KASAN: use-after-free Read in udf_get_filelongad

Status: upstream: reported C repro on 2022/11/26 07:38
First crash: 299d, last: 296d
Fix bisection: failed (error log, bisect log)
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in udf_get_filelongad C 2 203d 292d 0/1 upstream: reported C repro on 2022/12/03 02:46
upstream KASAN: slab-out-of-bounds Read in udf_get_filelongad udf C 2 283d 283d 24/25 fixed on 2023/06/08 14:41

Sample crash report:
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
Read of size 4 at addr ffff8880b0c4c298 by task syz-executor355/8085

CPU: 1 PID: 8085 Comm: syz-executor355 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443
 udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235
 udf_current_aext+0x198/0x900 fs/udf/inode.c:2168
 udf_next_aext+0x200/0x3a0 fs/udf/inode.c:2104
 udf_extend_file fs/udf/inode.c:658 [inline]
 udf_setsize+0x7ca/0x1030 fs/udf/inode.c:1251
 udf_setattr+0x33d/0x430 fs/udf/file.c:278
 notify_change+0x70b/0xfc0 fs/attr.c:334
 do_truncate+0x134/0x1f0 fs/open.c:63
 do_sys_ftruncate+0x492/0x560 fs/open.c:194
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
RIP: 0033:0x7eff30b16939
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe899f6d58 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007eff30b16939
RDX: 00007eff30b16939 RSI: 0100000000000000 RDI: 0000000000000005
RBP: 00007eff30ad61d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007eff30ad6260
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4698:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x560 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1197 [inline]
 netlink_sendmsg+0x9f6/0xc50 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293

Freed by task 6439:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x6de/0x920 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 consume_skb+0x113/0x3d0 net/core/skbuff.c:714
 skb_free_datagram+0x16/0xf0 net/core/datagram.c:329
 netlink_recvmsg+0x627/0xea0 net/netlink/af_netlink.c:1996
 sock_recvmsg_nosec net/socket.c:859 [inline]
 sock_recvmsg net/socket.c:866 [inline]
 sock_recvmsg+0xca/0x110 net/socket.c:862
 ___sys_recvmsg+0x255/0x570 net/socket.c:2389
 __sys_recvmsg net/socket.c:2438 [inline]
 __do_sys_recvmsg net/socket.c:2448 [inline]
 __se_sys_recvmsg net/socket.c:2445 [inline]
 __x64_sys_recvmsg+0x12f/0x220 net/socket.c:2445
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293

The buggy address belongs to the object at ffff8880b0c4c0c0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
 512-byte region [ffff8880b0c4c0c0, ffff8880b0c4c2c0)
The buggy address belongs to the page:
page:ffffea0002c31300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b0c4c0c0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002605608 ffffea0002c31388 ffff88813bff0940
raw: ffff8880b0c4c0c0 ffff8880b0c4c0c0 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b0c4c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b0c4c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b0c4c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880b0c4c300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8880b0c4c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/11/29 09:35 linux-4.19.y 3f8a27f9e27b ca9683b8 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in udf_get_filelongad
2022/11/26 07:37 linux-4.19.y 3f8a27f9e27b f4470a7b .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in udf_get_filelongad
* Struck through repros no longer work on HEAD.