syzbot


KASAN: use-after-free Read in ntfs_attr_find (2)

Status: upstream: reported C repro on 2023/03/01 23:29
Subsystems: ntfs
Reported-by: syzbot+ef50f8eb00b54feb7ba2@syzkaller.appspotmail.com
First crash: 284d, last: 6d21h
Cause bisection: failed (error log, bisect log)
Discussions (6)
Title | Replies (including bot) | Last reply
[syzbot] Monthly ntfs report (Oct 2023) | 0 (1) | 2023/10/04 13:13
fs/ntfs : use-after-free Read in ntfs_attr_find | 1 (1) | 2023/08/22 17:44
[syzbot] Monthly ntfs report (Jun 2023) | 0 (1) | 2023/06/02 08:40
[syzbot] Monthly ntfs report (May 2023) | 0 (1) | 2023/05/02 07:18
[syzbot] Monthly ntfs report | 0 (1) | 2023/03/31 15:00
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_attr_find (2) | 0 (1) | 2023/03/01 23:29
Similar bugs (7)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in ntfs_attr_find ntfs | C | done | | 74 | 302d | 468d | 24/25 | fixed on 2023/02/24 13:50
linux-6.1 | KASAN: use-after-free Read in ntfs_attr_find | | | | 3 | 228d | 239d | 0/3 | auto-obsoleted due to no activity on 2023/08/21 05:46
linux-4.14 | KASAN: slab-out-of-bounds Read in ntfs_attr_find (2) | C | | | 31 | 283d | 468d | 0/1 | upstream: reported C repro on 2022/08/25 11:21
linux-4.19 | KASAN: use-after-free Read in ntfs_attr_find (2) | C | | | 1 | 284d | 284d | 0/1 | upstream: reported C repro on 2023/02/26 02:15
linux-4.14 | KASAN: use-after-free Read in ntfs_attr_find | C | done | | 4 | 1150d | 1169d | 1/1 | fixed on 2020/11/12 10:36
linux-4.19 | KASAN: use-after-free Read in ntfs_attr_find | C | done | | 13 | 1135d | 1166d | 1/1 | fixed on 2020/11/27 11:32
linux-5.15 | KASAN: slab-out-of-bounds Read in ntfs_attr_find | | | | 1 | 227d | 227d | 0/3 | auto-obsoleted due to no activity on 2023/08/22 04:27
Last patch testing requests (10)
Created | Duration | User | Patch | Repo | Result
2023/11/22 04:16 | 13m | retest repro | | upstream | report log
2023/11/22 04:16 | 38m | retest repro | | upstream | report log
2023/11/22 04:13 | 26m | retest repro | | linux-next | OK log
2023/11/01 16:52 | 19m | retest repro | | upstream | report log
2023/11/01 16:52 | 22m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2023/10/07 01:17 | 13m | retest repro | | upstream | report log
2023/09/22 23:19 | 18m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2023/09/08 22:57 | 9m | retest repro | | upstream | report log
2023/09/08 22:57 | 10m | retest repro | | upstream | report log
2023/08/22 13:02 | 28m | ghandatmanas@gmail.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc6 | report log
Fix bisection attempts (1)
Created | Duration | User | Patch | Repo | Result
2023/07/24 19:42 | 2h22m | bisect fix | | upstream | job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 4096
ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
==================================================================
BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 fs/ntfs/attrib.c:609
Read of size 2 at addr ffff888052d77042 by task syz-executor391/5068

