syzbot

 sign-in | mailing list | source | docs
🐞 Open [1158] Subsystems 🐞 Fixed [4412] 🐞 Invalid [9929] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in crc_itu_t

Status: upstream: reported C repro on 2022/10/01 14:28
Subsystems: udf (incorrect?)
Reported-by: syzbot+d8fc21bfa138a5ae916d@syzkaller.appspotmail.com
First crash: 180d, last: 2d02h

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in crc_itu_t (log)
Repro: syz .config
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in crc_itu_t udf C 2 25d 90d 0/1 upstream: reported C repro on 2022/12/29 23:30
linux-4.19 KASAN: use-after-free Read in crc_itu_t udf C error 4 75d 117d 0/1 upstream: reported C repro on 2022/12/03 10:52
linux-5.15 KASAN: use-after-free Read in crc_itu_t 1 23h52m 23h52m 0/3 upstream: reported on 2023/03/29 16:09

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88807408e000 by task syz-executor303/5070

CPU: 0 PID: 5070 Comm: syz-executor303 Not tainted 6.2.0-syzkaller-10443-g8cbd92339db0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:430
 kasan_report+0x143/0x170 mm/kasan/report.c:536
 crc_itu_t+0x1d5/0x2a0 lib/crc-itu-t.c:60
 udf_finalize_lvid fs/udf/super.c:1988 [inline]
 udf_sync_fs+0x1d2/0x380 fs/udf/super.c:2344
 sync_filesystem+0xec/0x220 fs/sync.c:56
 generic_shutdown_super+0x6f/0x340 fs/super.c:473
 kill_block_super+0x7e/0xe0 fs/super.c:1398
 deactivate_locked_super+0xa4/0x110 fs/super.c:331
 cleanup_mnt+0x490/0x520 fs/namespace.c:1177
 task_work_run+0x24a/0x300 kernel/task_work.c:179
 ptrace_notify+0x2cd/0x380 kernel/signal.c:2354
 ptrace_report_syscall include/linux/ptrace.h:411 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
 syscall_exit_work kernel/entry/common.c:251 [inline]
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x17a/0x2e0 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe1f89b7e57
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd1e4fbb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe1f89b7e57
RDX: 00007ffcd1e4fc79 RSI: 000000000000000a RDI: 00007ffcd1e4fc70
RBP: 00007ffcd1e4fc70 R08: 00000000ffffffff R09: 00007ffcd1e4fa50
R10: 00005555568b3653 R11: 0000000000000206 R12: 00007ffcd1e50ce0
R13: 00005555568b35f0 R14: 00007ffcd1e4fbe0 R15: 0000000000000007
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001d02380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7408e
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001fdb448 ffffea0001d023c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5075, tgid 5075 (syz-executor303), ts 66156089751, free_ts 66244626699
 prep_new_page mm/page_alloc.c:2552 [inline]
 get_page_from_freelist+0x37e0/0x3970 mm/page_alloc.c:4325
 __alloc_pages+0x291/0x7f0 mm/page_alloc.c:5591
 __folio_alloc+0x13/0x30 mm/page_alloc.c:5623
 vma_alloc_folio+0x48a/0x9a0 mm/mempolicy.c:2244
 do_anonymous_page mm/memory.c:4052 [inline]
 handle_pte_fault mm/memory.c:4907 [inline]
 __handle_mm_fault mm/memory.c:5051 [inline]
 handle_mm_fault+0x2984/0x51c0 mm/memory.c:5197
 do_user_addr_fault arch/x86/mm/fault.c:1407 [inline]
 handle_page_fault arch/x86/mm/fault.c:1498 [inline]
 exc_page_fault+0x685/0x8a0 arch/x86/mm/fault.c:1554
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1453 [inline]
 free_pcp_prepare mm/page_alloc.c:1503 [inline]
 free_unref_page_prepare+0xf0e/0xf70 mm/page_alloc.c:3387
 free_unref_page_list+0x6be/0x960 mm/page_alloc.c:3528
 release_pages+0x219e/0x2470 mm/swap.c:1042
 tlb_batch_pages_flush mm/mmu_gather.c:97 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
 tlb_flush_mmu+0x100/0x210 mm/mmu_gather.c:299
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:391
 exit_mmap+0x2c9/0x990 mm/mmap.c:3047
 __mmput+0x115/0x3c0 kernel/fork.c:1209
 exit_mm+0x227/0x310 kernel/exit.c:563
 do_exit+0x612/0x2290 kernel/exit.c:856
 do_group_exit+0x206/0x2c0 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88807408df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807408df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807408e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88807408e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807408e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (28):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-fs 2023/02/25 13:57 upstream 8cbd92339db0 ee50e71c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci-upstream-kasan-gce-root 2023/02/14 08:39 upstream f6feea56f66d 93ae7e0a .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/12/29 08:28 upstream 1b929c02afd3 44712fbc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/12/26 23:29 upstream 1b929c02afd3 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci-upstream-kasan-gce-root 2022/12/25 00:38 upstream 72a85e2b0a1e 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci-upstream-kasan-gce-root 2022/12/18 21:54 upstream f9ff5644bcc0 05494336 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/11/28 16:51 upstream b7b275e60bcd 247de55b .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci-upstream-linux-next-kasan-gce-root 2023/01/15 17:48 linux-next 0a093b2893c7 a63719e7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/12/22 00:18 upstream b6bb9676f216 4067838e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] general protection fault in crc_itu_t
ci-upstream-gce-arm64 2022/10/21 19:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config console log report syz C [disk image] [vmlinux] [mounted in repro] BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
ci-upstream-kasan-gce-root 2022/11/13 19:04 upstream fef7fd48922d 3ead01ad .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] KASAN: use-after-free Read in crc_itu_t
ci-upstream-kasan-gce-selinux-root 2023/03/28 13:41 upstream 3a93e40326c8 48c74771 .config console log report info [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2023/02/27 05:03 upstream f3a2439f20d9 ee50e71c .config console log report info [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/11/30 14:44 upstream 01f856ae6d0c 4c2a66e8 .config console log report info [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2022/10/01 10:51 upstream 70575e77839f feb56351 .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in crc_itu_t
ci-qemu-upstream-386 2023/03/13 07:31 upstream eeac8ede1755 5205ef30 .config console log report info KASAN: use-after-free Read in crc_itu_t
ci-qemu-upstream-386 2023/02/24 05:41 upstream d2980d8d8265 630c6bc9 .config console log report info KASAN: use-after-free Read in crc_itu_t
ci2-upstream-fs 2023/02/03 22:26 upstream 66a87fff1a87 1b2f701a .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2023/01/18 10:24 upstream 6e50979a9c87 42660d9e .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 21:57 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 14:59 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 09:30 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/11/02 01:08 upstream b229b6ca5abb 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/31 07:37 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/30 21:21 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci-upstream-kasan-gce-root 2022/10/30 03:34 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci2-upstream-fs 2022/10/29 23:03 upstream b229b6ca5abb 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] general protection fault in crc_itu_t
ci-upstream-gce-arm64 2022/10/21 19:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 4bfd3c27 .config console log report info [disk image] [vmlinux] BUG: unable to handle kernel NULL pointer dereference in crc_itu_t
* Struck through repros no longer work on HEAD.