syzbot


KASAN: use-after-free Read in __ext4_check_dir_entry

Status: upstream: reported C repro on 2020/06/12 02:23
Reported-by: syzbot+b525c860dd8b07d5903f@syzkaller.appspotmail.com
First crash: 1468d, last: 1364d
Fix bisection the fix commit could be any of (bisect log):
  b850307b279c Linux 4.14.184
  56dfe6252c68 Linux 4.14.188
  
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (2) ext4 C error 1 25d 35d 0/27 upstream: reported C repro on 2024/05/14 14:09
linux-5.15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 8 10d 16d 0/3 upstream: reported C repro on 2024/06/03 01:15
android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry 1 4d13h 4d13h 0/2 premoderation: reported on 2024/06/14 16:50
upstream KASAN: use-after-free Read in __ext4_check_dir_entry ext4 C 8 2268d 2271d 22/27 closed as dup on 2018/03/31 22:38
android-5-10 KASAN: use-after-free Read in __ext4_check_dir_entry C 1 25d 39d 0/2 upstream: reported C repro on 2024/05/10 09:19
android-6-1 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 4 18d 38d 0/2 upstream: reported C repro on 2024/05/11 11:53
linux-6.1 KASAN: use-after-free Read in __ext4_check_dir_entry 6 10d 16d 0/3 upstream: reported on 2024/06/03 01:12
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/02/03 17:32 12m retest repro linux-4.14.y report log
2022/09/13 05:27 7m retest repro linux-4.14.y error OK

Sample crash report:
audit: type=1400 audit(1592406889.731:8): avc:  denied  { execmem } for  pid=6342 comm="syz-executor293" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff8880902be001 by task syz-executor293/6343

CPU: 0 PID: 6343 Comm: syz-executor293 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
 __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
 ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240
 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
 SYSC_getdents64 fs/readdir.c:355 [inline]
 SyS_getdents64+0x130/0x240 fs/readdir.c:336
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441369
RSP: 002b:00007ffc66332028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ffc663320a0 RCX: 0000000000441369
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffc66332040 R08: 00000000bb1414ac R09: 00000000bb1414ac
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4799:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc_track_caller+0x155/0x400 mm/slab.c:3735
 kmemdup_nul+0x2d/0xa0 mm/util.c:138
 security_context_to_sid_core+0x94/0x3d0 security/selinux/ss/services.c:1420
 selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
 selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
 security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
 kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
 kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
 do_inode_permission fs/namei.c:384 [inline]
 __inode_permission+0x1f1/0x2f0 fs/namei.c:426
 inode_permission+0x23/0x100 fs/namei.c:476
 may_lookup fs/namei.c:1717 [inline]
 link_path_walk+0x851/0x1080 fs/namei.c:2097
 path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
 filename_lookup+0x18e/0x380 fs/namei.c:2377
 user_path_at include/linux/namei.h:57 [inline]
 vfs_statx+0xd1/0x160 fs/stat.c:185
 vfs_lstat include/linux/fs.h:3066 [inline]
 SYSC_newlstat fs/stat.c:350 [inline]
 SyS_newlstat+0x83/0xe0 fs/stat.c:344
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 4799:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 security_context_to_sid_core+0x284/0x3d0 security/selinux/ss/services.c:1460
 selinux_inode_setsecurity+0x155/0x350 security/selinux/hooks.c:3377
 selinux_inode_notifysecctx+0x2b/0x50 security/selinux/hooks.c:6152
 security_inode_notifysecctx+0x76/0xb0 security/security.c:1314
 kernfs_refresh_inode+0x328/0x4a0 fs/kernfs/inode.c:195
 kernfs_iop_permission+0x59/0x90 fs/kernfs/inode.c:302
 do_inode_permission fs/namei.c:384 [inline]
 __inode_permission+0x1f1/0x2f0 fs/namei.c:426
 inode_permission+0x23/0x100 fs/namei.c:476
 may_lookup fs/namei.c:1717 [inline]
 link_path_walk+0x851/0x1080 fs/namei.c:2097
 path_lookupat.isra.0+0xcb/0x7b0 fs/namei.c:2342
 filename_lookup+0x18e/0x380 fs/namei.c:2377
 user_path_at include/linux/namei.h:57 [inline]
 vfs_statx+0xd1/0x160 fs/stat.c:185
 vfs_lstat include/linux/fs.h:3066 [inline]
 SYSC_newlstat fs/stat.c:350 [inline]
 SyS_newlstat+0x83/0xe0 fs/stat.c:344
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880902be000
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 1 bytes inside of
 32-byte region [ffff8880902be000, ffff8880902be020)
The buggy address belongs to the page:
page:ffffea000240af80 count:1 mapcount:0 mapping:ffff8880902be000 index:0xffff8880902befc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880902be000 ffff8880902befc1 000000010000003f
raw: ffffea00024079e0 ffffea0002aa6720 ffff8880aa8001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880902bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880902bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880902be000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                   ^
 ffff8880902be080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880902be100: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/17 15:16 linux-4.14.y b850307b279c b6c46f43 .config console log report syz C ci2-linux-4-14
2020/09/23 19:18 linux-4.14.y cbfa1702aaf6 54289b08 .config console log report info ci2-linux-4-14
2020/08/19 19:28 linux-4.14.y 14b58326976d db787902 .config console log report ci2-linux-4-14
2020/06/21 07:11 linux-4.14.y b850307b279c c655ec77 .config console log report ci2-linux-4-14
2020/06/16 04:50 linux-4.14.y b850307b279c baca2611 .config console log report ci2-linux-4-14
2020/06/12 02:22 linux-4.14.y b850307b279c 1beaee21 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.