CPU: 1 PID: 5068 Comm: syz-executor391 Not tainted 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 ntfs_attr_find+0xaa4/0xbe0 fs/ntfs/attrib.c:609
 ntfs_attr_lookup+0x10e0/0x2100 fs/ntfs/attrib.c:1213
 ntfs_read_locked_inode+0x9bf/0x5860 fs/ntfs/inode.c:666
 ntfs_read_inode_mount+0xef9/0x2730 fs/ntfs/inode.c:2098
 ntfs_fill_super+0x185c/0x9100 fs/ntfs/super.c:2863
 mount_bdev+0x1f3/0x2e0 fs/super.c:1650
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x370 fs/super.c:1771
 do_new_mount fs/namespace.c:3337 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3863
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f3fcba44daa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa
RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0
RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d
R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004
R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00014b5dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x52d77
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea00014d2f88 ffff8880b9942630 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5068, tgid 5068 (syz-executor391), ts 54959981955, free_ts 55030976425
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
 __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 vma_alloc_folio+0xad/0x220 mm/mempolicy.c:2172
 wp_page_copy mm/memory.c:3114 [inline]
 do_wp_page+0x13be/0x36b0 mm/memory.c:3510
 handle_pte_fault mm/memory.c:5054 [inline]
 __handle_mm_fault+0x1d7d/0x3d70 mm/memory.c:5179
 handle_mm_fault+0x47a/0xa10 mm/memory.c:5344
 do_user_addr_fault+0x30b/0x1000 arch/x86/mm/fault.c:1364
 handle_page_fault arch/x86/mm/fault.c:1505 [inline]
 exc_page_fault+0x5d/0xc0 arch/x86/mm/fault.c:1561
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4fa/0xaa0 mm/page_alloc.c:2347
 free_unref_page_list+0xe6/0xb40 mm/page_alloc.c:2533
 release_pages+0x32a/0x14f0 mm/swap.c:1042
 folios_put include/linux/mm.h:1539 [inline]
 folio_batch_move_lru+0x2f7/0x470 mm/swap.c:224
 lru_add_drain_cpu+0x535/0x860 mm/swap.c:652
 lru_add_drain+0x10a/0x440 mm/swap.c:752
 __folio_batch_release+0x89/0xe0 mm/swap.c:1059
 folio_batch_release include/linux/pagevec.h:83 [inline]
 truncate_inode_pages_range+0x33e/0xf00 mm/truncate.c:371
 kill_bdev block/bdev.c:76 [inline]
 set_blocksize+0x2af/0x360 block/bdev.c:152
 sb_set_blocksize+0x47/0x120 block/bdev.c:161
 ntfs_fill_super+0x134d/0x9100 fs/ntfs/super.c:2818
 mount_bdev+0x1f3/0x2e0 fs/super.c:1650
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x370 fs/super.c:1771
 do_new_mount fs/namespace.c:3337 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3863

Memory state around the buggy address:
 ffff888052d76f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888052d76f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888052d77000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff888052d77080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888052d77100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: (device loop0): ntfs_is_extended_system_file(): Inode hard link count doesn't match number of name attributes. You should run chkdsk.
ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing.
ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2.  Marking corrupt inode 0x0 as bad.  Run chkdsk.
ntfs: (device loop0): ntfs_read_inode_mount(): ntfs_read_inode() of $MFT failed. BUG or corrupt $MFT. Run chkdsk and if no errors are found, please report you saw this message to linux-ntfs-dev@lists.sourceforge.net
ntfs: (device loop0): ntfs_fill_super(): Failed to load essential metadata.

Crashes (19):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/11/30 12:11 | upstream | 3b47bc037bd4 | f819d6f7 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-badwrites-root | KASAN: use-after-free Read in ntfs_attr_find
2023/11/08 04:12 | upstream | 13d88ac54ddd | 83211397 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in ntfs_attr_find
2023/08/25 22:50 | upstream | 4f9e7fabf864 | 03d9c195 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/08/16 06:13 | upstream | 4853c74bd7ab | 39990d51 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in ntfs_attr_find
2023/05/22 07:47 | upstream | e2065b8c1b01 | 4bce1a3e | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in ntfs_attr_find
2023/02/25 23:27 | upstream | 489fa31ea873 | ee50e71c | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/10/08 17:57 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 19af4a4ed414 | 5e837c76 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-gce-arm64 | KASAN: use-after-free Read in ntfs_attr_find
2023/02/25 23:20 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2ebd1fbb946d | ee50e71c | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-gce-arm64 | KASAN: use-after-free Read in ntfs_attr_find
2023/06/08 11:39 | linux-next | 715abedee4cd | 7086cdb9 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-linux-next-kasan-gce-root | KASAN: use-after-free Read in ntfs_attr_find
2023/10/18 13:50 | upstream | 06dc10eae55b | 342b9c55 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in ntfs_attr_find
2023/06/19 06:25 | upstream | 8c1f0c38b310 | f3921d4d | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in ntfs_attr_find
2023/06/13 08:11 | upstream | fb054096aea0 | 749afb64 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/05/25 20:34 | upstream | 933174ae28ba | 0513b3e6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/05/05 08:21 | upstream | 78b421b6a7c6 | 518a39a6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/04/20 19:43 | upstream | cb0856346a60 | a219f34e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/04/03 15:40 | upstream | 7e364e56293b | 41147e3e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/03/24 13:33 | upstream | 1e760fa3596e | f94b4a29 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/03/02 00:48 | upstream | ee3f96b16468 | f8902b57 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in ntfs_attr_find
2023/06/10 09:50 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | d8b213732169 | 7086cdb9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: use-after-free Read in ntfs_attr_find
* Struck through repros no longer work on HEAD.