syzbot


KASAN: use-after-free Read in crc_itu_t

Status: upstream: reported C repro on 2023/05/30 07:40
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+5cf976404e004598be30@syzkaller.appspotmail.com
First crash: 391d, last: 36d
Bug presence (1)
Date Name Commit Repro Result
2023/05/30 upstream (ToT) 8b817fded42d C [report] KASAN: use-after-free Read in crc_itu_t
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in crc_itu_t udf C inconclusive done 50 181d 632d 26/27 fixed on 2024/01/30 23:26
linux-4.14 general protection fault in crc_itu_t udf C 2 477d 542d 0/1 upstream: reported C repro on 2022/12/29 23:30
linux-4.19 KASAN: use-after-free Read in crc_itu_t udf C error 4 527d 569d 0/1 upstream: reported C repro on 2022/12/03 10:52
linux-5.15 KASAN: use-after-free Read in crc_itu_t origin:upstream C 4 14d 453d 0/3 upstream: reported C repro on 2023/03/29 16:09
Fix bisection attempts (9)
Created Duration User Patch Repo Result
2024/05/19 01:12 1h24m bisect fix linux-6.1.y job log (0) log
2024/04/13 13:20 1h46m bisect fix linux-6.1.y job log (0) log
2024/03/11 12:54 1h08m bisect fix linux-6.1.y job log (0) log
2024/02/03 07:12 1h03m bisect fix linux-6.1.y job log (0) log
2023/12/30 21:28 1h08m bisect fix linux-6.1.y job log (0) log
2023/11/30 19:37 1h07m bisect fix linux-6.1.y job log (0) log
2023/10/30 10:09 1h32m bisect fix linux-6.1.y job log (0) log
2023/09/28 15:45 1h26m bisect fix linux-6.1.y job log (0) log
2023/07/25 18:02 2h34m bisect fix linux-6.1.y job log (0) log

Sample crash report:
UDF-fs: error (device loop0): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
UDF-fs: warning (device loop0): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff8880713dc000 by task syz-executor159/3543

CPU: 0 PID: 3543 Comm: syz-executor159 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
 udf_finalize_lvid fs/udf/super.c:2022 [inline]
 udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2378
 sync_filesystem+0xe8/0x220 fs/sync.c:56
 generic_shutdown_super+0x6b/0x340 fs/super.c:474
 kill_block_super+0x7a/0xe0 fs/super.c:1450
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x6fb/0x2300 kernel/exit.c:869
 do_group_exit+0x202/0x2b0 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f32f6dca4e9
Code: Unable to access opcode bytes at 0x7f32f6dca4bf.
RSP: 002b:00007ffd883df788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f32f6e69450 RCX: 00007f32f6dca4e9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f32f6e69450
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001c4f700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x713dc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c09f48 ffffea0001c4eb08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 3542, tgid 3542 (sh), ts 64109654106, free_ts 64434310084
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
 prep_new_page mm/page_alloc.c:2540 [inline]
 get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
 __folio_alloc+0xf/0x30 mm/page_alloc.c:5591
 vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2241
 alloc_page_vma include/linux/gfp.h:284 [inline]
 do_anonymous_page mm/memory.c:4123 [inline]
 handle_pte_fault mm/memory.c:4962 [inline]
 __handle_mm_fault mm/memory.c:5106 [inline]
 handle_mm_fault+0x2e85/0x5330 mm/memory.c:5227
 faultin_page mm/gup.c:1009 [inline]
 __get_user_pages+0x4f3/0x1190 mm/gup.c:1233
 __get_user_pages_locked mm/gup.c:1437 [inline]
 __get_user_pages_remote+0x1cd/0x750 mm/gup.c:2190
 get_arg_page+0x147/0x370 fs/exec.c:220
 copy_string_kernel+0x144/0x1e0 fs/exec.c:637
 do_execveat_common+0x3ba/0x720 fs/exec.c:1916
 do_execve fs/exec.c:2016 [inline]
 __do_sys_execve fs/exec.c:2092 [inline]
 __se_sys_execve fs/exec.c:2087 [inline]
 __x64_sys_execve+0x8e/0xa0 fs/exec.c:2087
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1460 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
 free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
 release_pages+0x2836/0x2b40 mm/swap.c:1055
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0xfc/0x210 mm/mmu_gather.c:261
 tlb_finish_mmu+0xce/0x1f0 mm/mmu_gather.c:361
 exit_mmap+0x3c3/0x9f0 mm/mmap.c:3139
 __mmput+0x115/0x3c0 kernel/fork.c:1191
 exit_mm+0x226/0x300 kernel/exit.c:563
 do_exit+0x67e/0x2300 kernel/exit.c:856
 do_group_exit+0x202/0x2b0 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880713dbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880713dbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880713dc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880713dc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880713dc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/05/30 07:39 linux-6.1.y a343b0dd87b4 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in crc_itu_t
2023/06/12 06:26 linux-6.1.y 2f3918bc53fb 49519f06 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in crc_itu_t
2023/06/04 07:39 linux-6.1.y d2869ace6eeb a4ae4f42 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in crc_itu_t
2023/06/03 20:51 linux-6.1.y d2869ace6eeb a4ae4f42 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in crc_itu_t
2023/06/03 17:05 linux-6.1.y d2869ace6eeb a4ae4f42 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in crc_itu_t
* Struck through repros no longer work on HEAD.