syzbot


KASAN: use-after-free Read in ntfs_iget
Status: fixed on 2021/03/23 15:18
Reported-by: syzbot+57a1beae03eb5395dea5@syzkaller.appspotmail.com
Fix commit: 49ee014a2070 ntfs: check for valid standard information attribute
First crash: 530d, last: 454d

Fix bisection: fixed by (bisect log):
commit 49ee014a2070b209fd73ad96a7a36193dcdd149c
Author: Rustam Kovhaev <rkovhaev@gmail.com>
Date: Wed Feb 24 20:00:30 2021 +0000

  ntfs: check for valid standard information attribute
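
The crash above is a use-after-free read of size 8 in ntfs_read_locked_inode() (fs/ntfs/inode.c:677), reached from ntfs_iget() while ntfs_fill_super() loads the system files of a mounted loop0 image whose MFT records the driver already reported as corrupt. The fix commit's title says what was missing: the resident $STANDARD_INFORMATION attribute's value offset and length were not checked against the MFT record before the value was dereferenced. The block below is an added, self-contained model of that check; it is not the kernel's code and not part of this syzbot page. MFT_RECORD_SIZE, FIRST_ATTR_OFFSET, the struct names, the demo_* functions and the sample record bytes are assumptions made for illustration; the attribute header field order is the on-disk resident layout but the struct is a stand-in for the kernel's own definitions and is only valid on little-endian hosts.

```c
/* Added example, not the kernel's code: model of the bounds check the fix
 * adds before a resident $STANDARD_INFORMATION value is dereferenced.
 * MFT_RECORD_SIZE, FIRST_ATTR_OFFSET and all names here are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MFT_RECORD_SIZE   1024u   /* assumed mft_record_size */
#define FIRST_ATTR_OFFSET 56u     /* assumed offset of the first attribute */

/* Resident attribute header in on-disk field order (stand-in, LE host only). */
struct attr_hdr {
    uint32_t type;            /* 0x10 = $STANDARD_INFORMATION */
    uint32_t length;          /* byte length of the whole attribute record */
    uint8_t  non_resident;
    uint8_t  name_length;
    uint16_t name_offset;
    uint16_t flags;
    uint16_t instance;
    uint32_t value_length;    /* read from the image: attacker-controlled */
    uint16_t value_offset;    /* read from the image: attacker-controlled */
    uint8_t  resident_flags;
    uint8_t  reserved;
};

/* Only the first $STANDARD_INFORMATION field is modelled. */
struct std_info {
    uint64_t creation_time;
};

/* 0 if [a+value_offset, a+value_offset+value_length) lies inside
 * [mrec, mrec+mrec_size), else -1. Same condition as the fix, but done in
 * size_t arithmetic so a huge value_length cannot wrap pointer math. */
static int resident_value_in_record(const uint8_t *mrec, size_t mrec_size,
                                    const struct attr_hdr *a)
{
    size_t start = (size_t)((const uint8_t *)a - mrec);
    size_t off = a->value_offset, len = a->value_length;

    if (start > mrec_size || off > mrec_size - start)
        return -1;
    if (len > mrec_size - start - off)
        return -1;
    return 0;
}

/* Read creation_time from the attribute at attr_off: 0 on success, -1 if the
 * record is rejected. Without the check, a bad offset/length makes the read
 * reach past the MFT record, which is what KASAN reported above. */
static int read_creation_time(const uint8_t *mrec, size_t mrec_size,
                              size_t attr_off, uint64_t *out)
{
    const struct attr_hdr *a;
    struct std_info si;

    if (attr_off > mrec_size || sizeof *a > mrec_size - attr_off)
        return -1;                              /* header itself must fit */
    a = (const struct attr_hdr *)(mrec + attr_off);
    if (a->non_resident || a->type != 0x10)
        return -1;
    if (resident_value_in_record(mrec, mrec_size, a) != 0)
        return -1;
    if (a->value_length < sizeof si)            /* stricter than the fix */
        return -1;
    memcpy(&si, (const uint8_t *)a + a->value_offset, sizeof si);
    *out = si.creation_time;
    return 0;
}

/* Constructed MFT record with one resident attribute; value_offset and
 * value_length are taken verbatim so corrupt records can be produced. */
static void build_record(uint8_t *mrec, uint16_t value_offset,
                         uint32_t value_length, uint64_t creation_time)
{
    struct attr_hdr h;

    memset(mrec, 0, MFT_RECORD_SIZE);
    memset(&h, 0, sizeof h);
    h.type = 0x10;
    h.length = 72;                  /* 24-byte header + 48-byte value */
    h.value_length = value_length;
    h.value_offset = value_offset;
    memcpy(mrec + FIRST_ATTR_OFFSET, &h, sizeof h);
    if ((size_t)value_offset + sizeof creation_time <= MFT_RECORD_SIZE - FIRST_ATTR_OFFSET)
        memcpy(mrec + FIRST_ATTR_OFFSET + value_offset, &creation_time,
               sizeof creation_time);
}

/* 0 when a well-formed record is accepted and the value round-trips. */
int demo_valid_record(void)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    uint64_t t = 0;
    build_record(rec, 24, 48, 0x01d6d1c3aabbccddULL);
    if (read_creation_time(rec, MFT_RECORD_SIZE, FIRST_ATTR_OFFSET, &t) != 0)
        return -1;
    return t == 0x01d6d1c3aabbccddULL ? 0 : -2;
}

/* Verdict for a value_offset that points past the end of the record. */
int demo_bad_value_offset(void)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    uint64_t t;
    build_record(rec, 0xfff0, 48, 0);
    return read_creation_time(rec, MFT_RECORD_SIZE, FIRST_ATTR_OFFSET, &t);
}

/* Verdict for a value_length that would wrap naive pointer arithmetic. */
int demo_bad_value_length(void)
{
    static uint8_t rec[MFT_RECORD_SIZE];
    uint64_t t;
    build_record(rec, 24, 0xffffffffu, 0);
    return read_creation_time(rec, MFT_RECORD_SIZE, FIRST_ATTR_OFFSET, &t);
}

int main(void)
{
    printf("valid=%d bad_offset=%d bad_length=%d\n", demo_valid_record(),
           demo_bad_value_offset(), demo_bad_value_length());
    return 0;
}
```

The check is deliberately done on sizes rather than on pointers: comparing `a + value_offset + value_length` against the record end as pointers is only safe once you know the sum cannot overflow, and on a crafted image value_length is whatever the attacker wrote. The minimum-length test is an addition of this example, not something the fix title claims; the kernel's own lookup path validates the attribute record before this point, which the example approximates with the header-fits check.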

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in ntfs_iget C done 1 450d 510d 1/1 fixed on 2021/03/29 19:17
linux-4.19 KASAN: use-after-free Read in ntfs_iget (2) C done 1 332d 332d 1/1 fixed on 2021/07/22 23:24
upstream KASAN: use-after-free Read in ntfs_iget C error error 1 543d 539d 22/22 fixed on 2021/04/09 19:46
upstream KASAN: use-after-free Read in ntfs_iget (2) C inconclusive 2 351d 347d 22/22 fixed on 2021/11/10 00:50

Sample crash report:
ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5.  Marking corrupt inode 0xa as bad.  Run chkdsk.
ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt.  Run chkdsk.
==================================================================
BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x425a/0x5000 fs/ntfs/inode.c:677
Read of size 8 at addr ffff88808b8803d5 by task syz-executor224/8003

CPU: 1 PID: 8003 Comm: syz-executor224 Not tainted 4.14.210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 ntfs_read_locked_inode+0x425a/0x5000 fs/ntfs/inode.c:677
 ntfs_iget+0xfa/0x130 fs/ntfs/inode.c:190
 load_and_init_mft_mirror fs/ntfs/super.c:1041 [inline]
 load_system_files fs/ntfs/super.c:1786 [inline]
 ntfs_fill_super+0xa5a/0x7170 fs/ntfs/super.c:2908
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0xe53/0x2a00 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3072
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4494fa
RSP: 002b:00007ffcc6fe8988 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffcc6fe89e0 RCX: 00000000004494fa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc6fe89a0
RBP: 00007ffcc6fe89a0 R08: 00007ffcc6fe89e0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

The buggy address belongs to the page:
page:ffffea00022e2000 count:0 mapcount:0 mapping:          (null) index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea00022e2060 ffffea00022e1fe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808b880280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808b880300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808b880380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff88808b880400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808b880480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2020/12/07 12:13 linux-4.14.y c196b3a9c83a f80ce148 .config log report syz C
ci2-linux-4-14 2020/12/07 09:39 linux-4.14.y c196b3a9c83a f80ce148 .config log report info