syzbot


KASAN: out-of-bounds Read in leaf_paste_in_buffer

Status: upstream: reported C repro on 2022/12/03 21:39
Subsystems: reiserfs
Reported-by: syzbot+3c1eef603f3e794cdae9@syzkaller.appspotmail.com
First crash: 480d, last: 389d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: out-of-bounds Read in leaf_paste_in_buffer origin:upstream C error 45 101d 283d 0/3 upstream: reported C repro on 2023/06/18 14:09
linux-4.19 KASAN: out-of-bounds Read in leaf_paste_in_buffer reiserfs C 13 414d 487d 0/1 upstream: reported C repro on 2022/11/27 00:33
upstream KASAN: use-after-free Read in leaf_paste_in_buffer reiserfs C error done 310 57d 482d 0/26 upstream: reported C repro on 2022/12/01 11:54
linux-6.1 KASAN: use-after-free Read in leaf_paste_in_buffer origin:upstream C done 56 58d 285d 0/3 upstream: reported C repro on 2023/06/16 18:50
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/03/05 05:21 26m bisect fix linux-4.14.y job log (0) log
2023/02/03 04:58 23m bisect fix linux-4.14.y job log (0) log

Sample crash report:
REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: out-of-bounds in memcpy include/linux/string.h:376 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_in_buffer+0x981/0xb80 fs/reiserfs/lbalance.c:1043
Read of size 80 at addr ffff88808b242fe0 by task syz-executor211/8196

CPU: 1 PID: 8196 Comm: syz-executor211 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report+0x6f/0x80 mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:376 [inline]
 leaf_paste_in_buffer+0x981/0xb80 fs/reiserfs/lbalance.c:1043
 leaf_copy_dir_entries.isra.0+0x770/0x8f0 fs/reiserfs/lbalance.c:108
 leaf_copy_boundary_item fs/reiserfs/lbalance.c:168 [inline]
 leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
 leaf_move_items+0x147e/0x3440 fs/reiserfs/lbalance.c:726
 leaf_shift_left+0x9f/0x360 fs/reiserfs/lbalance.c:750
 balance_leaf_left fs/reiserfs/do_balan.c:622 [inline]
 balance_leaf+0x2b73/0xba30 fs/reiserfs/do_balan.c:1420
 do_balance+0x282/0x630 fs/reiserfs/do_balan.c:1899
 reiserfs_insert_item+0x95b/0xc70 fs/reiserfs/stree.c:2271
 reiserfs_get_block+0xb54/0x36b0 fs/reiserfs/inode.c:876
 __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
 reiserfs_write_begin+0x2e3/0x8a0 fs/reiserfs/inode.c:2793
 generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
 __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
 call_write_iter include/linux/fs.h:1780 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44c/0x630 fs/read_write.c:482
 __kernel_write+0xf5/0x330 fs/read_write.c:501
 dump_emit+0x153/0x280 fs/coredump.c:806
 elf_core_dump+0x2672/0x4410 fs/binfmt_elf.c:2308
 do_coredump+0x1a43/0x29f0 fs/coredump.c:770
 get_signal+0xc9f/0x1ca0 kernel/signal.c:2406
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the page:
page:ffffea00022c9080 count:2 mapcount:0 mapping:ffff8880a4c13b68 index:0x213
flags: 0xfff00000001064(referenced|lru|active|private)
raw: 00fff00000001064 ffff8880a4c13b68 0000000000000213 00000002ffffffff
raw: ffffea00022c9060 ffffea00022c2f20 ffff88808abf3348 ffff88823b3288c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88823b3288c0

Memory state around the buggy address:
 ffff88808b242f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b242f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808b243000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                     ^
 ffff88808b243080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b243100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
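Reading the report above, two details matter for triage: the 80-byte read starts at ffff88808b242fe0 and runs past the end of that page into ffff88808b243000, and the "Memory state" rows are all 00 while the caret sits six granules into the marked row, i.e. at ffff88808b243030, which is exactly addr + size. In v4.14 mm/kasan/report.c that is what find_first_bad_addr() returns when every granule reads as accessible by the time the report is printed, and get_shadow_bug_type() then titles a shadow value of 0 "out-of-bounds" with a comment that this can only happen through a race. Together with the fact that the same reproducer on the same tree is otherwise titled use-after-free (see the Crashes table below), the "out-of-bounds" title should be read as a racy reclassification of the use-after-free rather than a separate bug. The following program is an added example, not part of the syzbot page or of the kernel; it redoes that arithmetic on the numbers from the report. The x86-64 constants (KASAN_SHADOW_OFFSET, PAGE_OFFSET, VMEMMAP_START, a 64-byte struct page, no KASLR) are assumptions that the code checks against the "page:" line of the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed x86-64 layout for the syzbot v4.14 config (no KASLR); the
 * PAGE_OFFSET/VMEMMAP_START/sizeof(struct page) guesses are verified against
 * the "page:" line of the report in triage_report(). */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define PAGE_OFFSET              0xffff888000000000ULL
#define VMEMMAP_START            0xffffea0000000000ULL
#define SIZEOF_STRUCT_PAGE       64
#define PAGE_SHIFT               12

/* Shadow byte values from v4.14 mm/kasan/kasan.h (subset). */
#define KASAN_FREE_PAGE        0xFF
#define KASAN_PAGE_REDZONE     0xFE
#define KASAN_KMALLOC_REDZONE  0xFC
#define KASAN_KMALLOC_FREE     0xFB

/* Copied from the report above. The five dumped shadow rows are all 00. */
#define REPORT_ACCESS_LINE "Read of size 80 at addr ffff88808b242fe0 by task syz-executor211/8196"
#define REPORT_DUMP_BASE   0xffff88808b242f00ULL  /* first "Memory state" row */
#define REPORT_MARKED_ROW  0xffff88808b243000ULL  /* row prefixed with '>' */
#define REPORT_CARET_COL   38                     /* 1-based column of '^' */
#define REPORT_PAGE_LINE   0xffffea00022c9080ULL  /* "page:" line */

struct triage {
    uint64_t addr, size, shadow_addr, struct_page, first_bad, caret_addr;
    int is_write, crosses_page, page_line_matches;
    const char *bug_type;
};

static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Direct-map address -> address of its struct page in vmemmap. */
static uint64_t virt_to_page(uint64_t addr)
{
    return VMEMMAP_START + ((addr - PAGE_OFFSET) >> PAGE_SHIFT) * SIZEOF_STRUCT_PAGE;
}

/* Parse "Read of size N at addr X ..." / "Write of size N at addr X ...". */
static int parse_access_line(const char *line, struct triage *t)
{
    char kind[8];
    unsigned long long size, addr;
    if (sscanf(line, "%7s of size %llu at addr %llx", kind, &size, &addr) != 3)
        return 0;
    t->is_write = strcmp(kind, "Write") == 0;
    t->size = size;
    t->addr = addr;
    return 1;
}

/* Column of the '^' under a dump row (">ffff...: 00 00 ...") -> marked address.
 * The first shadow byte starts at 1-based column 20, three columns per byte. */
static uint64_t caret_to_addr(uint64_t row_addr, int caret_col)
{
    return row_addr + ((uint64_t)((caret_col - 20) / 3) << KASAN_SHADOW_SCALE_SHIFT);
}

/* Same walk as v4.14 find_first_bad_addr(): step one granule at a time while
 * the shadow byte is 0; yields addr + size when every granule looks accessible.
 * 'shadow' is a snapshot of the dumped rows starting at snapshot_base. */
static uint64_t find_first_bad_addr(const uint8_t *shadow, uint64_t snapshot_base,
                                    uint64_t addr, uint64_t size)
{
    uint64_t p = addr;
    while (p < addr + size &&
           shadow[(p - snapshot_base) >> KASAN_SHADOW_SCALE_SHIFT] == 0)
        p += KASAN_SHADOW_SCALE_SIZE;
    return p;
}

/* Title chosen by v4.14 get_shadow_bug_type() for the shadow byte at
 * first_bad_addr (stack/global/scope cases omitted). 0..7 gives "out-of-bounds";
 * the kernel notes that 0 is only reachable through a data race. */
static const char *bug_type_for_shadow(uint8_t v)
{
    if (v < KASAN_SHADOW_SCALE_SIZE)
        return "out-of-bounds";
    if (v == KASAN_PAGE_REDZONE || v == KASAN_KMALLOC_REDZONE)
        return "slab-out-of-bounds";
    if (v == KASAN_FREE_PAGE || v == KASAN_KMALLOC_FREE)
        return "use-after-free";
    return "unknown-crash";
}

/* Redo the report's arithmetic; returns NULL if the access line does not parse. */
static const struct triage *triage_report(void)
{
    static struct triage t;
    uint8_t shadow[5 * 16];                 /* five rows x 16 granules, all 00 */
    memset(shadow, 0, sizeof shadow);
    memset(&t, 0, sizeof t);
    if (!parse_access_line(REPORT_ACCESS_LINE, &t))
        return NULL;
    t.shadow_addr       = kasan_mem_to_shadow(t.addr);
    t.struct_page       = virt_to_page(t.addr);
    t.page_line_matches = t.struct_page == REPORT_PAGE_LINE;
    t.crosses_page      = (t.addr >> PAGE_SHIFT) != ((t.addr + t.size - 1) >> PAGE_SHIFT);
    t.first_bad         = find_first_bad_addr(shadow, REPORT_DUMP_BASE, t.addr, t.size);
    t.caret_addr        = caret_to_addr(REPORT_MARKED_ROW, REPORT_CARET_COL);
    t.bug_type          = bug_type_for_shadow(
        shadow[(t.first_bad - REPORT_DUMP_BASE) >> KASAN_SHADOW_SCALE_SHIFT]);
    return &t;
}

int main(void)
{
    const struct triage *t = triage_report();
    if (!t)
        return 1;
    printf("%s of %llu bytes at %#llx..%#llx, shadow %#llx, struct page %#llx (%s report)\n",
           t->is_write ? "write" : "read", (unsigned long long)t->size,
           (unsigned long long)t->addr, (unsigned long long)(t->addr + t->size),
           (unsigned long long)t->shadow_addr, (unsigned long long)t->struct_page,
           t->page_line_matches ? "matches" : "differs from");
    printf("crosses page: %s; first bad addr %#llx; caret marks %#llx; title: %s\n",
           t->crosses_page ? "yes" : "no", (unsigned long long)t->first_bad,
           (unsigned long long)t->caret_addr, t->bug_type);
    return 0;
}
```

The computed struct page address equals the one the report dumps, which confirms the assumed memory layout; the walk over an all-zero shadow snapshot lands on ffff88808b243030, the same address the caret marks, and that granule's value of 0 is what produces the "out-of-bounds" title.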

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/12/03 21:38 linux-4.14.y 179ef7fe8677 e080de16 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: out-of-bounds Read in leaf_paste_in_buffer
2023/01/02 14:20 linux-4.14.y c4215ee4771b ab32d508 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in leaf_paste_in_buffer
2023/01/01 06:48 linux-4.14.y c4215ee4771b ab32d508 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Write in leaf_paste_in_buffer
2022/12/30 06:36 linux-4.14.y c4215ee4771b 44712fbc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in leaf_paste_in_buffer
2022/12/10 22:16 linux-4.14.y 65afe34ac33d 67be1ae7 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in leaf_paste_in_buffer
2022/12/19 10:41 linux-4.14.y c4215ee4771b 05494336 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in leaf_paste_in_buffer
* Struck through repros no longer work on HEAD.