9e27b	f4470a7b	.config	console log	report	syz	C		[disk image] [vmlinux] [mounted in repro]	ci2-linux-4-19	KASAN: use-after-free Read in udf_get_filelongad

Crashes (2):

Assets (help?)