syzbot


KASAN: use-after-free Read in crc_itu_t

Status: fixed on 2024/01/30 23:26
Subsystems: udf
Reported-by: syzbot+d8fc21bfa138a5ae916d@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 534d, last: 84d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in crc_itu_t (log)
Repro: syz .config
  
Fix bisection: fixed by (bisect log):
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (4)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Read in crc_itu_t 1 (4) 2024/01/26 14:11
[syzbot] Monthly udf report (Jun 2023) 0 (1) 2023/06/07 09:22
[syzbot] Monthly udf report (May 2023) 0 (1) 2023/05/06 08:19
[syzbot] Monthly udf report 0 (1) 2023/04/05 08:52
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in crc_itu_t origin:upstream C 5 7d17h 294d 0/3 upstream: reported C repro on 2023/05/30 07:40
linux-4.14 general protection fault in crc_itu_t udf C 2 380d 445d 0/1 upstream: reported C repro on 2022/12/29 23:30
linux-4.19 KASAN: use-after-free Read in crc_itu_t udf C error 4 430d 471d 0/1 upstream: reported C repro on 2022/12/03 10:52
linux-5.15 KASAN: use-after-free Read in crc_itu_t origin:upstream C 4 11d 355d 0/3 upstream: reported C repro on 2023/03/29 16:09
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/01/21 12:30 30m retest repro upstream OK log
2024/01/17 20:18 2h03m retest repro upstream OK log
2024/01/18 01:20 18m retest repro upstream OK log
2024/01/18 01:20 19m retest repro upstream OK log
2024/01/17 23:19 16m retest repro upstream OK log
2024/01/17 23:19 17m retest repro upstream OK log
2024/01/17 23:19 19m retest repro upstream OK log
2024/01/17 23:19 19m retest repro upstream OK log
2024/01/17 20:18 3h28m retest repro upstream OK log
2024/01/17 23:19 18m retest repro upstream OK log
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2024/01/26 08:18 4h52m bisect fix upstream job log (1)
2023/12/26 02:11 1h23m bisect fix upstream job log (0) log
2023/11/25 06:17 1h22m bisect fix upstream job log (0) log
2023/10/25 12:08 2h26m bisect fix upstream job log (0) log
2023/09/23 21:06 1h21m bisect fix upstream job log (0) log
2023/07/19 14:05 6h13m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff8880743a3000 by task syz-executor922/4991

