syzbot


KASAN: use-after-free Read in ext4_xattr_set_entry (2)

Status: fixed on 2021/10/13 07:23
Reported-by: syzbot+b0fe9558904a8bb778ac@syzkaller.appspotmail.com
Fix commit: c481607ba522 ext4: fix race writing to an inline_data file while its xattrs are changing
First crash: 898d, last: 440d

Fix bisection: fixed by (bisect log) :
commit c481607ba522e31e6ed01efefc19cc1d0e0a46fa
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sat Aug 21 03:44:17 2021 +0000

  ext4: fix race writing to an inline_data file while its xattrs are changing

similar bugs (16):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (3) C error 1 274d 759d 0/1 upstream: reported C repro on 2020/10/28 15:08
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 6 1122d 1178d 0/1 auto-closed as invalid on 2020/02/28 13:35
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 1 979d 979d 0/1 auto-closed as invalid on 2020/07/21 03:20
upstream KASAN: use-after-free Read in ext4_xattr_set_entry 1 1583d 1583d 0/24 closed as invalid on 2018/07/29 11:55
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry 4 1430d 1323d 0/1 auto-closed as invalid on 2019/06/26 01:15
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (5) 2 124d 182d 0/24 auto-obsoleted due to no activity on 2022/11/22 17:19
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (3) 4 875d 993d 0/24 auto-closed as invalid on 2020/11/02 08:32
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry syz done 10 1002d 1250d 1/1 fixed on 2020/03/30 09:03
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (4) C error done 21 278d 665d 22/24 fixed on 2022/03/28 10:17
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 19 1076d 1485d 16/24 fixed on 2020/02/14 01:19
android-54 KASAN: use-after-free Read in ext4_xattr_set_entry 6 842d 1023d 0/2 auto-closed as invalid on 2020/12/04 21:44
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry C done 9 1030d 1122d 1/1 fixed on 2020/03/01 21:06
android-5-10 general protection fault in ext4_xattr_set_entry (2) C error 19 13h05m 42d 0/2 upstream: reported C repro on 2022/10/15 11:08
android-54 KASAN: out-of-bounds Read in ext4_xattr_set_entry C 1 615d 615d 0/2 upstream: reported C repro on 2021/03/21 22:06
android-5-10 general protection fault in ext4_xattr_set_entry C error 2 65d 79d 0/2 closed as invalid on 2022/09/26 18:30
linux-4.14 KASAN: out-of-bounds Read in ext4_xattr_set_entry C error 2 79d 593d 0/1 upstream: reported C repro on 2021/04/12 14:20

Sample crash report:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop0): ext4_mb_generate_buddy:744: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/string.h:392 [inline]
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x2562/0x3750 fs/ext4/xattr.c:1733
Read of size 18446744073709551600 at addr ffff8880abc820d4 by task syz-executor288/8103

CPU: 1 PID: 8103 Comm: syz-executor288 Not tainted 4.19.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 memmove+0x20/0x50 mm/kasan/kasan.c:293
 memmove include/linux/string.h:392 [inline]
 ext4_xattr_set_entry+0x2562/0x3750 fs/ext4/xattr.c:1733
 ext4_xattr_ibody_inline_set+0x81/0x2a0 fs/ext4/xattr.c:2222
 ext4_destroy_inline_data_nolock+0x22d/0x4f0 fs/ext4/inline.c:434
 ext4_convert_inline_data_nolock+0x145/0xd10 fs/ext4/inline.c:1207
 ext4_convert_inline_data+0x347/0x3a0 fs/ext4/inline.c:2027
 ext4_fallocate+0x137/0x2150 fs/ext4/extents.c:4956
 vfs_fallocate+0x487/0x9a0 fs/open.c:308
 ksys_fallocate fs/open.c:331 [inline]
 __do_sys_fallocate fs/open.c:339 [inline]
 __se_sys_fallocate fs/open.c:337 [inline]
 __x64_sys_fallocate+0xcf/0x140 fs/open.c:337
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44a649
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a6cc272f8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00000000004cc410 RCX: 000000000044a649
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 000000000049c0c4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000010000101 R11: 0000000000000246 R12: 000000000049b0c0
R13: 0030656c69662f2e R14: e5d26e84aa4cf3c6 R15: 00000000004cc418

The buggy address belongs to the page:
page:ffffea0002af2080 count:2 mapcount:0 mapping:ffff8880ae106b60 index:0x8
flags: 0xfff0000001107c(referenced|uptodate|dirty|lru|active|private|mappedtodisk)
raw: 00fff0000001107c ffffea0002641888 ffffea0002624d08 ffff8880ae106b60
raw: 0000000000000008 ffff88808df34000 00000002ffffffff ffff8880b59f88c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8880b59f88c0

Memory state around the buggy address:
 ffff8880abc81f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880abc82000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880abc82080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                 ^
 ffff8880abc82100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880abc82180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2021/04/11 17:20 linux-4.19.y 830a059cbba6 6a81331a .config log report syz C KASAN: out-of-bounds Read in ext4_xattr_set_entry
ci2-linux-4-19 2020/11/06 23:19 linux-4.19.y b94de4d19498 cba33199 .config log report syz C
ci2-linux-4-19 2021/04/15 16:15 linux-4.19.y 0f1b4cb77d7f fcdb12ba .config log report syz KASAN: out-of-bounds Read in ext4_xattr_set_entry
ci2-linux-4-19 2021/02/22 22:04 linux-4.19.y 255b58a2b3af c26fb06b .config log report info KASAN: use-after-free Read in ext4_xattr_set_entry
ci2-linux-4-19 2020/08/29 22:22 linux-4.19.y f6d5cb9e2c06 d5a3ae1f .config log report
ci2-linux-4-19 2020/06/21 19:47 linux-4.19.y 3fc898571b97 4f2acff9 .config log report
ci2-linux-4-19 2020/06/11 12:56 linux-4.19.y 3fc898571b97 3ab7a05a .config log report
* Struck through repros no longer work on HEAD.