syzbot


KASAN: use-after-free Read in udf_get_filelongad

Status: upstream: reported C repro on 2022/12/03 02:46
Reported-by: syzbot+71309098e18549147e83@syzkaller.appspotmail.com
First crash: 563d, last: 474d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in udf_get_filelongad C error 2 566d 569d 0/1 upstream: reported C repro on 2022/11/26 07:38
upstream KASAN: slab-out-of-bounds Read in udf_get_filelongad udf C 2 554d 553d 22/27 fixed on 2023/06/08 14:41
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/03/02 03:57 30m bisect fix linux-4.14.y job log (0) log
2023/01/29 23:48 39m bisect fix linux-4.14.y job log (0) log

Sample crash report:
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in udf_get_filelongad+0x111/0x120 fs/udf/directory.c:237
Read of size 4 at addr ffff888094231a18 by task syz-executor833/7967

CPU: 1 PID: 7967 Comm: syz-executor833 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 udf_get_filelongad+0x111/0x120 fs/udf/directory.c:237
 udf_current_aext+0x183/0x8b0 fs/udf/inode.c:2179
 udf_next_aext+0x1f5/0x360 fs/udf/inode.c:2115
 udf_extend_file fs/udf/inode.c:657 [inline]
 udf_setsize+0x69f/0xe90 fs/udf/inode.c:1251
 udf_setattr+0xd2/0x130 fs/udf/file.c:268
 notify_change+0x56b/0xd10 fs/attr.c:315
 do_truncate+0xff/0x1a0 fs/open.c:63
 do_sys_ftruncate.constprop.0+0x3a3/0x480 fs/open.c:205
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Allocated by task 6061:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0x96/0x510 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 kobject_uevent_env+0x882/0xf30 lib/kobject_uevent.c:480
 kobject_synth_uevent+0x5b6/0x6d0 lib/kobject_uevent.c:205
 uevent_store+0x21/0x60 drivers/base/core.c:1020
 dev_attr_store+0x56/0x80 drivers/base/core.c:738
 sysfs_kf_write+0x106/0x160 fs/sysfs/file.c:142
 kernfs_fop_write+0x289/0x440 fs/kernfs/file.c:316
 __vfs_write+0xe4/0x630 fs/read_write.c:480
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 4628:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x5f6/0x820 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 consume_skb+0xe0/0x380 net/core/skbuff.c:714
 skb_free_datagram+0x16/0xe0 net/core/datagram.c:331
 netlink_recvmsg+0x535/0xce0 net/netlink/af_netlink.c:1971
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc0/0x100 net/socket.c:822
 ___sys_recvmsg+0x20b/0x4d0 net/socket.c:2221
 __sys_recvmsg+0xa0/0x120 net/socket.c:2266
 SYSC_recvmsg net/socket.c:2278 [inline]
 SyS_recvmsg+0x27/0x40 net/socket.c:2273
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the object at ffff888094231840
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 472 bytes inside of
 512-byte region [ffff888094231840, ffff888094231a40)
The buggy address belongs to the page:
page:ffffea0002508c40 count:1 mapcount:0 mapping:ffff8880942310c0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880942310c0 0000000000000000 0000000100000006
raw: ffffea00028ec6e0 ffffea00028c3520 ffff88813fe74940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094231900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094231980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094231a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                            ^
 ffff888094231a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888094231b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/12/05 13:57 linux-4.14.y 179ef7fe8677 e080de16 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in udf_get_filelongad
2022/12/03 02:46 linux-4.14.y 179ef7fe8677 e080de16 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in udf_get_filelongad
* Struck through repros no longer work on HEAD.