syzbot

 sign-in | mailing list | source | docs
🐞 Open [698]
🐞 Fixed [97]
🐞 Invalid [561]
Missing Backports [40]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ntfs_read_folio

Status: upstream: reported C repro on 2023/03/18 10:25
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+2fec743e48dcebd0fdc3@syzkaller.appspotmail.com
First crash: 644d, last: 104d
Fix bisection: failed (error log, bisect log)
  
Bug presence (3)
Date Name Commit Repro Result
2024/03/17 linux-6.1.y (ToT) d7543167affd C [report] KASAN: use-after-free Read in ntfs_read_folio
2023/05/05 upstream (ToT) 78b421b6a7c6 C [report] KASAN: use-after-free Read in ntfs_read_folio
2024/03/17 upstream (ToT) 741e9d668aa5 C Didn't crash
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ntfs_read_folio ntfs3 C error done 12 337d 644d 25/28 fixed on 2024/03/20 11:33
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/10/15 01:05 0m bisect fix linux-6.1.y error job log
2024/09/07 15:57 1h34m bisect fix linux-6.1.y OK (0) job log log
2024/03/20 17:24 1h40m fix candidate upstream OK (0) job log
2023/10/02 23:43 11m bisect fix linux-6.1.y error job log
2023/07/11 09:09 2h10m bisect fix linux-6.1.y OK (0) job log log
marked invalid by web-security-scanner@google.com
2023/06/06 19:38 33m bisect fix linux-6.1.y OK (0) job log log
2023/04/17 10:25 57m bisect fix linux-6.1.y OK (0) job log log

Sample crash report:
ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated.  Will not be able to remount read-write.  Run chkdsk.
==================================================================
BUG: KASAN: use-after-free in ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
Read of size 285212680 at addr ffff0000e2ec8a9a by task syz-executor264/4222

CPU: 1 PID: 4222 Comm: syz-executor264 Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 ntfs_read_folio+0x6c0/0x1d70 fs/ntfs/aops.c:489
 filemap_read_folio+0x14c/0x39c mm/filemap.c:2461
 do_read_cache_folio+0x24c/0x544 mm/filemap.c:3598
 do_read_cache_page mm/filemap.c:3640 [inline]
 read_cache_page+0x6c/0x180 mm/filemap.c:3649
 read_mapping_page include/linux/pagemap.h:791 [inline]
 ntfs_map_page fs/ntfs/aops.h:75 [inline]
 ntfs_readdir+0x564/0x2be8 fs/ntfs/dir.c:1243
 iterate_dir+0x1f4/0x4e4
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the physical page:
page:000000001cb9128d refcount:3 mapcount:0 mapping:00000000615e5686 index:0x2 pfn:0x122ec8
memcg:ffff0000c0940000
aops:ntfs_mst_aops ino:0
flags: 0x5ffd60000002056(referenced|uptodate|lru|workingset|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffd60000002056 fffffc0003819448 fffffc00037d1148 ffff0000e2468548
raw: 0000000000000002 ffff0000e250d3a0 00000003ffffffff ffff0000c0940000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e2ed0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000e2ed0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e2ed1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff0000e2ed1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2ed1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/13 10:08 linux-6.1.y 909ba1f1b414 9026e142 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/03/18 10:25 linux-6.1.y 7eaef76fbc46 7939252e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/05/07 12:41 linux-6.1.y ca48fc16c493 90c93c40 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2023/12/29 08:15 linux-6.1.y 4aa6747d9352 fb427a07 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: out-of-bounds Read in ntfs_read_folio
2023/12/29 07:55 linux-6.1.y 4aa6747d9352 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2024/05/13 09:53 linux-6.1.y 909ba1f1b414 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/08/05 21:38 linux-6.1.y 52a953d0934b 4ffcc9ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Write in ntfs_read_folio
* Struck through repros no longer work on HEAD.