syzbot


KASAN: out-of-bounds Read in hfsplus_bnode_move

Status: upstream: reported C repro on 2024/01/22 09:48
Subsystems: hfs
[Documentation on labels]
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
First crash: 91d, last: 30d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: wild-memory-access Read in hfsplus_bnode_move (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move 0 (1) 2024/01/22 09:48
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/02/20 12:32 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/02/05 18:02 11m retest repro upstream report log
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2024/03/21 13:50 1h48m bisect fix upstream job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr 000508800000104e by task syz-executor353/5048

CPU: 0 PID: 5048 Comm: syz-executor353 Not tainted 6.7.0-syzkaller-12829-g125514880ddd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_report+0xe6/0x540 mm/kasan/report.c:491
 kasan_report+0x142/0x170 mm/kasan/report.c:601
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
 __asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
 hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
 hfsplus_brec_insert+0x61c/0xdd0 fs/hfsplus/brec.c:128
 hfsplus_create_attr+0x49e/0x630 fs/hfsplus/attributes.c:252
 __hfsplus_setxattr+0x6fe/0x22d0 fs/hfsplus/xattr.c:354
 hfsplus_initxattrs+0x158/0x220 fs/hfsplus/xattr_security.c:59
 security_inode_init_security+0x2a7/0x470 security/security.c:1752
 hfsplus_fill_super+0x14d3/0x1c90 fs/hfsplus/super.c:567
 mount_bdev+0x206/0x2d0 fs/super.c:1663
 legacy_get_tree+0xef/0x190 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x2a0 fs/super.c:1784
 do_new_mount+0x2be/0xb40 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd7936b4d3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff572a70a8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff572a70c0 RCX: 00007fd7936b4d3a
RDX: 0000000020000040 RSI: 0000000020000240 RDI: 00007fff572a70c0
RBP: 0000000000000004 R08: 00007fff572a7100 R09: 00000000000006c8
R10: 0000000000800000 R11: 0000000000000286 R12: 0000000000800000
R13: 00007fff572a7100 R14: 0000000000000003 R15: 0000000000080000
 </TASK>
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/21 05:19 upstream 125514880ddd 9bd8dcda .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 06:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 0802e17d9aca 9bd8dcda .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 05:05 upstream 125514880ddd 9bd8dcda .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: out-of-bounds Read in hfsplus_bnode_move
* Struck through repros no longer work on HEAD.