syzbot


KASAN: use-after-free Read in crc_itu_t

Status: upstream: reported C repro on 2022/12/03 10:52
Subsystems: udf
[Documentation on labels]
Reported-by: syzbot+61dc8a985ba563bda1a0@syzkaller.appspotmail.com
First crash: 672d, last: 630d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in crc_itu_t udf C inconclusive done 50 284d 734d 25/28 fixed on 2024/01/30 23:26
linux-6.1 KASAN: use-after-free Read in crc_itu_t origin:upstream C 5 25d 494d 0/3 upstream: reported C repro on 2023/05/30 07:40
linux-4.14 general protection fault in crc_itu_t udf C 2 580d 645d 0/1 upstream: reported C repro on 2022/12/29 23:30
linux-5.15 KASAN: use-after-free Read in crc_itu_t origin:upstream C 4 34d 555d 0/3 upstream: reported C repro on 2023/03/29 16:09

Sample crash report:
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
audit: type=1800 audit(1673668096.604:2): pid=8092 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor107" name="bus" dev="loop0" ino=861 res=0
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62
Read of size 1 at addr ffff8880abe7c000 by task syz-executor107/8092

CPU: 1 PID: 8092 Comm: syz-executor107 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
 crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62
 udf_close_lvid+0x47a/0x770 fs/udf/super.c:2064
 udf_put_super+0x217/0x290 fs/udf/super.c:2361
 generic_shutdown_super+0x144/0x370 fs/super.c:456
 kill_block_super+0x97/0xf0 fs/super.c:1185
 deactivate_locked_super+0x94/0x160 fs/super.c:329
 deactivate_super+0x174/0x1a0 fs/super.c:360
 cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbf3/0x2be0 kernel/exit.c:870
 do_group_exit+0x125/0x310 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1c881c7e99
Code: Bad RIP value.
RSP: 002b:00007fff19fc78f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f1c8823d410 RCX: 00007f1c881c7e99
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f1c88237e40
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f1c8823d410
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001

Allocated by task 6218:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 prepare_creds+0x39/0x510 kernel/cred.c:255
 do_faccessat+0x94/0x7a0 fs/open.c:359
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6218:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __put_cred+0x1de/0x250 kernel/cred.c:151
 put_cred include/linux/cred.h:279 [inline]
 do_faccessat+0x64e/0x7a0 fs/open.c:438
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880abe7c000
 which belongs to the cache cred_jar of size 184
The buggy address is located 0 bytes inside of
 184-byte region [ffff8880abe7c000, ffff8880abe7c0b8)
The buggy address belongs to the page:
page:ffffea0002af9f00 count:1 mapcount:0 mapping:ffff88813be45b00 index:0xffff8880abe7c400
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ac1148 ffffea0002afe4c8 ffff88813be45b00
raw: ffff8880abe7c400 ffff8880abe7c000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880abe7bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880abe7bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880abe7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880abe7c080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff8880abe7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/14 03:49 linux-4.19.y 3f8a27f9e27b 529798b0 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in crc_itu_t
2023/01/09 06:54 linux-4.19.y 3f8a27f9e27b 1dac8c7a .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in crc_itu_t
2022/12/03 10:52 linux-4.19.y 3f8a27f9e27b e080de16 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 KASAN: use-after-free Read in crc_itu_t
2023/01/01 06:52 linux-4.19.y 3f8a27f9e27b ab32d508 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-19 general protection fault in crc_itu_t
* Struck through repros no longer work on HEAD.