syzbot


KASAN: use-after-free Read in udf_update_tag

Status: upstream: reported C repro on 2024/08/21 07:43
Subsystems: udf
[Documentation on labels]
Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
First crash: 112d, last: 4d13h
Discussions (4)
Title Replies (including bot) Last reply
[syzbot] Monthly udf report (Nov 2024) 0 (1) 2024/11/18 10:47
[syzbot] [udf?] KASAN: use-after-free Read in udf_update_tag 0 (3) 2024/10/22 00:23
[syzbot] Monthly udf report (Oct 2024) 0 (1) 2024/10/17 07:41
[syzbot] Monthly udf report (Sep 2024) 0 (1) 2024/09/16 12:28
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in udf_update_tag udf C 877 178d 344d 27/28 fixed on 2024/08/14 03:44
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/11/21 20:46 13m retest repro upstream report log
2024/10/22 00:23 19m gianf.trad@gmail.com upstream OK log

Sample crash report:
UDF-fs: warning (device loop0): udf_truncate_tail_extent: Too long extent after EOF in inode 818: i_size: 134220898 lbcount: 141077504 extent 0+14745600
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffbbd1e9f09
Code: Unable to access opcode bytes at 0x7ffbbd1e9edf.
RSP: 002b:00007fff6e953b08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbbd1e9f09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007ffbbd286310 R08: ffffffffffffffb8 R09: 000055558cebc4c0
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007ffbbd286310
R13: 0000000000000000 R14: 00007ffbbd287080 R15: 00007ffbbd1b8100
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x55558cebb pfn:0x41e7d
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea000118ba08 ffffea000118d7c8 0000000000000000
raw: 000000055558cebb 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5309, tgid 5309 (syz-executor317), ts 70568771998, free_ts 70739898657
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 folio_alloc_mpol_noprof mm/mempolicy.c:2283 [inline]
 vma_alloc_folio_noprof+0x12e/0x230 mm/mempolicy.c:2314
 folio_prealloc+0x31/0x170
 wp_page_copy mm/memory.c:3353 [inline]
 do_wp_page+0x11c4/0x52d0 mm/memory.c:3745
 handle_pte_fault+0x10e3/0x6800 mm/memory.c:5771
 __handle_mm_fault mm/memory.c:5898 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6066
 do_user_addr_fault arch/x86/mm/fault.c:1389 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x2b9/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 5309 tgid 5309 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x496/0xc40 mm/mmap.c:1887
 __mmput+0x115/0x390 kernel/fork.c:1347
 exit_mm+0x220/0x310 kernel/exit.c:571
 do_exit+0x9b2/0x28e0 kernel/exit.c:926
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888041e7cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888041e7cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888041e7d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888041e7d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888041e7d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/27 18:11 upstream 850925a8133c 65e8686b .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/10/02 18:27 upstream e32cde8d2bd7 02f9582a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in udf_update_tag
2024/12/02 17:47 upstream e70140ba0d2b b499ea68 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/11/30 07:06 upstream 2ba9f676d0a2 68914665 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/11/25 03:21 upstream 9f16d5e6f220 68da6d95 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/11/07 20:43 upstream ff7afaeca1a1 867e44df .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/10/27 16:57 upstream 850925a8133c 65e8686b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/10/13 21:30 upstream 36c254515dc6 084d8178 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/09/29 14:15 upstream 3efc57369a0c ba29ff75 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/09/21 11:38 upstream 1868f9d0260e 6f888b75 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/09/15 19:20 upstream d42f7708e27c 08d8a733 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-snapshot-upstream-root KASAN: use-after-free Read in udf_update_tag
2024/08/16 20:09 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 5c43d43bad35 76120936 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in udf_update_tag
2024/09/15 18:11 upstream d42f7708e27c 08d8a733 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in udf_update_tag
* Struck through repros no longer work on HEAD.