syzbot


KASAN: use-after-free Read in ntfs_attr_find (2)

Status: upstream: reported C repro on 2023/03/01 23:29
Subsystems: ntfs3
[Documentation on labels]
Reported-by: syzbot+ef50f8eb00b54feb7ba2@syzkaller.appspotmail.com
First crash: 418d, last: 60d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit 7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Mon Jan 15 07:20:25 2024 +0000

  fs: Remove NTFS classic

  
Discussions (6)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_attr_find (2) 0 (2) 2024/03/19 11:03
[syzbot] Monthly ntfs report (Oct 2023) 0 (1) 2023/10/04 13:13
fs/ntfs : use-after-free Read in ntfs_attr_find 1 (1) 2023/08/22 17:44
[syzbot] Monthly ntfs report (Jun 2023) 0 (1) 2023/06/02 08:40
[syzbot] Monthly ntfs report (May 2023) 0 (1) 2023/05/02 07:18
[syzbot] Monthly ntfs report 0 (1) 2023/03/31 15:00
Similar bugs (9)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in ntfs_attr_find origin:upstream C error 3 33d 89d 0/3 upstream: reported C repro on 2024/01/20 12:39
upstream KASAN: use-after-free Read in ntfs_attr_find ntfs3 C done 74 435d 602d 22/26 fixed on 2023/02/24 13:50
linux-6.1 KASAN: use-after-free Read in ntfs_attr_find 3 361d 372d 0/3 auto-obsoleted due to no activity on 2023/08/21 05:46
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_attr_find (2) C 31 416d 602d 0/1 upstream: reported C repro on 2022/08/25 11:21
linux-4.19 KASAN: use-after-free Read in ntfs_attr_find (2) C 1 417d 417d 0/1 upstream: reported C repro on 2023/02/26 02:15
linux-4.14 KASAN: use-after-free Read in ntfs_attr_find C done 4 1284d 1303d 1/1 fixed on 2020/11/12 10:36
linux-4.19 KASAN: use-after-free Read in ntfs_attr_find C done 13 1268d 1299d 1/1 fixed on 2020/11/27 11:32
linux-6.1 KASAN: use-after-free Read in ntfs_attr_find (2) origin:upstream missing-backport C inconclusive 1 28d 118d 0/3 upstream: reported C repro on 2023/12/22 04:54
linux-5.15 KASAN: slab-out-of-bounds Read in ntfs_attr_find 1 360d 360d 0/3 auto-obsoleted due to no activity on 2023/08/22 04:27
Last patch testing requests (11)
Created Duration User Patch Repo Result
2024/03/22 11:51 26m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/03/22 11:51 26m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/03/07 14:18 52m retest repro upstream OK log
2024/03/03 06:46 23m retest repro upstream OK log
2024/03/03 06:46 23m retest repro upstream OK log
2024/03/03 05:55 20m retest repro upstream OK log
2024/03/03 05:53 44m retest repro upstream OK log
2024/03/03 05:55 17m retest repro upstream OK log
2024/03/03 05:55 17m retest repro upstream OK log
2024/02/05 00:42 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/08/22 13:02 28m ghandatmanas@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc6 report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/03/19 06:58 4h03m bisect fix upstream job log (1)
2023/07/24 19:42 2h22m bisect fix upstream job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: use-after-free in ntfs_attr_find+0x5a0/0x9d0 fs/ntfs/attrib.c:609
Read of size 2 at addr ffff0000dc87d442 by task syz-executor383/6095

CPU: 1 PID: 6095 Comm: syz-executor383 Not tainted 6.7.0-rc8-syzkaller-g0802e17d9aca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 __asan_report_load_n_noabort+0x1c/0x28 mm/kasan/report_generic.c:391
 ntfs_attr_find+0x5a0/0x9d0 fs/ntfs/attrib.c:609
 ntfs_attr_lookup+0x3dc/0x1cd8
 ntfs_read_locked_inode+0x87c/0x38dc fs/ntfs/inode.c:666
 ntfs_iget+0x110/0x19c fs/ntfs/inode.c:177
 load_and_init_mft_mirror fs/ntfs/super.c:1035 [inline]
 load_system_files+0xe4/0x4734 fs/ntfs/super.c:1780
 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900
 mount_bdev+0x1e8/0x2b4 fs/super.c:1650
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x288 fs/super.c:1771
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3337
 path_mount+0x590/0xe04 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3863
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

The buggy address belongs to the physical page:
page:00000000c25f236a refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11c87d
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000000 fffffc0003721f88 ffff0001b416cbb0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dc87d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000dc87d380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000dc87d400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff0000dc87d480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000dc87d500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syz-executor383: attempt to access beyond end of device
loop0: rw=0, sector=32768, nr_sectors = 2 limit=4096
syz-executor383: attempt to access beyond end of device
loop0: rw=0, sector=32770, nr_sectors = 2 limit=4096
syz-executor383: attempt to access beyond end of device
loop0: rw=0, sector=32772, nr_sectors = 2 limit=4096

Crashes (22):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/20 21:52 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 0802e17d9aca 9bd8dcda .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_attr_find
2024/01/20 18:00 upstream 9d64bf433c53 9bd8dcda .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/11/30 12:11 upstream 3b47bc037bd4 f819d6f7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in ntfs_attr_find
2023/11/08 04:12 upstream 13d88ac54ddd 83211397 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in ntfs_attr_find
2023/08/25 22:50 upstream 4f9e7fabf864 03d9c195 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/08/16 06:13 upstream 4853c74bd7ab 39990d51 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_attr_find
2023/05/22 07:47 upstream e2065b8c1b01 4bce1a3e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ntfs_attr_find
2023/02/25 23:27 upstream 489fa31ea873 ee50e71c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/06/08 11:39 linux-next 715abedee4cd 7086cdb9 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_attr_find
2023/10/08 17:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 19af4a4ed414 5e837c76 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_attr_find
2023/02/25 23:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 2ebd1fbb946d ee50e71c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_attr_find
2023/10/18 13:50 upstream 06dc10eae55b 342b9c55 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_attr_find
2023/06/19 06:25 upstream 8c1f0c38b310 f3921d4d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in ntfs_attr_find
2023/06/13 08:11 upstream fb054096aea0 749afb64 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/05/25 20:34 upstream 933174ae28ba 0513b3e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/05/05 08:21 upstream 78b421b6a7c6 518a39a6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/04/20 19:43 upstream cb0856346a60 a219f34e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/04/03 15:40 upstream 7e364e56293b 41147e3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/03/24 13:33 upstream 1e760fa3596e f94b4a29 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2023/03/02 00:48 upstream ee3f96b16468 f8902b57 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_attr_find
2024/02/18 05:51 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 905b00721763 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_attr_find
2023/06/10 09:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d8b213732169 7086cdb9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_attr_find
* Struck through repros no longer work on HEAD.