syzbot


KASAN: slab-out-of-bounds Read in ntfs_attr_find

Status: fixed on 2020/11/16 12:12
Subsystems: ntfs3
[Documentation on labels]
Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Fix commit: 4f8c94022f0b ntfs: add check for mft record size in superblock
First crash: 2293d, last: 1367d
Cause bisection: introduced by (bisect log) :
commit 9dd068a4b85a68733213c874d08ef768bbec8d01
Author: Matthias Brugger <matthias.bgg@gmail.com>
Date: Fri Jul 31 15:03:13 2015 +0000

  soc: mediatek: Fix SCPSYS compilation

Crash: BUG: unable to handle kernel paging request in ntfs_attr_find (log)
Repro: C syz .config
  
Discussions (20)
Title Replies (including bot) Last reply
[PATCH 5.9 000/757] 5.9.2-rc1 review 766 (766) 2020/10/30 08:32
[PATCH 4.19 000/264] 4.19.153-rc1 review 275 (275) 2020/10/29 08:56
[PATCH 5.8 000/633] 5.8.17-rc1 review 638 (638) 2020/10/28 22:08
[PATCH 4.4 000/112] 4.4.241-rc1 review 115 (115) 2020/10/28 15:54
[PATCH 4.9 000/139] 4.9.241-rc1 review 141 (141) 2020/10/28 13:53
[PATCH 4.14 000/191] 4.14.203-rc1 review 194 (194) 2020/10/28 12:43
[PATCH 5.4 000/408] 5.4.73-rc1 review 410 (410) 2020/10/28 06:53
[PATCH AUTOSEL 5.9 001/111] md/bitmap: fix memory leak of temporary bitmap 126 (126) 2020/10/25 23:48
[PATCH AUTOSEL 4.4 01/33] media: firewire: fix memory leak 33 (33) 2020/10/18 19:27
[PATCH AUTOSEL 4.9 01/41] crypto: ccp - fix error handling 41 (41) 2020/10/18 19:26
[PATCH AUTOSEL 4.14 01/52] crypto: ccp - fix error handling 52 (52) 2020/10/18 19:25
[PATCH AUTOSEL 4.19 01/56] block: ratelimit handle_bad_sector() message 56 (56) 2020/10/18 19:24
[PATCH AUTOSEL 5.4 01/80] md/bitmap: fix memory leak of temporary bitmap 80 (80) 2020/10/18 19:22
[PATCH AUTOSEL 5.8 001/101] md/bitmap: fix memory leak of temporary bitmap 101 (101) 2020/10/18 19:20
[patch 014/181] ntfs: add check for mft record size in superblock 1 (1) 2020/10/13 23:48
[PATCH] ntfs: add check for mft record size in superblock 2 (2) 2020/08/24 02:46
[PATCH] ntfs: add check for mft record size in superblock 3 (3) 2020/08/24 02:01
KASAN: slab-out-of-bounds Read in ntfs_attr_find 0 (2) 2019/11/28 06:52
Reminder: 5 open syzbot bugs in "fs/ntfs" subsystem 1 (1) 2019/07/24 02:30
Reminder: 5 open syzbot bugs in "fs/ntfs" subsystem 1 (1) 2019/07/09 20:27
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ntfs_attr_find ntfs3 C done 74 521d 687d 22/27 fixed on 2023/02/24 13:50
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_attr_find C done 10 1360d 1388d 1/1 fixed on 2020/11/20 16:27
linux-5.15 KASAN: slab-out-of-bounds Read in ntfs_attr_find 1 446d 446d 0/3 auto-obsoleted due to no activity on 2023/08/22 04:27
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_attr_find (2) C 31 502d 687d 0/1 upstream: reported C repro on 2022/08/25 11:21
linux-4.19 KASAN: slab-out-of-bounds Read in ntfs_attr_find C done 10 1328d 1385d 1/1 fixed on 2020/12/23 11:20
Last patch testing requests (2)
Created Duration User Patch Repo Result
2020/08/22 22:56 14m rkovhaev@gmail.com patch upstream report log
2020/08/08 01:21 8m rkovhaev@gmail.com upstream report log
Fix bisection attempts (9)
Created Duration User Patch Repo Result
2020/07/26 14:13 21m bisect fix upstream OK (0) job log log
2020/06/15 15:01 16m bisect fix upstream OK (0) job log log
2020/05/16 13:54 15m bisect fix upstream OK (0) job log log
2020/04/16 13:37 16m bisect fix upstream OK (0) job log log
2020/03/16 22:52 17m bisect fix upstream OK (0) job log log
2020/02/11 21:52 17m bisect fix upstream OK (0) job log log
2020/01/12 21:32 16m bisect fix upstream OK (0) job log log
2019/12/10 14:33 16m bisect fix upstream OK (0) job log log
2019/08/01 03:31 17m bisect fix upstream OK (0) job log log

