KASAN: use-after-free Write in __ext4_expand_extra_isize

Status: fixed on 2019/06/14 18:22
Subsystems: ext4
Fix commit: 7bc04c5c2cc4 ext4: fix use-after-free race with debug_want_extra_isize
First crash: 2074d, last: 1682d
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 4.4 00/76] 4.4.211-stable review 81 (81) 2020/01/22 20:52
[PATCH 4.9 00/97] 4.9.211-stable review 102 (102) 2020/01/22 20:52
[PATCH 4.19 000/105] 4.19.45-stable review 131 (131) 2019/05/23 09:18
[PATCH 5.0 000/123] 5.0.18-stable review 130 (130) 2019/05/23 05:41
[PATCH 5.1 000/128] 5.1.4-stable review 136 (136) 2019/05/22 05:35
[PATCH 4.14 00/63] 4.14.121-stable review 68 (68) 2019/05/21 21:35
[PATCH] ext4: fix use-after-free race with debug_want_extra_isize 5 (5) 2019/04/25 15:57
KASAN: use-after-free Write in __ext4_expand_extra_isize 0 (1) 2018/04/02 17:01
Similar bugs (4)
Kernel       Title                                                        Subsystem  Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
linux-4.14   KASAN: use-after-free Write in __ext4_expand_extra_isize     -          -      -             -           11     1486d  1597d     0/1      auto-closed as invalid on 2020/03/10 14:13
linux-4.19   KASAN: use-after-free Write in __ext4_expand_extra_isize     -          -      -             -           7      1473d  1535d     0/1      auto-closed as invalid on 2020/03/22 21:28
upstream     KASAN: use-after-free Write in __ext4_expand_extra_isize (2) ext4       -      -             -           14     1490d  1507d     16/25    fixed on 2019/12/13 00:31
android-414  KASAN: use-after-free Write in __ext4_expand_extra_isize     -          -      -             -           65     1465d  1698d     0/1      auto-closed as invalid on 2020/03/31 02:59

Sample crash report:
EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=64648
EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=64648
EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=64648
EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=64648
BUG: KASAN: use-after-free in memset include/linux/string.h:330 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x178/0x240 fs/ext4/inode.c:5789
Write of size 64616 at addr ffff8801c3a660a0 by task syz-executor956/4449

