KASAN: use-after-free Read in udf_update

Title	Replies (including bot)	Last reply
[syzbot] Monthly udf report (Nov 2024)	0 (1)	2024/11/18 10:47
[syzbot] [udf?] KASAN: use-after-free Read in udf_update_tag	0 (3)	2024/10/22 00:23
[syzbot] Monthly udf report (Oct 2024)	0 (1)	2024/10/17 07:41
[syzbot] Monthly udf report (Sep 2024)	0 (1)	2024/09/16 12:28

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in udf_update_tag udf	C			877	162d	328d	27/28	fixed on 2024/08/14 03:44

upstream

KMSAN: uninit-value in udf_update_tag udf

877

162d

328d

27/28

fixed on 2024/08/14 03:44

Created	Duration	User	Patch	Repo	Result
2024/10/22 00:23	19m	gianf.trad@gmail.com		upstream	OK log

Created

Duration

User

Patch

Repo

Result

2024/10/22 00:23

19m

gianf.trad@gmail.com

upstream

OK log

UDF-fs: warning (device loop0): udf_truncate_tail_extent: Too long extent after EOF in inode 818: i_size: 134220898 lbcount: 141077504 extent 0+14745600 ================================================================== BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ffbbd1e9f09 Code: Unable to access opcode bytes at 0x7ffbbd1e9edf. RSP: 002b:00007fff6e953b08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbbd1e9f09 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007ffbbd286310 R08: ffffffffffffffb8 R09: 000055558cebc4c0 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007ffbbd286310 R13: 0000000000000000 R14: 00007ffbbd287080 R15: 00007ffbbd1b8100 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x55558cebb pfn:0x41e7d flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea000118ba08 ffffea000118d7c8 0000000000000000 raw: 000000055558cebb 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5309, tgid 5309 (syz-executor317), ts 70568771998, free_ts 70739898657 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 folio_alloc_mpol_noprof mm/mempolicy.c:2283 [inline] vma_alloc_folio_noprof+0x12e/0x230 mm/mempolicy.c:2314 folio_prealloc+0x31/0x170 wp_page_copy mm/memory.c:3353 [inline] do_wp_page+0x11c4/0x52d0 mm/memory.c:3745 handle_pte_fault+0x10e3/0x6800 mm/memory.c:5771 __handle_mm_fault mm/memory.c:5898 [inline] handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6066 do_user_addr_fault arch/x86/mm/fault.c:1389 [inline] handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x2b9/0x8c0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 page last free pid 5309 tgid 5309 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686 folios_put_refs+0x76c/0x860 mm/swap.c:1007 free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 exit_mmap+0x496/0xc40 mm/mmap.c:1887 __mmput+0x115/0x390 kernel/fork.c:1347 exit_mm+0x220/0x310 kernel/exit.c:571 do_exit+0x9b2/0x28e0 kernel/exit.c:926 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888041e7cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888041e7cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888041e7d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888041e7d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888041e7d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2024/10/27 18:11	upstream	850925a8133c	65e8686b	.config	console log	report	syz / log	C		[disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/10/02 18:27	upstream	e32cde8d2bd7	02f9582a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in udf_update_tag
2024/11/07 20:43	upstream	ff7afaeca1a1	867e44df	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/10/27 16:57	upstream	850925a8133c	65e8686b	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/10/13 21:30	upstream	36c254515dc6	084d8178	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/09/29 14:15	upstream	3efc57369a0c	ba29ff75	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/09/21 11:38	upstream	1868f9d0260e	6f888b75	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/09/15 19:20	upstream	d42f7708e27c	08d8a733	.config	console log	report	syz / log	C		[disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2]	ci-snapshot-upstream-root	KASAN: use-after-free Read in udf_update_tag
2024/08/16 20:09	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	5c43d43bad35	76120936	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: use-after-free Read in udf_update_tag
2024/09/15 18:11	upstream	d42f7708e27c	08d8a733	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: slab-out-of-bounds Read in udf_update_tag