Sample crash report:
ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0x99a/0xa00 fs/ntfs/attrib.c:613
Read of size 4 at addr ffff8801d96bfbb5 by task syzkaller786329/4469

CPU: 0 PID: 4469 Comm: syzkaller786329 Not tainted 4.16.0+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 ntfs_attr_find+0x99a/0xa00 fs/ntfs/attrib.c:613
 ntfs_attr_lookup+0x10e1/0x22a0 fs/ntfs/attrib.c:1203
 ntfs_read_inode_mount+0x6cd/0x20f0 fs/ntfs/inode.c:1858
 ntfs_fill_super+0x13df/0x2fb0 fs/ntfs/super.c:2871
 mount_bdev+0x2b7/0x370 fs/super.c:1119
 ntfs_mount+0x34/0x40 fs/ntfs/super.c:3065
 mount_fs+0x66/0x2d0 fs/super.c:1222
 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0xea4/0x2bb0 fs/namespace.c:2842
 SYSC_mount fs/namespace.c:3058 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3035
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x442eca
RSP: 002b:00007ffce22e1a98 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442eca
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffce22e1aa0
RBP: 00000000006cb018 R08: 000000002007e200 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004
R13: 0000000000401dc0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2834:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 __do_kmalloc_node mm/slab.c:3670 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3677
 kmalloc_node include/linux/slab.h:554 [inline]
 kvmalloc_node+0x99/0xd0 mm/util.c:419
 kvmalloc include/linux/mm.h:541 [inline]
 seq_buf_alloc fs/seq_file.c:29 [inline]
 seq_read+0x7fc/0x1410 fs/seq_file.c:208
 __vfs_read+0xef/0xa00 fs/read_write.c:411
 vfs_read+0x11e/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xef/0x220 fs/read_write.c:566
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 2834:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3486 [inline]
 kfree+0xd9/0x260 mm/slab.c:3801
 kvfree+0x36/0x60 mm/util.c:438
 seq_release fs/seq_file.c:368 [inline]
 single_release+0x78/0xb0 fs/seq_file.c:605
 __fput+0x327/0x7e0 fs/file_table.c:209
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d96be180
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2613 bytes to the right of
 4096-byte region [ffff8801d96be180, ffff8801d96bf180)
The buggy address belongs to the page:
page:ffffea000765af80 count:1 mapcount:0 mapping:ffff8801d96be180 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d96be180 0000000000000000 0000000100000001
raw: ffffea0006b1b820 ffffea0007622ba0 ffff8801dac00dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d96bfa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d96bfb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d96bfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8801d96bfc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d96bfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/04/02 08:04 upstream 0adb32858b0b dc889257 .config console log report syz C ci-upstream-kasan-gce-root
2020/10/14 07:35 upstream 029f56db6ac2 fc7735a2 .config console log report info ci-upstream-kasan-gce-root
2020/09/30 15:36 upstream 02de58b24d2e 8516f6d3 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/29 22:22 upstream ccc1d052eff9 5abc3f1a .config console log report info ci-upstream-kasan-gce-root
2020/09/28 01:31 upstream a1bffa48745a 5dd8aee8 .config console log report info ci-upstream-kasan-gce-root
2020/09/27 15:15 upstream a1bffa48745a 5dd8aee8 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/23 13:47 upstream 805c6d3c1921 287cd75a .config console log report info ci-upstream-kasan-gce-root
2020/09/22 06:50 upstream 98477740630f 9e1fa68e .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/21 12:01 upstream ba4f184e126b 9e1fa68e .config console log report info ci-upstream-kasan-gce-selinux-root
* Struck through repros no longer work on HEAD.