CPU: 0 PID: 4449 Comm: syz-executor956 Not tainted 4.17.0-rc7+ #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memset+0x23/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:330 [inline]
 __ext4_expand_extra_isize+0x178/0x240 fs/ext4/inode.c:5789
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5841 [inline]
 ext4_mark_inode_dirty+0x72f/0xb20 fs/ext4/inode.c:5917
 ext4_dirty_inode+0x97/0xc0 fs/ext4/inode.c:5951
 __mark_inode_dirty+0x811/0x1530 fs/fs-writeback.c:2129
 generic_update_time+0x255/0x420 fs/inode.c:1657
 update_time fs/inode.c:1673 [inline]
 touch_atime+0x292/0x310 fs/inode.c:1745
 file_accessed include/linux/fs.h:2063 [inline]
 iterate_dir+0x394/0x5d0 fs/readdir.c:56
 __do_sys_getdents fs/readdir.c:231 [inline]
 __se_sys_getdents fs/readdir.c:212 [inline]
 __x64_sys_getdents+0x293/0x4e0 fs/readdir.c:212
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
RIP: 0033:0x445ceb
RSP: 002b:00007ffd5d921990 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 0000000002672990 RCX: 0000000000445ceb
RDX: 0000000000008000 RSI: 0000000002672990 RDI: 0000000000000003
RBP: 0000000002672990 R08: 0000000000001161 R09: 0000000002671940
R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffffd4
R13: 0000000000000016 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00070e9980 count:2 mapcount:0 mapping:ffff8801ce85e660 index:0x4a8
flags: 0x2fffc0000001064(referenced|lru|active|private)
raw: 02fffc0000001064 ffff8801ce85e660 00000000000004a8 00000002ffffffff
raw: ffffea00070e9960 ffffea00070e99e0 ffff8801aee00348 ffff8801d9a42c80
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c3a6cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c3a6cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c3a6d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c3a6d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c3a6d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Crashes (95):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/06/03 10:24 upstream 918fe1b31579 2f93b54f .config console log report syz C ci-upstream-kasan-gce-root
2018/05/05 20:12 upstream c1c07416cdd4 6a0382b5 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/09 05:19 upstream 3fd14cdcc05a 77bd5117 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/02 11:09 upstream 0adb32858b0b dc889257 .config console log report syz C ci-upstream-kasan-gce-root
2019/04/28 23:13 upstream 9520b5324b0e b617407b .config console log report ci-upstream-kasan-gce-smack-root
2019/04/28 13:23 upstream 037904a22bf8 b617407b .config console log report ci-upstream-kasan-gce-smack-root
2019/04/24 15:55 upstream ba25b50d582f 8e3c52b1 .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/16 11:42 upstream 5512320c9f6f 505ab413 .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/15 15:18 upstream dc4060a5dc25 505ab413 .config console log report ci-upstream-kasan-gce-root
2019/04/12 04:49 upstream 2d06b235815e 13030ef8 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/09 20:41 upstream 869e3305f23d 995065ff .config console log report ci-upstream-kasan-gce-root
2019/04/02 17:01 upstream 5e7a8ca31926 dfd3394d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/14 16:15 upstream fa3d493f7a57 d09a902e .config console log report ci-upstream-kasan-gce-root
2019/03/10 09:37 upstream 6cdc577a18a6 12365b99 .config console log report ci-upstream-kasan-gce-root
2019/02/16 07:10 upstream 5ded5871030e f42dee6d .config console log report ci-upstream-kasan-gce-root
2019/02/08 10:17 upstream d47e3da17592 aa4feb03 .config console log report ci-upstream-kasan-gce-selinux-root
2019/01/30 12:38 upstream 62967898789d aa432daf .config console log report ci-upstream-kasan-gce-smack-root
2019/01/25 16:51 upstream d73aba1115cf b5d78bce .config console log report ci-upstream-kasan-gce-root
2019/01/24 07:54 upstream 30bac164aca7 56558f63 .config console log report ci-upstream-kasan-gce-root
2019/01/23 15:26 upstream 333478a7eb21 7cf3249c .config console log report ci-upstream-kasan-gce-root
2019/01/21 22:52 upstream 49a57857aeea badbbeee .config console log report ci-upstream-kasan-gce-root
2019/01/21 14:21 upstream 49a57857aeea badbbeee .config console log report ci-upstream-kasan-gce-smack-root
2019/01/18 21:51 upstream d7393226d15a 2103a236 .config console log report ci-upstream-kasan-gce-smack-root
2019/01/18 08:54 upstream a3a80255d58d 5bf17c30 .config console log report ci-upstream-kasan-gce-root
2019/01/16 23:08 upstream 47bfa6d9dc8c d538790b .config console log report ci-upstream-kasan-gce-root
2019/01/05 02:34 upstream 96d4f267e40f 0127e3ba .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/30 18:39 upstream 195303136f19 9942de5f .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/21 05:15 upstream 9097a058d49e 2b497001 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/19 13:14 upstream 62393dbcbe0f fe2dc057 .config console log report ci-upstream-kasan-gce-smack-root
2018/12/17 04:07 upstream 7566ec393f41 def91db3 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/16 12:36 upstream 6531e115b7ab def91db3 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/15 05:06 upstream eb6cf9f8cb9d 7624ddd6 .config console log report ci-upstream-kasan-gce-root
2018/12/14 02:31 upstream 65e08c5e8631 fe7127be .config console log report ci-upstream-kasan-gce-root
2018/12/13 17:09 upstream f5d582777bcb f3d9d594 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/03 06:55 upstream 6a512726090a 7dcaeaf3 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/02 14:17 upstream 4b78317679c4 e0d8c853 .config console log report ci-upstream-kasan-gce-root
2018/12/01 12:23 upstream b6839ef26e54 d8988561 .config console log report ci-upstream-kasan-gce-smack-root
2018/11/25 13:02 upstream e195ca6cb6f2 3d3ec907 .config console log report ci-upstream-kasan-gce-root
2018/11/16 00:36 upstream da5322e65940 3a41052e .config console log report ci-upstream-kasan-gce-smack-root
2018/11/13 16:49 upstream ccda4af0f4b9 5f5f6d14 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/22 10:22 linux-next 32a217bae32c dce6e62f .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/15 05:59 linux-next cf08baa29613 d72db19b .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/11 11:52 linux-next cf08baa29613 12365b99 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/07 06:04 linux-next cf08baa29613 18215b8d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/03 03:36 linux-next c63e9e91a254 1c0e457a .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/24 16:18 linux-next 94a47529a645 7a06e792 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/13 23:39 linux-next c4f3ef3eb53f 0a49c954 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/08 02:33 linux-next 1bd831d68d55 aa4feb03 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/02 05:20 linux-next 6a1d293238c1 3d85f48c .config console log report ci-upstream-linux-next-kasan-gce-root
2018/12/04 03:40 linux-next 442b8cea2477 03f94a45 .config console log report ci-upstream-linux-next-kasan-gce-root
2018/12/03 05:30 linux-next 442b8cea2477 7dcaeaf3 .config console log report ci-upstream-linux-next-kasan-gce-root
2018/11/11 23:56 linux-next 442b8cea2477 7b5f8621 .config console log report ci-upstream-linux-next-kasan-gce-root