syzbot


KASAN: use-after-free Read in ntfs_lookup_inode_by_name

Status: fixed on 2024/03/20 11:33
Subsystems: ntfs3
[Documentation on labels]
Reported-by: syzbot+3625b78845a725e80f61@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 509d, last: 69d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (3)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_lookup_inode_by_name 1 (3) 2024/03/14 09:04
[syzbot] Monthly ntfs report (May 2023) 0 (1) 2023/05/02 07:18
[syzbot] Monthly ntfs report 0 (1) 2023/03/31 15:00
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream missing-backport C 4 23d 370d 0/3 upstream: reported C repro on 2023/05/14 03:12
linux-5.15 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream missing-backport C error 8 46d 402d 0/3 upstream: reported C repro on 2023/04/12 03:50
linux-4.19 KASAN: use-after-free Read in ntfs_lookup_inode_by_name ntfs C error 1 497d 497d 0/1 upstream: reported C repro on 2023/01/07 03:24
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/03/08 14:27 23m retest repro upstream OK log
2024/03/08 08:37 20m retest repro upstream OK log
2024/03/08 08:37 22m retest repro upstream OK log
2024/02/18 05:52 25m retest repro upstream OK log
2024/02/04 01:08 25m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/02/02 01:51 41m retest repro upstream OK log
2024/02/02 01:51 19m retest repro upstream OK log
2023/12/29 06:34 15m retest repro upstream report log
2023/12/29 06:34 16m retest repro upstream report log
2023/12/29 06:34 14m retest repro upstream report log
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2024/02/26 20:13 4h55m bisect fix upstream job log (1)
2023/06/12 11:21 46m bisect fix upstream job log (0) log
2023/03/20 16:54 47m bisect fix upstream job log (0) log
2023/02/01 20:05 46m bisect fix upstream job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
Read of size 8 at addr ffff0000de9fc968 by task syz-executor318/6190

CPU: 1 PID: 6190 Comm: syz-executor318 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 sle64_to_cpup fs/ntfs/endian.h:46 [inline]
 ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
 check_windows_hibernation_status+0xe4/0x630 fs/ntfs/super.c:1282
 load_system_files+0x34a0/0x4740 fs/ntfs/super.c:1997
 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900
 mount_bdev+0x1d4/0x2a0 fs/super.c:1658
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x288 fs/super.c:1779
 do_new_mount+0x278/0x900 fs/namespace.c:3352
 path_mount+0x590/0xe04 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3875
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the physical page:
page:000000002a6c09c4 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11e9fc
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000000 fffffdffc37a7f48 fffffdffc37777c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000de9fc800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000de9fc880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000de9fc900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff0000de9fc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000de9fca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/03/09 22:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 6ee49f2e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2024/03/09 22:24 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 6ee49f2e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/12/15 06:10 upstream c7402612e2e6 3222d10c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/09/30 21:58 upstream 9f3ebbef746f 8e26a358 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/21 19:50 upstream e660abd551f1 09ffe269 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/18 10:52 upstream 1b29d271614a f3921d4d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:19 upstream cc3c44c9fda2 ecca8a24 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2022/12/26 07:18 upstream 1b929c02afd3 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/01 03:09 linux-next ec8939156379 2a0d0f29 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 14f8db1c0f9a ecca8a24 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2024/01/19 01:34 upstream 86c4d58a99ab 21772ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/18 19:55 upstream 0e8860d2125f acb1ba71 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/29 15:58 upstream b19edac5992d 134ddc02 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/25 03:11 upstream 1a0beef98b58 65320f8e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/02/18 16:53 upstream 38f8ccde04a3 d02e9a70 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/04 13:07 linux-next bdffb18b5dd8 74621247 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/05 21:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 59caa87f9dfb 8b834965 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
* Struck through repros no longer work on HEAD.