syzbot


KASAN: use-after-free Read in crc_itu_t

Status: upstream: reported C repro on 2022/10/01 14:28
Reported-by: syzbot+d8fc21bfa138a5ae916d@syzkaller.appspotmail.com
First crash: 56d, last: 13d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in crc_itu_t (log)
Repro: syz .config

Sample crash report:
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
loop0: detected capacity change from 0 to 2048
Unable to handle kernel NULL pointer dereference at virtual address 000000000000001a
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107067000
[000000000000001a] pgd=080000010904b003, p4d=080000010904b003, pud=0800000109e4e003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3031 Comm: syz-executor632 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : crc_itu_t+0x40/0x88 lib/crc-itu-t.c:60
lr : crc_itu_t+0x30/0x88 lib/crc-itu-t.c:59
sp : ffff800012a03a20
x29: ffff800012a03a20 x28: 0000000000000026 x27: 000000000000002c
x26: 00000000fffffff0 x25: 0000000000000000 x24: 00000000b147c223
x23: ffff0000c752c690 x22: ffff80000c170b50 x21: 000000000000ffd9
x20: 000000000000001a x19: 00000000b147c223 x18: 00000000000000c0
x17: ffff80000dd0b198 x16: ffff80000db49158 x15: ffff0000c5d8cf80
x14: 0000000000000010 x13: 0000000000000000 x12: ffff0000c5d8cf80
x11: ff808000095d5cec x10: 0000000000000000 x9 : ffff0000c5d8cf80
x8 : ffff8000095d5cec x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000004 x3 : 0000000000000010
x2 : 000000000000ffda x1 : 000000000000ffda x0 : 0000000000000000
Call trace:
 crc_itu_t+0x40/0x88
 udf_write_fi+0x308/0x4e0
 udf_delete_entry fs/udf/namei.c:577 [inline]
 udf_rename+0x47c/0x6d0 fs/udf/namei.c:1173
 vfs_rename+0x59c/0x7f8 fs/namei.c:4756
 do_renameat2+0x490/0x758 fs/namei.c:4907
 __do_sys_renameat2 fs/namei.c:4940 [inline]
 __se_sys_renameat2 fs/namei.c:4937 [inline]
 __arm64_sys_renameat2+0x6c/0x88 fs/namei.c:4937
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: b40001f5 f0015cd6 d10006b5 912d42d6 (38401688) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	b40001f5 	cbz	x21, 0x3c
   4:	f0015cd6 	adrp	x22, 0x2b9b000
   8:	d10006b5 	sub	x21, x21, #0x1
   c:	912d42d6 	add	x22, x22, #0xb50
* 10:	38401688 	ldrb	w8, [x20], #1 <-- trapping instruction

Crashes (12):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-gce-arm64 2022/10/21 19:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
ci-upstream-kasan-gce-root 2022/11/13 19:04 upstream fef7fd48922d 3ead01ad .config log report syz KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/10/01 10:51 upstream 70575e77839f feb56351 .config log report info KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/11/02 21:57 upstream b229b6ca5abb 08977f5d .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 14:59 upstream b229b6ca5abb 08977f5d .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 09:30 upstream b229b6ca5abb 08977f5d .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 01:08 upstream b229b6ca5abb 08977f5d .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/31 07:37 upstream b229b6ca5abb 2a71366b .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/30 21:21 upstream b229b6ca5abb 2a71366b .config log report info general protection fault in crc_itu_t
ci-upstream-kasan-gce-root 2022/10/30 03:34 upstream b229b6ca5abb 2a71366b .config log report info general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/29 23:03 upstream b229b6ca5abb 2a71366b .config log report info general protection fault in crc_itu_t
ci-upstream-gce-arm64 2022/10/21 19:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config log report info BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
* Struck through repros no longer work on HEAD.