syzbot


KASAN: null-ptr-deref Write in udf_write_fi

Status: upstream: reported C repro on 2023/05/29 04:55
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+29af8562a899a5d033ec@syzkaller.appspotmail.com
First crash: 323d, last: 35d
Bug presence (2)
Date Name Commit Repro Result
2023/05/29 linux-6.1.y (ToT) a343b0dd87b4 C [report] KASAN: null-ptr-deref Write in udf_write_fi
2023/05/29 upstream (ToT) 8b817fded42d C Didn't crash
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: out-of-bounds Write in udf_write_fi origin:lts-only C done 17 131d 378d 0/3 upstream: reported C repro on 2023/04/03 11:46
linux-4.19 KASAN: out-of-bounds Write in udf_write_fi udf C error 9 419d 800d 0/1 upstream: reported C repro on 2022/02/06 00:22
upstream KASAN: null-ptr-deref Write in udf_write_fi udf C inconclusive done 51 444d 567d 22/26 fixed on 2023/06/08 14:41
linux-4.14 KASAN: out-of-bounds Write in udf_write_fi C 1 418d 418d 0/1 upstream: reported C repro on 2023/02/23 05:38
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/11/25 03:02 1h42m fix candidate upstream job log (0)
2023/10/10 09:20 12h31m fix candidate upstream error job log (0)

Sample crash report:
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
==================================================================
BUG: KASAN: null-ptr-deref in udf_write_fi+0x3e4/0x920
Write of size 18446744073709551572 at addr 0000000000000020 by task syz-executor239/4225

CPU: 0 PID: 4225 Comm: syz-executor239 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_report+0xe4/0x4c0 mm/kasan/report.c:398
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 memset+0x40/0x70 mm/kasan/shadow.c:44
 udf_write_fi+0x3e4/0x920
 udf_delete_entry fs/udf/namei.c:577 [inline]
 udf_rename+0x90c/0x10b0 fs/udf/namei.c:1173
 vfs_rename+0x9e0/0xe80 fs/namei.c:4779
 do_renameat2+0x980/0x1040 fs/namei.c:4930
 __do_sys_renameat fs/namei.c:4970 [inline]
 __se_sys_renameat fs/namei.c:4967 [inline]
 __arm64_sys_renameat+0xc8/0xe4 fs/namei.c:4967
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4225 Comm: syz-executor239 Tainted: G    B              6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : crc_itu_t+0x5c/0x108 lib/crc-itu-t.c:60
lr : crc_itu_t+0x38/0x108 lib/crc-itu-t.c:59
sp : ffff80001da17520
x29: ffff80001da17530 x28: 0000000000000000 x27: 00000000fffffff0
x26: ffff80001da176e8 x25: 1ffff00003b42edd x24: ffff800012722200
x23: 000000000000ffd9 x22: dfff800000000000 x21: 000000000000001a
x20: 000000000000001a x19: 00000000a79d5f14 x18: 1fffe000368b6176
x17: 0000000000000000 x16: ffff8000120fc834 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
x11: ff8080000aacd0e4 x10: 0000000000000000 x9 : 0000000000000002
x8 : 0000000000000003 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001da16d58 x4 : ffff800015692ac0 x3 : ffff8000081ae34c
x2 : 000000000000ffda x1 : 000000000000ffda x0 : 0000000000000000
Call trace:
 crc_itu_t+0x5c/0x108 lib/crc-itu-t.c:60
 udf_write_fi+0x4cc/0x920 fs/udf/namei.c:103
 udf_delete_entry fs/udf/namei.c:577 [inline]
 udf_rename+0x90c/0x10b0 fs/udf/namei.c:1173
 vfs_rename+0x9e0/0xe80 fs/namei.c:4779
 do_renameat2+0x980/0x1040 fs/namei.c:4930
 __do_sys_renameat fs/namei.c:4970 [inline]
 __se_sys_renameat fs/namei.c:4967 [inline]
 __arm64_sys_renameat+0xc8/0xe4 fs/namei.c:4967
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: b003e2b8 91080318 d343fea8 12000aa9 (38f66908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	b003e2b8 	adrp	x24, 0x7c55000
   4:	91080318 	add	x24, x24, #0x200
   8:	d343fea8 	lsr	x8, x21, #3
   c:	12000aa9 	and	w9, w21, #0x7
* 10:	38f66908 	ldrsb	w8, [x8, x22] <-- trapping instruction

Crashes (16):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/05/29 08:01 linux-6.1.y a343b0dd87b4 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/07/02 21:26 linux-6.1.y 0f4ac6b4c5f0 bfc47836 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/12/07 01:27 linux-6.1.y c6114c845984 e3299f55 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2024/03/11 21:53 linux-6.1.y 61adba85cc40 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/09/16 03:04 linux-6.1.y 09045dae0d90 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/08/21 12:19 linux-6.1.y 6c44e13dc284 d216d8a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/08/10 07:29 linux-6.1.y 0a4a7855302d 13ca4cd6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/06/27 22:07 linux-6.1.y e84a4e368abe 4cd5bb25 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/05/29 04:54 linux-6.1.y a343b0dd87b4 cf184559 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/12/23 20:22 linux-6.1.y 4aa6747d9352 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2023/12/07 00:02 linux-6.1.y c6114c845984 e3299f55 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2024/02/21 23:05 linux-6.1.y 8b4118fabd6e 345111b5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/07/06 17:25 linux-6.1.y 61fd484b2cf6 1a2f6297 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2023/06/18 15:09 linux-6.1.y ca87e77a2ef8 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2023/06/18 14:54 linux-6.1.y ca87e77a2ef8 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in udf_write_fi
2023/08/14 23:39 linux-6.1.y 1321ab403b38 39990d51 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
* Struck through repros no longer work on HEAD.