syzbot


KASAN: out-of-bounds Write in udf_write_fi

Status: upstream: reported C repro on 2023/04/03 11:46
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+f9de9ee6cb8adb5b14c5@syzkaller.appspotmail.com
First crash: 578d, last: 13d
Fix commit to backport (bisect log) :
tree: upstream
commit e9109a92d2a95889498bed3719cd2318892171a2
Author: Jan Kara <jack@suse.cz>
Date: Thu Oct 6 14:41:23 2022 +0000

  udf: Convert udf_rename() to new directory iteration code

[report pending]
  
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: KASAN: null-ptr-deref Write in udf_write_fi (log)
Repro: C syz .config
  
Bug presence (2)
Date Name Commit Repro Result
2023/10/20 linux-5.15.y (ToT) 00c03985402e C [report] KASAN: null-ptr-deref Write in udf_write_fi
2023/10/20 upstream (ToT) ce55c22ec8b2 C Didn't crash
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: null-ptr-deref Write in udf_write_fi origin:lts-only C inconclusive 34 57d 523d 0/3 upstream: reported C repro on 2023/05/29 04:55
linux-4.19 KASAN: out-of-bounds Write in udf_write_fi udf C error 9 619d 1000d 0/1 upstream: reported C repro on 2022/02/06 00:22
linux-4.14 KASAN: out-of-bounds Write in udf_write_fi C 1 618d 618d 0/1 upstream: reported C repro on 2023/02/23 05:38
upstream KASAN: null-ptr-deref Write in udf_write_fi udf C inconclusive done 51 644d 767d 22/28 fixed on 2023/06/08 14:41
Last patch testing requests (4)
Created Duration User Patch Repo Result
2024/10/09 06:54 14m retest repro linux-5.15.y report log
2024/10/09 06:54 19m retest repro linux-5.15.y report log
2024/10/09 06:54 32m retest repro linux-5.15.y report log
2024/10/09 06:54 1h04m retest repro linux-5.15.y report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/10/23 14:14 5h08m fix candidate upstream OK (1) job log
2023/10/20 05:32 58m bisect fix linux-5.15.y OK (0) job log log

Sample crash report:
loop0: detected capacity change from 0 to 2048
UDF-fs: INFO Mounting volume 'LiuxUDF', timestamp 2022/11/22 14:59 (1000)
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 PID: 3564 Comm: syz-executor231 Not tainted 5.15.168-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:crc_itu_t+0xfb/0x2a0 lib/crc-itu-t.c:60
Code: e9 75 01 00 00 48 be 00 00 00 00 00 fc ff df b8 02 00 00 00 48 29 e8 48 89 44 24 08 48 8b 14 24 49 89 d7 4c 89 f8 48 c1 e8 03 <0f> b6 04 30 84 c0 0f 85 b1 00 00 00 42 0f b6 44 22 ff 41 0f b7 ce
RSP: 0018:ffffc90002567790 EFLAGS: 00010203
RAX: 0000000000000004 RBX: 00000000000000fa RCX: ffff888027015940
RDX: 0000000000000026 RSI: dffffc0000000000 RDI: 0000000000000001
RBP: 00000000000000fa R08: ffffffff840e91e6 R09: ffff88807c62d374
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000479e R15: 0000000000000026
FS:  0000555571d29380(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564e5451e000 CR3: 0000000074ae1000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 udf_write_fi+0x68f/0xb70 fs/udf/namei.c:103
 udf_delete_entry fs/udf/namei.c:577 [inline]
 udf_rename+0x8b3/0x14d0 fs/udf/namei.c:1173
 vfs_rename+0xd32/0x10f0 fs/namei.c:4832
 do_renameat2+0xe0f/0x1700 fs/namei.c:4985
 __do_sys_rename fs/namei.c:5031 [inline]
 __se_sys_rename fs/namei.c:5029 [inline]
 __x64_sys_rename+0x82/0x90 fs/namei.c:5029
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fb40af63879
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5def22a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fb40af63879
RDX: 00007fb40af63879 RSI: 0000000020000080 RDI: 0000000020000000
RBP: 00007fb40afd7610 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff5def2478 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 4b867b6ccdfdfe6b ]---
RIP: 0010:crc_itu_t+0xfb/0x2a0 lib/crc-itu-t.c:60
Code: e9 75 01 00 00 48 be 00 00 00 00 00 fc ff df b8 02 00 00 00 48 29 e8 48 89 44 24 08 48 8b 14 24 49 89 d7 4c 89 f8 48 c1 e8 03 <0f> b6 04 30 84 c0 0f 85 b1 00 00 00 42 0f b6 44 22 ff 41 0f b7 ce
RSP: 0018:ffffc90002567790 EFLAGS: 00010203
RAX: 0000000000000004 RBX: 00000000000000fa RCX: ffff888027015940
RDX: 0000000000000026 RSI: dffffc0000000000 RDI: 0000000000000001
RBP: 00000000000000fa R08: ffffffff840e91e6 R09: ffff88807c62d374
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000479e R15: 0000000000000026
FS:  0000555571d29380(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564e5451e000 CR3: 0000000074ae1000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	e9 75 01 00 00       	jmp    0x17a
   5:	48 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%rsi
   c:	fc ff df
   f:	b8 02 00 00 00       	mov    $0x2,%eax
  14:	48 29 e8             	sub    %rbp,%rax
  17:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  1c:	48 8b 14 24          	mov    (%rsp),%rdx
  20:	49 89 d7             	mov    %rdx,%r15
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 30          	movzbl (%rax,%rsi,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	0f 85 b1 00 00 00    	jne    0xe7
  36:	42 0f b6 44 22 ff    	movzbl -0x1(%rdx,%r12,1),%eax
  3c:	41 0f b7 ce          	movzwl %r14w,%ecx