CPU: 0 PID: 4991 Comm: syz-executor922 Not tainted 6.4.0-rc5-syzkaller-00016-ga4d7d7011219 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:462
 kasan_report+0x176/0x1b0 mm/kasan/report.c:572
 crc_itu_t+0x1d5/0x2a0 lib/crc-itu-t.c:60
 udf_finalize_lvid fs/udf/super.c:1988 [inline]
 udf_sync_fs+0x1d2/0x380 fs/udf/super.c:2344
 sync_filesystem+0xec/0x220 fs/sync.c:56
 generic_shutdown_super+0x6f/0x340 fs/super.c:473
 kill_block_super+0x84/0xf0 fs/super.c:1407
 deactivate_locked_super+0xa4/0x110 fs/super.c:331
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
 task_work_run+0x24a/0x300 kernel/task_work.c:179
 ptrace_notify+0x2cd/0x380 kernel/signal.c:2371
 ptrace_report_syscall include/linux/ptrace.h:411 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
 syscall_exit_work kernel/entry/common.c:252 [inline]
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:279 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:284 [inline]
 syscall_exit_to_user_mode+0x157/0x280 kernel/entry/common.c:297
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f15497fa077
Code: 09 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd38bbc1e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 000000000000d3ab RCX: 00007f15497fa077
RDX: 00007ffd38bbc39c RSI: 000000000000000a RDI: 00007ffd38bbc2a0
RBP: 00007ffd38bbc2a0 R08: 000000000000000c R09: 00007ffd38bbc080
R10: 00005555563e1633 R11: 0000000000000206 R12: 00007ffd38bbd310
R13: 00005555563e15f0 R14: 00007ffd38bbc210 R15: 0000000000000001
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001d0e8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x743a3
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001d0e908 ffffea0001ffb9c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4954, tgid 4954 (sshd), ts 47175862591, free_ts 47253283703
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0x321c/0x33a0 mm/page_alloc.c:3502
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4768
 __folio_alloc+0x13/0x30 mm/page_alloc.c:4800
 vma_alloc_folio+0x48a/0x9a0 mm/mempolicy.c:2240
 do_anonymous_page mm/memory.c:4085 [inline]
 do_pte_missing mm/memory.c:3645 [inline]
 handle_pte_fault mm/memory.c:4947 [inline]
 __handle_mm_fault mm/memory.c:5089 [inline]
 handle_mm_fault+0x2942/0x5860 mm/memory.c:5243
 do_user_addr_fault arch/x86/mm/fault.c:1349 [inline]
 handle_page_fault arch/x86/mm/fault.c:1534 [inline]
 exc_page_fault+0x274/0x910 arch/x86/mm/fault.c:1590
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x903/0xa30 mm/page_alloc.c:2564
 free_unref_page_list+0x596/0x830 mm/page_alloc.c:2705
 release_pages+0x2193/0x2470 mm/swap.c:1042
 tlb_batch_pages_flush mm/mmu_gather.c:97 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
 tlb_flush_mmu+0x100/0x210 mm/mmu_gather.c:299
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:391
 unmap_region+0x258/0x2a0 mm/mmap.c:2222
 do_vmi_align_munmap+0x1123/0x1820 mm/mmap.c:2473
 do_vmi_munmap+0x24a/0x2b0 mm/mmap.c:2530
 __vm_munmap+0x226/0x470 mm/mmap.c:2805
 __do_sys_munmap mm/mmap.c:2830 [inline]
 __se_sys_munmap mm/mmap.c:2827 [inline]
 __x64_sys_munmap+0x69/0x80 mm/mmap.c:2827
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880743a2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880743a2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880743a3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880743a3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880743a3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (50):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/06/07 02:08 upstream a4d7d7011219 a4ae4f42 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/25 21:39 upstream 933174ae28ba 0513b3e6 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/18 06:55 upstream 1b66c114d161 3bb7af1d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/15 19:03 upstream f1fcbaa18b28 c4d362e7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/13 09:05 upstream 9a48d6046722 2b9ba477 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/11 19:02 upstream d295b66a7b66 0fbd49f4 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/05 01:22 upstream 1a5304fecee5 518a39a6 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/02 20:31 upstream 865fdb08197e 52d40fd2 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/04/30 16:38 upstream 825a0714d2b3 62df2017 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/02/14 08:39 upstream f6feea56f66d 93ae7e0a .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2022/12/29 08:28 upstream 1b929c02afd3 44712fbc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2022/12/26 23:29 upstream 1b929c02afd3 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2022/12/25 00:38 upstream 72a85e2b0a1e 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2022/12/18 21:54 upstream f9ff5644bcc0 05494336 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2022/11/28 16:51 upstream b7b275e60bcd 247de55b .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/02/25 13:57 upstream 8cbd92339db0 ee50e71c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/01/15 17:48 linux-next 0a093b2893c7 a63719e7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2022/12/22 00:18 upstream b6bb9676f216 4067838e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs general protection fault in crc_itu_t
2022/10/21 19:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci-upstream-gce-arm64 BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
2022/11/13 19:04 upstream fef7fd48922d 3ead01ad .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2023/05/30 20:39 upstream 8b817fded42d 09898419 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2023/05/21 20:27 upstream e2065b8c1b01 4bce1a3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/21 14:56 upstream 0dd2a6fb1e34 4bce1a3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/14 17:58 upstream bb7c241fae62 2b9ba477 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/09 01:35 upstream ba0ad6ed89fd c7a5e2a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/05/06 20:03 upstream fc4354c6e5c2 90c93c40 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in crc_itu_t
2023/05/05 19:04 upstream 78b421b6a7c6 4cec9341 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in crc_itu_t
2023/04/29 11:38 upstream 89d77f71f493 62df2017 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/04/19 17:07 upstream 789b4a41c247 94b4184e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/04/18 13:25 upstream 6a8f57ae2eb0 436577a9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/04/10 04:46 upstream 09a9639e56c0 71147e29 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in crc_itu_t
2023/03/31 11:50 upstream 62bad54b26db f325deb0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in crc_itu_t
2023/03/28 13:41 upstream 3a93e40326c8 48c74771 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in crc_itu_t
2023/02/27 05:03 upstream f3a2439f20d9 ee50e71c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2022/11/30 14:44 upstream 01f856ae6d0c 4c2a66e8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2022/10/01 10:51 upstream 70575e77839f feb56351 .config console log report info [disk image] [vmlinux] ci2-upstream-fs KASAN: use-after-free Read in crc_itu_t
2023/03/13 07:31 upstream eeac8ede1755 5205ef30 .config console log report info ci-qemu-upstream-386 KASAN: use-after-free Read in crc_itu_t
2023/02/24 05:41 upstream d2980d8d8265 630c6bc9 .config console log report info ci-qemu-upstream-386 KASAN: use-after-free Read in crc_itu_t
2023/06/08 09:30 linux-next 715abedee4cd 7086cdb9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in crc_itu_t
2023/02/03 22:26 upstream 66a87fff1a87 1b2f701a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2023/01/18 10:24 upstream 6e50979a9c87 42660d9e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/11/02 21:57 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/11/02 14:59 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/11/02 09:30 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/11/02 01:08 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/10/31 07:37 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/10/30 21:21 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/10/30 03:34 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in crc_itu_t
2022/10/29 23:03 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in crc_itu_t
2022/10/21 19:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config console log report info [disk image] [vmlinux] ci-upstream-gce-arm64 BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
* Struck through repros no longer work on HEAD.