syzbot


KASAN: slab-out-of-bounds Read in squashfs_get_id

Status: fixed on 2021/02/19 15:06
Reported-by: syzbot+5024636e8b5fd19f0f19@syzkaller.appspotmail.com
Fix commit: e5099c0e851a squashfs: add more sanity checks in id lookup
First crash: 1521 days ago, last: 1377 days ago (the dashboard counts days relative to when this page was captured)
Discussions (8)
Title                                                          Replies (incl. bot)  Last reply
[PATCH 4.4 00/35] 4.4.258-rc1 review                           43 (43)              2021/02/25 08:47
[PATCH 4.9 00/49] 4.9.258-rc1 review                           54 (54)              2021/02/23 21:19
[PATCH 4.14 00/57] 4.14.222-rc1 review                         60 (60)              2021/02/23 11:53
[PATCH 5.10 00/54] 5.10.16-rc1 review                          68 (68)              2021/02/17 22:45
[PATCH 5.4 00/24] 5.4.98-rc1 review                            31 (31)              2021/02/13 03:17
[PATCH 4.19 00/24] 4.19.176-rc1 review                         34 (34)              2021/02/12 16:18
[patch 02/14] squashfs: add more sanity checks in id lookup    1 (1)                2021/02/09 21:41
[PATCH V2 2/4] Squashfs: add more sanity checks in id lookup   1 (1)                2021/02/08 07:36
Similar bugs (2)
Kernel      Title                                              Subsystem  Repro  Cause bisect  Fix bisect  Count  Last (days ago)  Reported (days ago)  Patched  Status
upstream    KASAN: slab-out-of-bounds Read in squashfs_get_id  squashfs   C      error         done        77     1383             1520                 20/28    fixed on 2021/03/11 23:45
linux-4.14  KASAN: slab-out-of-bounds Read in squashfs_get_id             C                                11     1370             1523                 1/1      fixed on 2021/02/23 13:44

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:51
Read of size 8 at addr ffff8880a9101698 by task syz-executor533/8104

CPU: 1 PID: 8104 Comm: syz-executor533 Not tainted 4.19.166-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:51
 squashfs_new_inode fs/squashfs/inode.c:68 [inline]
 squashfs_read_inode+0x1ee/0x1b40 fs/squashfs/inode.c:133
 squashfs_fill_super+0x1655/0x1c00 fs/squashfs/super.c:318
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446d2a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffc6644bf98 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc6644bff0 RCX: 0000000000446d2a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc6644bfb0
RBP: 00007ffc6644bfb0 R08: 00007ffc6644bff0 R09: 00007ffc00000015
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

Allocated by task 8104:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 squashfs_read_table+0x42/0x1e3 fs/squashfs/cache.c:426
 squashfs_read_id_index_table+0xab/0x120 fs/squashfs/id.c:90
 squashfs_fill_super+0xcfb/0x1c00 fs/squashfs/super.c:246
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 rh_call_control drivers/usb/core/hcd.c:728 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:838 [inline]
 usb_hcd_submit_urb+0xb93/0x23c0 drivers/usb/core/hcd.c:1651
 usb_submit_urb+0xb2f/0x13b0 drivers/usb/core/urb.c:571
 usb_start_wait_urb+0x108/0x4c0 drivers/usb/core/message.c:57
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
 get_hub_status drivers/usb/core/hub.c:553 [inline]
 hub_hub_status+0xd5/0x380 drivers/usb/core/hub.c:904
 hub_configure drivers/usb/core/hub.c:1574 [inline]
 hub_probe+0x1b0a/0x2e10 drivers/usb/core/hub.c:1849
 usb_probe_interface+0x317/0x9d0 drivers/usb/core/driver.c:361
 really_probe+0x622/0xbd0 drivers/base/dd.c:504
 driver_probe_device+0x218/0x340 drivers/base/dd.c:665
 __device_attach_driver+0x29e/0x370 drivers/base/dd.c:752
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:464
 __device_attach+0x226/0x470 drivers/base/dd.c:820
 bus_probe_device+0x1ea/0x2a0 drivers/base/bus.c:524
 device_add+0xb37/0x16d0 drivers/base/core.c:2154
 usb_set_configuration+0x1016/0x18c0 drivers/usb/core/message.c:2016
 generic_probe+0xcb/0x130 drivers/usb/core/generic.c:174
 usb_probe_device+0xb8/0x150 drivers/usb/core/driver.c:266
 really_probe+0x622/0xbd0 drivers/base/dd.c:504
 driver_probe_device+0x218/0x340 drivers/base/dd.c:665
 __device_attach_driver+0x29e/0x370 drivers/base/dd.c:752
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:464
 __device_attach+0x226/0x470 drivers/base/dd.c:820
 bus_probe_device+0x1ea/0x2a0 drivers/base/bus.c:524
 device_add+0xb37/0x16d0 drivers/base/core.c:2154
 usb_new_device+0xa06/0x1930 drivers/usb/core/hub.c:2519
 register_root_hub drivers/usb/core/hcd.c:1105 [inline]
 usb_add_hcd+0xd0b/0x1ce0 drivers/usb/core/hcd.c:2882
 vhci_hcd_probe+0x1c0/0x3a0 drivers/usb/usbip/vhci_hcd.c:1369
 platform_drv_probe+0xd4/0x1b0 drivers/base/platform.c:584
 really_probe+0x622/0xbd0 drivers/base/dd.c:504
 driver_probe_device+0x218/0x340 drivers/base/dd.c:665
 __device_attach_driver+0x29e/0x370 drivers/base/dd.c:752
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:464
 __device_attach+0x226/0x470 drivers/base/dd.c:820
 bus_probe_device+0x1ea/0x2a0 drivers/base/bus.c:524
 device_add+0xb37/0x16d0 drivers/base/core.c:2154
 platform_device_add+0x364/0x830 drivers/base/platform.c:420
 vhci_hcd_init+0x341/0x485 drivers/usb/usbip/vhci_hcd.c:1539
 do_one_initcall+0xf1/0x734 init/main.c:884
 do_initcall_level init/main.c:952 [inline]
 do_initcalls init/main.c:960 [inline]
 do_basic_setup init/main.c:978 [inline]
 kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
 kernel_init+0xd/0x1c0 init/main.c:1062
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880a9101680
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 24 bytes inside of
 32-byte region [ffff8880a9101680, ffff8880a91016a0)
The buggy address belongs to the page:
page:ffffea0002a44040 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff8880a9101fc1
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a40f08 ffff88813bff1248 ffff88813bff01c0
raw: ffff8880a9101fc1 ffff8880a9101000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a9101580: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
 ffff8880a9101600: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
>ffff8880a9101680: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                            ^
 ffff8880a9101700: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
 ffff8880a9101780: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
==================================================================
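Reading the report above: the object was allocated by squashfs_read_id_index_table (id.c:90) through squashfs_read_table, so it is the id index table, an array of 8-byte metadata block starts whose length is derived from the superblock's no_ids. The KASAN shadow line for the object (`00 fc fc fc ...`) shows that only the first 8 bytes of the 32-byte kmalloc-32 slot were allocated, so the table holds a single entry, while the faulting 8-byte read lands 24 bytes in, at entry 3. That is what happens when a crafted inode carries a uid or gid index of 6144 or more (6144 ids of 4 bytes each span three 8192-byte metadata blocks) while no_ids says 1: squashfs_get_id (id.c:51), reached from squashfs_new_inode while squashfs_fill_super reads the root inode, turns the index into a block number and subscripts the table without comparing the index against no_ids. The "Freed by task 1" USB trace is KASAN's record of the slot's previous occupant and has nothing to do with squashfs. The C program below is an added example written for this page, not driver code and not the text of the fix commit; it models the offset arithmetic with the same macro layout as fs/squashfs/squashfs_fs.h, the pre-fix unchecked subscript, the bounds check that closes the hole, and a mount-time table validation reconstructed from the fix's description. The struct, the function names and the 65535 limit on no_ids are the example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Editor's userspace model of the squashfs id lookup path. Ids are 4-byte
 * values packed into 8 KiB metadata blocks; the id index table is an array of
 * 8-byte on-disk block starts, one per metadata block.
 */
#define SQUASHFS_METADATA_SIZE      8192u
#define SQUASHFS_ID_BYTES(A)        ((uint64_t)(A) * sizeof(uint32_t))
#define SQUASHFS_ID_BLOCK(A)        (SQUASHFS_ID_BYTES(A) / SQUASHFS_METADATA_SIZE)
#define SQUASHFS_ID_BLOCK_OFFSET(A) (SQUASHFS_ID_BYTES(A) % SQUASHFS_METADATA_SIZE)
#define SQUASHFS_ID_BLOCKS(A)       ((SQUASHFS_ID_BYTES(A) + SQUASHFS_METADATA_SIZE - 1) / \
                                     SQUASHFS_METADATA_SIZE)
#define SQUASHFS_ID_BLOCK_BYTES(A)  (SQUASHFS_ID_BLOCKS(A) * sizeof(uint64_t))

/* Hypothetical mount-time state; field names are the model's, not the driver's. */
struct sb_model {
    unsigned int ids;          /* no_ids from the superblock */
    uint64_t id_table_start;   /* on-disk offset of the index table */
    uint64_t next_table_start; /* offset of whatever follows the index table */
    const uint64_t *id_table;  /* SQUASHFS_ID_BLOCKS(ids) entries, kmalloc'd by the driver */
};

/*
 * Pre-fix behaviour: the block number derived from an inode's uid/gid index is
 * used as an array subscript with no comparison against no_ids. This returns
 * the byte offset into the table that would be read, so a caller can compare
 * it against the table's real size instead of performing the bad read.
 */
static uint64_t unchecked_table_read_offset(unsigned int index)
{
    return SQUASHFS_ID_BLOCK(index) * sizeof(uint64_t);
}

/*
 * Post-fix behaviour, modelled: refuse any index at or beyond the superblock's
 * declared count before it becomes a subscript. On success, returns the block
 * start and in-block offset the driver would pass to squashfs_read_metadata.
 */
static int checked_get_id(const struct sb_model *sb, unsigned int index,
                          uint64_t *start_block, unsigned int *offset)
{
    if (index >= sb->ids)
        return -EINVAL;
    *start_block = sb->id_table[SQUASHFS_ID_BLOCK(index)];
    *offset = (unsigned int)SQUASHFS_ID_BLOCK_OFFSET(index);
    return 0;
}

/*
 * Mount-time validation, the editor's reconstruction of the kind of checks the
 * fix adds (not the commit text): the index table must be exactly the length
 * no_ids implies, and every block start in it must lie before the index table
 * itself and in increasing order.
 */
static int validate_id_table(const struct sb_model *sb)
{
    uint64_t n, blocks = SQUASHFS_ID_BLOCKS(sb->ids);

    if (sb->ids == 0 || sb->ids > 65535)   /* assumption: no_ids is a 16-bit field */
        return -EINVAL;
    if (sb->next_table_start < sb->id_table_start ||
        sb->next_table_start - sb->id_table_start != SQUASHFS_ID_BLOCK_BYTES(sb->ids))
        return -EINVAL;
    for (n = 0; n < blocks; n++) {
        if (sb->id_table[n] >= sb->id_table_start)
            return -EINVAL;
        if (n > 0 && sb->id_table[n] <= sb->id_table[n - 1])
            return -EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario matching the report: one id, hence a one-entry
     * (8-byte) table, and an inode whose uid index is 6144. */
    static const uint64_t one_entry_table[1] = { 96 };
    struct sb_model sb = {
        .ids = 1, .id_table_start = 200, .next_table_start = 208,
        .id_table = one_entry_table,
    };
    uint64_t start;
    unsigned int off;

    printf("table valid: %d\n", validate_id_table(&sb) == 0);
    printf("unchecked lookup of index 6144 reads byte %llu of an 8-byte table\n",
           (unsigned long long)unchecked_table_read_offset(6144));
    printf("checked lookup of index 6144: %d\n",
           checked_get_id(&sb, 6144, &start, &off));
    printf("checked lookup of index 0: %d (block %llu, offset %u)\n",
           checked_get_id(&sb, 0, &start, &off), (unsigned long long)start, off);
    return 0;
}
```

The 24-byte offset the program computes for index 6144 is the "24 bytes inside of 32-byte region" in the report; the bounds check in checked_get_id turns that read into -EINVAL, and validate_id_table rejects an image whose index table is longer or shorter than no_ids allows before any inode is looked up.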

Crashes (58):
Columns: Time, Kernel, Commit, Syzkaller, Config, Log, Report, Syz repro, C repro, VM info, Assets, Manager, Title. In the rows below, ".config", "console log", "report", "syz", "C" and "info" are the dashboard's link labels for the saved kernel config, console log, crash report, syzkaller reproducer, C reproducer and VM info; the links themselves are not preserved here. A row without "syz C" has no reproducer, and the Assets column is empty for every row.
2021/01/12 04:34 linux-4.19.y 610bdbf6a174 2c1f2513 .config console log report syz C ci2-linux-4-19
2020/10/16 07:53 linux-4.19.y a1b977b49b66 6e262c73 .config console log report syz C ci2-linux-4-19
2020/10/11 13:49 linux-4.19.y a1b977b49b66 4a77ae0b .config console log report syz C ci2-linux-4-19
2020/10/08 04:46 linux-4.19.y a1b977b49b66 1880b4a9 .config console log report syz C ci2-linux-4-19
2020/10/01 00:48 linux-4.19.y 10ad6cfd5736 a9767fb2 .config console log report syz C ci2-linux-4-19
2020/09/24 08:32 linux-4.19.y d09b80172c22 54289b08 .config console log report syz C ci2-linux-4-19
2021/02/15 07:58 linux-4.19.y 811218eceeaa 98682e5e .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/09 04:54 linux-4.19.y 811218eceeaa 2bd9619f .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/07 20:53 linux-4.19.y 811218eceeaa 2ce644fc .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/07 04:03 linux-4.19.y 811218eceeaa 0655e081 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/03 17:09 linux-4.19.y 811218eceeaa 624dad51 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/03 10:35 linux-4.19.y 811218eceeaa 624dad51 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/02/02 00:24 linux-4.19.y 811218eceeaa e6b95f32 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/29 13:09 linux-4.19.y c4ff839de17f 6593fd32 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/29 11:03 linux-4.19.y c4ff839de17f 6593fd32 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/29 06:10 linux-4.19.y c4ff839de17f 7df34f59 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/21 11:16 linux-4.19.y 43d555d83c3f d4f4eca5 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/19 00:57 linux-4.19.y c110fed0e606 63631df1 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in squashfs_get_id
2021/01/15 17:45 linux-4.19.y 675cc038067f 65a7a854 .config console log report info ci2-linux-4-19
2021/01/13 01:51 linux-4.19.y 675cc038067f 0cdd6185 .config console log report info ci2-linux-4-19
2021/01/12 14:47 linux-4.19.y 610bdbf6a174 2c1f2513 .config console log report info ci2-linux-4-19
2021/01/11 19:18 linux-4.19.y 610bdbf6a174 2c1f2513 .config console log report info ci2-linux-4-19
2021/01/07 19:57 linux-4.19.y 4143d798313f c104d4a3 .config console log report info ci2-linux-4-19
2021/01/05 21:38 linux-4.19.y 3207316b3bee a0234d98 .config console log report info ci2-linux-4-19
2021/01/05 19:13 linux-4.19.y 3207316b3bee a0234d98 .config console log report info ci2-linux-4-19
2021/01/05 12:36 linux-4.19.y 3207316b3bee a0234d98 .config console log report info ci2-linux-4-19
2021/01/02 20:03 linux-4.19.y 3207316b3bee 79264ae3 .config console log report info ci2-linux-4-19
2020/12/17 16:47 linux-4.19.y 13d2ce42de8c 04201c06 .config console log report info ci2-linux-4-19
2020/12/12 22:36 linux-4.19.y 13d2ce42de8c bca53db9 .config console log report info ci2-linux-4-19
2020/12/12 10:30 linux-4.19.y 13d2ce42de8c bca53db9 .config console log report info ci2-linux-4-19
2020/12/05 06:20 linux-4.19.y daefdc9eb24b 20366b87 .config console log report info ci2-linux-4-19
2020/11/28 01:05 linux-4.19.y 0c88e405c97e 486f93ef .config console log report info ci2-linux-4-19
2020/11/26 21:31 linux-4.19.y 0c88e405c97e 2f1cec62 .config console log report info ci2-linux-4-19
2020/11/23 02:11 linux-4.19.y 76bda503e640 0d27f508 .config console log report info ci2-linux-4-19
2020/11/19 10:38 linux-4.19.y 2c746135a12e 0767f13f .config console log report info ci2-linux-4-19
2020/11/15 05:24 linux-4.19.y 31acccdc8774 1bf9a662 .config console log report info ci2-linux-4-19
2020/11/12 19:40 linux-4.19.y 31acccdc8774 77a55c8e .config console log report info ci2-linux-4-19
2020/11/06 07:41 linux-4.19.y b94de4d19498 cba33199 .config console log report info ci2-linux-4-19
2020/11/05 22:39 linux-4.19.y b94de4d19498 cba33199 .config console log report info ci2-linux-4-19
2020/11/04 06:40 linux-4.19.y f5d8eef067ac cba33199 .config console log report info ci2-linux-4-19
2020/10/31 20:17 linux-4.19.y f5d8eef067ac 8bc4594f .config console log report info ci2-linux-4-19
2020/10/30 06:18 linux-4.19.y 79524e8c64bd a0c7169a .config console log report info ci2-linux-4-19
2020/10/29 21:34 linux-4.19.y 79524e8c64bd a0c7169a .config console log report info ci2-linux-4-19
2020/10/26 02:20 linux-4.19.y ad326970d25c a1839e81 .config console log report info ci2-linux-4-19
2020/10/25 20:40 linux-4.19.y ad326970d25c a1839e81 .config console log report info ci2-linux-4-19
2020/10/20 23:59 linux-4.19.y ad326970d25c ff4a3345 .config console log report info ci2-linux-4-19
2020/10/18 08:34 linux-4.19.y ad326970d25c fea47c01 .config console log report info ci2-linux-4-19
2020/10/17 23:58 linux-4.19.y ad326970d25c fea47c01 .config console log report info ci2-linux-4-19
2020/10/09 16:50 linux-4.19.y a1b977b49b66 fa79ed2a .config console log report info ci2-linux-4-19
2020/10/07 17:33 linux-4.19.y a1b977b49b66 1880b4a9 .config console log report info ci2-linux-4-19
2020/10/05 14:49 linux-4.19.y b09c34517e1a 1880b4a9 .config console log report info ci2-linux-4-19
2020/10/01 04:39 linux-4.19.y 10ad6cfd5736 a9767fb2 .config console log report info ci2-linux-4-19
2020/09/27 10:02 linux-4.19.y 10ad6cfd5736 5dd8aee8 .config console log report info ci2-linux-4-19
2020/09/26 06:49 linux-4.19.y d09b80172c22 4a006f63 .config console log report info ci2-linux-4-19
2020/09/26 03:04 linux-4.19.y d09b80172c22 4a006f63 .config console log report info ci2-linux-4-19
2020/09/25 08:29 linux-4.19.y d09b80172c22 54289b08 .config console log report info ci2-linux-4-19
2020/09/24 18:56 linux-4.19.y d09b80172c22 54289b08 .config console log report info ci2-linux-4-19
2020/09/24 08:20 linux-4.19.y d09b80172c22 54289b08 .config console log report info ci2-linux-4-19