syzbot


KASAN: out-of-bounds Write in udf_write_fi

Status: upstream: reported C repro on 2023/04/03 11:46
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+f9de9ee6cb8adb5b14c5@syzkaller.appspotmail.com
First crash: 324d, last: 77d
Fix commit to backport (bisect log) :
tree: upstream
commit e9109a92d2a95889498bed3719cd2318892171a2
Author: Jan Kara <jack@suse.cz>
Date: Thu Oct 6 14:41:23 2022 +0000

  udf: Convert udf_rename() to new directory iteration code

  
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: KASAN: null-ptr-deref Write in udf_write_fi (log)
Repro: C syz .config
  
Bug presence (2)
Date Name Commit Repro Result
2023/10/20 linux-5.15.y (ToT) 00c03985402e C [report] KASAN: null-ptr-deref Write in udf_write_fi
2023/10/20 upstream (ToT) ce55c22ec8b2 C Didn't crash
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: null-ptr-deref Write in udf_write_fi origin:lts-only C inconclusive 15 6h36m 269d 0/3 upstream: reported C repro on 2023/05/29 04:55
linux-4.19 KASAN: out-of-bounds Write in udf_write_fi udf C error 9 365d 746d 0/1 upstream: reported C repro on 2022/02/06 00:22
linux-4.14 KASAN: out-of-bounds Write in udf_write_fi C 1 364d 364d 0/1 upstream: reported C repro on 2023/02/23 05:38
upstream KASAN: null-ptr-deref Write in udf_write_fi udf C inconclusive done 51 390d 513d 22/26 fixed on 2023/06/08 14:41
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/10/23 14:14 5h08m fix candidate upstream job log (1)
2023/10/20 05:32 58m bisect fix linux-5.15.y job log (0) log

Sample crash report:
loop0: detected capacity change from 0 to 2048
UDF-fs: error (device loop0): udf_process_sequence: Primary Volume Descriptor not found!
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 0 PID: 3499 Comm: syz-executor384 Not tainted 5.15.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:crc_itu_t+0xfb/0x2a0 lib/crc-itu-t.c:60
Code: e9 75 01 00 00 48 be 00 00 00 00 00 fc ff df b8 02 00 00 00 48 29 e8 48 89 44 24 08 48 8b 14 24 49 89 d7 4c 89 f8 48 c1 e8 03 <0f> b6 04 30 84 c0 0f 85 b1 00 00 00 42 0f b6 44 22 ff 41 0f b7 ce
RSP: 0018:ffffc90002dd77b0 EFLAGS: 00010203
RAX: 0000000000000004 RBX: 0000000000000082 RCX: ffff888014fabb80
RDX: 0000000000000026 RSI: dffffc0000000000 RDI: 0000000000000001
RBP: 0000000000000082 R08: ffffffff840c4636 R09: ffff88807252f1e9
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000738e R15: 0000000000000026
FS:  0000555556025380(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca40bb000 CR3: 000000007f7fc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 udf_write_fi+0x68f/0xb70 fs/udf/namei.c:103
 udf_delete_entry fs/udf/namei.c:577 [inline]
 udf_rename+0x8b3/0x14d0 fs/udf/namei.c:1173
 vfs_rename+0xbfc/0xf90 fs/namei.c:4742
 do_renameat2+0xb97/0x13b0 fs/namei.c:4892
 __do_sys_rename fs/namei.c:4938 [inline]
 __se_sys_rename fs/namei.c:4936 [inline]
 __x64_sys_rename+0x82/0x90 fs/namei.c:4936
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f9f0940c8f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffca40baaf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f9f0940c8f9
RDX: 00007f9f0940c8f9 RSI: 0000000020000240 RDI: 0000000020000200
RBP: 00007f9f09480610 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000c17 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffca40bacc8 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 59a0b5871f103083 ]---
RIP: 0010:crc_itu_t+0xfb/0x2a0 lib/crc-itu-t.c:60
Code: e9 75 01 00 00 48 be 00 00 00 00 00 fc ff df b8 02 00 00 00 48 29 e8 48 89 44 24 08 48 8b 14 24 49 89 d7 4c 89 f8 48 c1 e8 03 <0f> b6 04 30 84 c0 0f 85 b1 00 00 00 42 0f b6 44 22 ff 41 0f b7 ce
RSP: 0018:ffffc90002dd77b0 EFLAGS: 00010203
RAX: 0000000000000004 RBX: 0000000000000082 RCX: ffff888014fabb80
RDX: 0000000000000026 RSI: dffffc0000000000 RDI: 0000000000000001
RBP: 0000000000000082 R08: ffffffff840c4636 R09: ffff88807252f1e9
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000738e R15: 0000000000000026
FS:  0000555556025380(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561ebfd490b0 CR3: 000000007f7fc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	e9 75 01 00 00       	jmp    0x17a
   5:	48 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%rsi
   c:	fc ff df
   f:	b8 02 00 00 00       	mov    $0x2,%eax
  14:	48 29 e8             	sub    %rbp,%rax
  17:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  1c:	48 8b 14 24          	mov    (%rsp),%rdx
  20:	49 89 d7             	mov    %rdx,%r15
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 30          	movzbl (%rax,%rsi,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	0f 85 b1 00 00 00    	jne    0xe7
  36:	42 0f b6 44 22 ff    	movzbl -0x1(%rdx,%r12,1),%eax
  3c:	41 0f b7 ce          	movzwl %r14w,%ecx

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/12/07 01:11 linux-5.15.y 9b91d36ba301 e3299f55 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/23 09:39 linux-5.15.y f67653019430 79782afc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/05/29 11:43 linux-5.15.y 1fe619a7d252 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/05/04 18:16 linux-5.15.y 8a7f2a5c5aa1 518a39a6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/05/03 18:26 linux-5.15.y 8a7f2a5c5aa1 b5918830 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/04/03 11:46 linux-5.15.y c957cbb87315 41147e3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/07/28 03:50 linux-5.15.y 09996673e313 92476829 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/06/25 21:33 linux-5.15.y f67653019430 79782afc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/06/25 05:52 linux-5.15.y f67653019430 79782afc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/12/06 23:01 linux-5.15.y 9b91d36ba301 e3299f55 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/09/19 22:02 linux-5.15.y 35ecaa3632bf 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/07/12 19:28 linux-5.15.y d54cfc420586 979d5fe2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/07/07 03:47 linux-5.15.y d54cfc420586 22ae5830 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/18 15:04 linux-5.15.y 471e639e59d1 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/18 14:56 linux-5.15.y 471e639e59d1 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/04/23 03:58 linux-5.15.y 3299fb36854f 2b32bd34 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/06/09 03:28 linux-5.15.y d7af3e5ba454 058b3a5a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
* Struck through repros no longer work on HEAD.