syzbot


KASAN: use-after-free Read in get_max_inline_xattr_value_size

Status: fixed on 2023/06/07 17:22
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+b3bf4746131622e759a4@syzkaller.appspotmail.com
Fix commit: 89eccb84959f ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
First crash: 465d, last: 386d
Cause bisection: failed (error log, bisect log)
  
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C error 4 385d 465d 2/2 fixed on 2023/06/07 17:22
upstream KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C 21 344d 382d 22/26 fixed on 2023/07/01 16:05
android-54 KASAN: use-after-free Read in get_max_inline_xattr_value_size ext4 C 20 386d 465d 2/2 fixed on 2023/06/07 17:22
android-54 KASAN: use-after-free Read in get_max_inline_xattr_value_size (2) C 3 267d 275d 0/2 auto-obsoleted due to no activity on 2023/10/31 04:10
android-6-1 KASAN: use-after-free Read in get_max_inline_xattr_value_size origin:lts C error done 10 186d 275d 0/2 auto-obsoleted due to no activity on 2024/01/19 14:48
linux-4.19 KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C error 1 444d 444d 0/1 upstream: reported C repro on 2023/01/27 02:26

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
Read of size 4 at addr ffff88810ce0c084 by task syz-executor348/325

CPU: 1 PID: 325 Comm: syz-executor348 Not tainted 5.15.94-syzkaller-03204-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62
 ext4_get_max_inline_size+0x13d/0x1f0 fs/ext4/inline.c:113
 ext4_da_write_inline_data_begin+0x1f6/0xc40 fs/ext4/inline.c:948
 ext4_da_write_begin+0x527/0xc30 fs/ext4/inode.c:3003
 generic_perform_write+0x2bc/0x5a0 mm/filemap.c:3830
 ext4_buffered_write_iter+0x49c/0x630 fs/ext4/file.c:271
 ext4_file_write_iter+0x443/0x1cc0
 call_write_iter include/linux/fs.h:2157 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xd8a/0x1160 fs/read_write.c:594
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f5b04d67a99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff322f57e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b04d67a99
RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007fff322f5810 R09: 00007fff322f5810
R10: 00007fff322f5810 R11: 0000000000000246 R12: 00007f5b04d26960
R13: 00007fff322f5840 R14: 00007fff322f5820 R15: 0000000000000000
 </TASK>

Allocated by task 212:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550
 slab_alloc_node mm/slub.c:3238 [inline]
 slab_alloc mm/slub.c:3246 [inline]
 kmem_cache_alloc+0xf5/0x200 mm/slub.c:3251
 vm_area_alloc+0x24/0x130 kernel/fork.c:359
 mmap_region+0xb5d/0x1b60 mm/mmap.c:1780
 do_mmap+0x776/0xe50 mm/mmap.c:1584
 vm_mmap_pgoff+0x1dd/0x450 mm/util.c:554
 vm_mmap+0x8d/0xb0 mm/util.c:574
 elf_map+0x19c/0x240 fs/binfmt_elf.c:392
 load_elf_binary+0xfe0/0x2750 fs/binfmt_elf.c:1141
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm fs/exec.c:1780 [inline]
 bprm_execve+0x7ae/0x14a0 fs/exec.c:1849
 do_execveat_common+0x565/0x710 fs/exec.c:1954
 do_execve fs/exec.c:2024 [inline]
 __do_sys_execve fs/exec.c:2100 [inline]
 __se_sys_execve fs/exec.c:2095 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2095
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 25:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3517 [inline]
 kmem_cache_free+0x116/0x2e0 mm/slub.c:3533
 __free_vm_area_struct+0x1c/0x20 kernel/fork.c:389
 rcu_do_batch+0x57a/0xc10 kernel/rcu/tree.c:2509
 rcu_core+0x517/0x1020 kernel/rcu/tree.c:2749
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2762
 __do_softirq+0x26d/0x5bf kernel/softirq.c:565

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2993 [inline]
 call_rcu+0x133/0x12a0 kernel/rcu/tree.c:3073
 free_vm_area_struct kernel/fork.c:394 [inline]
 vm_area_free_no_check+0xff/0x130 kernel/fork.c:408
 vm_area_free+0x53/0x60 kernel/fork.c:418
 remove_vma mm/mmap.c:190 [inline]
 exit_mmap+0x50d/0x6f0 mm/mmap.c:3217
 __mmput+0x95/0x310 kernel/fork.c:1171
 mmput+0x5b/0x170 kernel/fork.c:1194
 exit_mm kernel/exit.c:551 [inline]
 do_exit+0xbb4/0x2b60 kernel/exit.c:862
 do_group_exit+0x141/0x310 kernel/exit.c:997
 __do_sys_exit_group kernel/exit.c:1008 [inline]
 __se_sys_exit_group kernel/exit.c:1006 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1006
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88810ce0c000
 which belongs to the cache vm_area_struct of size 232
The buggy address is located 132 bytes inside of
 232-byte region [ffff88810ce0c000, ffff88810ce0c0e8)
The buggy address belongs to the page:
page:ffffea0004338300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ce0c
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001b4000
raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 207, ts 11411162682, free_ts 7165237345
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2502
 prep_new_page mm/page_alloc.c:2508 [inline]
 get_page_from_freelist+0x2c14/0x2cf0 mm/page_alloc.c:4291
 __alloc_pages+0x386/0x7b0 mm/page_alloc.c:5569
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x92/0x490 mm/slub.c:1993
 ___slab_alloc+0x39e/0x830 mm/slub.c:3026
 __slab_alloc+0x4a/0x90 mm/slub.c:3113
 slab_alloc_node mm/slub.c:3204 [inline]
 slab_alloc mm/slub.c:3246 [inline]
 kmem_cache_alloc+0x134/0x200 mm/slub.c:3251
 vm_area_dup+0x26/0x230 kernel/fork.c:367
 dup_mmap kernel/fork.c:600 [inline]
 dup_mm+0x81b/0x12c0 kernel/fork.c:1513
 copy_mm+0x107/0x1b0 kernel/fork.c:1565
 copy_process+0x12bc/0x3260 kernel/fork.c:2256
 kernel_clone+0x21e/0x9e0 kernel/fork.c:2659
 __do_sys_clone kernel/fork.c:2785 [inline]
 __se_sys_clone kernel/fork.c:2769 [inline]
 __x64_sys_clone+0x23f/0x290 kernel/fork.c:2769
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1370 [inline]
 free_pcp_prepare mm/page_alloc.c:1442 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3441
 free_unref_page+0xac/0x2c0 mm/page_alloc.c:3521
 free_the_page mm/page_alloc.c:711 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5645
 __vunmap+0x7bc/0x8f0 mm/vmalloc.c:2652
 free_work+0x5b/0x80 mm/vmalloc.c:96
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2460
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 <unknown>:298

Memory state around the buggy address:
 ffff88810ce0bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88810ce0c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810ce0c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                   ^
 ffff88810ce0c100: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
 ffff88810ce0c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/03/26 12:56 android13-5.15-lts 5448b2fda85f fbf0499a .config strace log report syz C [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/03/26 12:17 android13-5.15-lts 5448b2fda85f fbf0499a .config console log report syz C [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/16 07:26 android13-5.15-lts c73b4619ad86 a63719e7 .config strace log report syz C [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/06 08:17 android13-5.15-lts c73b4619ad86 1dac8c7a .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in get_max_inline_xattr_value_size
* Struck through repros no longer work on HEAD.