Crashes (45):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/20 04:10 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/04/28 19:24 linux-5.15.y b925f60c6ee7 07b455f9 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/12/07 01:11 linux-5.15.y 9b91d36ba301 e3299f55 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/23 09:39 linux-5.15.y f67653019430 79782afc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/05/29 11:43 linux-5.15.y 1fe619a7d252 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
2023/05/04 18:16 linux-5.15.y 8a7f2a5c5aa1 518a39a6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/05/03 18:26 linux-5.15.y 8a7f2a5c5aa1 b5918830 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/04/03 11:46 linux-5.15.y c957cbb87315 41147e3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: out-of-bounds Write in udf_write_fi
2023/07/28 03:50 linux-5.15.y 09996673e313 92476829 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/06/25 21:33 linux-5.15.y f67653019430 79782afc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2023/06/25 05:52 linux-5.15.y f67653019430 79782afc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: out-of-bounds Write in udf_write_fi
2024/10/20 03:39 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/09/14 02:00 linux-5.15.y 3a5928702e71 b58f933c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/09/05 07:00 linux-5.15.y 14e468424d3e dfbe2ed4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/09/05 07:00 linux-5.15.y 14e468424d3e dfbe2ed4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/07/09 09:04 linux-5.15.y f45bea23c39c bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/07/09 09:04 linux-5.15.y f45bea23c39c bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/07/09 09:04 linux-5.15.y f45bea23c39c bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/07/09 09:04 linux-5.15.y f45bea23c39c bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/22 19:32 linux-5.15.y 83655231580b 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/22 19:31 linux-5.15.y 83655231580b 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/12 07:51 linux-5.15.y 284087d4f7d5 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/12 07:28 linux-5.15.y 284087d4f7d5 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/06 20:25 linux-5.15.y 284087d4f7d5 d884b519 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/04 21:59 linux-5.15.y 284087d4f7d5 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/04 21:47 linux-5.15.y 284087d4f7d5 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/04 21:44 linux-5.15.y 284087d4f7d5 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/04 21:33 linux-5.15.y 284087d4f7d5 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/04 13:00 linux-5.15.y 284087d4f7d5 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/05/01 06:17 linux-5.15.y b925f60c6ee7 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/04/28 18:32 linux-5.15.y b925f60c6ee7 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2024/04/28 18:24 linux-5.15.y b925f60c6ee7 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/12/06 23:01 linux-5.15.y 9b91d36ba301 e3299f55 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/09/19 22:02 linux-5.15.y 35ecaa3632bf 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2024/05/12 07:59 linux-5.15.y 284087d4f7d5 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 BUG: unable to handle kernel paging request in udf_write_fi
2024/05/12 07:37 linux-5.15.y 284087d4f7d5 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 BUG: unable to handle kernel paging request in udf_write_fi
2024/05/06 20:25 linux-5.15.y 284087d4f7d5 d884b519 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 BUG: unable to handle kernel paging request in udf_write_fi
2023/07/12 19:28 linux-5.15.y d54cfc420586 979d5fe2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/07/07 03:47 linux-5.15.y d54cfc420586 22ae5830 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/18 15:04 linux-5.15.y 471e639e59d1 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/06/18 14:56 linux-5.15.y 471e639e59d1 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan general protection fault in udf_write_fi
2023/04/23 03:58 linux-5.15.y 3299fb36854f 2b32bd34 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Write in udf_write_fi
2023/06/09 03:28 linux-5.15.y d7af3e5ba454 058b3a5a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: null-ptr-deref Write in udf_write_fi
* Struck through repros no longer work on HEAD.