syzbot

 sign-in | mailing list | source | docs
🐞 Open [711]
🐞 Fixed [60]
🐞 Invalid [634]
Missing Backports [62]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in crc_itu_t

Status: upstream: reported C repro on 2023/03/29 16:09
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+a2296f1483a9201c63a3@syzkaller.appspotmail.com
First crash: 632d, last: 111d
Fix bisection: failed (error log, bisect log)
  
Bug presence (1)
Date Name Commit Repro Result
2023/05/24 upstream (ToT) 9d646009f65d C [report] KASAN: use-after-free Read in crc_itu_t
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in crc_itu_t udf C inconclusive done 50 361d 811d 25/28 fixed on 2024/01/30 23:26
linux-6.1 KASAN: use-after-free Read in crc_itu_t origin:upstream C error 5 102d 571d 0/3 upstream: reported C repro on 2023/05/30 07:40
linux-4.14 general protection fault in crc_itu_t udf C 2 657d 722d 0/1 upstream: reported C repro on 2022/12/29 23:30
linux-4.19 KASAN: use-after-free Read in crc_itu_t udf C error 4 707d 749d 0/1 upstream: reported C repro on 2022/12/03 10:52
Last patch testing requests (4)
Created Duration User Patch Repo Result
2024/12/19 05:55 10m retest repro linux-5.15.y report log
2024/11/11 11:38 8m retest repro linux-5.15.y report log
2024/10/09 14:32 11m retest repro linux-5.15.y report log
2024/10/09 14:32 8m retest repro linux-5.15.y report log
Fix bisection attempts (13)
Created Duration User Patch Repo Result
2024/10/14 23:58 0m bisect fix linux-5.15.y error job log
2024/09/01 05:38 56m bisect fix linux-5.15.y OK (0) job log log
2024/07/27 10:32 2h02m bisect fix linux-5.15.y OK (0) job log log
2024/06/10 08:30 1h20m bisect fix linux-5.15.y OK (0) job log log
2024/05/10 18:22 55m bisect fix linux-5.15.y OK (0) job log log
2024/04/07 02:39 2h07m bisect fix linux-5.15.y OK (0) job log log
2024/03/07 09:28 55m bisect fix linux-5.15.y OK (0) job log log
2024/02/01 12:45 1h11m bisect fix linux-5.15.y OK (0) job log log
2023/12/30 13:10 1h27m bisect fix linux-5.15.y OK (0) job log log
2023/11/29 22:34 1h02m bisect fix linux-5.15.y OK (0) job log log
2023/10/29 14:08 1h00m bisect fix linux-5.15.y OK (0) job log log
2023/09/28 05:19 1h09m bisect fix linux-5.15.y OK (0) job log log
2023/07/23 16:42 1h58m bisect fix linux-5.15.y OK (0) job log log

Sample crash report:
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888072c44000 by task syz-executor176/3498

CPU: 0 PID: 3498 Comm: syz-executor176 Not tainted 5.15.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
 udf_finalize_lvid fs/udf/super.c:2025 [inline]
 udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2381
 sync_filesystem+0xe8/0x220 fs/sync.c:56
 generic_shutdown_super+0x6e/0x2c0 fs/super.c:448
 kill_block_super+0x7a/0xe0 fs/super.c:1405
 deactivate_locked_super+0xa0/0x110 fs/super.c:335
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
 task_work_run+0x129/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x6a3/0x2480 kernel/exit.c:872
 do_group_exit+0x144/0x310 kernel/exit.c:994
 __do_sys_exit_group kernel/exit.c:1005 [inline]
 __se_sys_exit_group kernel/exit.c:1003 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1003
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7efc76ecd3d9
Code: Unable to access opcode bytes at RIP 0x7efc76ecd3af.
RSP: 002b:00007ffcee5c4b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007efc76f6b450 RCX: 00007efc76ecd3d9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 00007ffcee5c4bf0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007efc76f6b450
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

The buggy address belongs to the page:
page:ffffea0001cb1100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x72c44
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001ca2488 ffffea0001cb9b48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3354, ts 36740772760, free_ts 36815645841
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5421
 alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
 do_anonymous_page mm/memory.c:3795 [inline]
 handle_pte_fault mm/memory.c:4606 [inline]
 __handle_mm_fault mm/memory.c:4743 [inline]
 handle_mm_fault+0x2f49/0x5950 mm/memory.c:4841
 do_user_addr_fault arch/x86/mm/fault.c:1397 [inline]
 handle_page_fault arch/x86/mm/fault.c:1485 [inline]
 exc_page_fault+0x271/0x740 arch/x86/mm/fault.c:1541
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
 release_pages+0x1bb9/0x1f40 mm/swap.c:963
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 unmap_region+0x304/0x350 mm/mmap.c:2668
 __do_munmap+0x12db/0x1740 mm/mmap.c:2899
 __vm_munmap+0x134/0x230 mm/mmap.c:2922
 __do_sys_munmap mm/mmap.c:2948 [inline]
 __se_sys_munmap mm/mmap.c:2944 [inline]
 __x64_sys_munmap+0x67/0x70 mm/mmap.c:2944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff888072c43f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888072c43f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888072c44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888072c44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888072c44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/06/11 23:45 linux-5.15.y 7349e40704a0 49519f06 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-5-15-kasan KASAN: use-after-free Read in crc_itu_t
2023/06/08 14:18 linux-5.15.y d7af3e5ba454 058b3a5a .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-5-15-kasan KASAN: use-after-free Read in crc_itu_t
2023/05/24 09:17 linux-5.15.y 9d6bde853685 4bce1a3e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-5-15-kasan KASAN: use-after-free Read in crc_itu_t
2023/03/29 16:09 linux-5.15.y 115472395b0a f325deb0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in crc_itu_t
* Struck through repros no longer work on HEAD.