syzbot

 sign-in | mailing list | source | docs
🐞 Open [630] 🐞 Fixed [180] 🐞 Invalid [614] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

KASAN: use-after-free Read in search_by_entry_key

Status: fixed on 2021/02/21 17:18
Reported-by: syzbot+c78d28ac5472f784e38b@syzkaller.appspotmail.com
Fix commit: b74d5f70523a reiserfs: add check for an invalid ih_entry_count
First crash: 796d, last: 690d

Fix bisection: fixed by (bisect log) :
commit b74d5f70523a819aac71e0eee4f4b530e69e463a
Author: Rustam Kovhaev <rkovhaev@gmail.com>
Date: Sun Nov 1 14:09:58 2020 +0000

  reiserfs: add check for an invalid ih_entry_count

similar bugs (6):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in search_by_entry_key (2) C inconclusive inconclusive 14 5d12h 167d 0/24 upstream: reported C repro on 2022/06/12 10:38
linux-4.14 KASAN: use-after-free Read in search_by_entry_key (2) C error 4 27d 590d 0/1 upstream: reported C repro on 2021/04/16 06:17
linux-4.19 KASAN: use-after-free Read in search_by_entry_key (3) C error 6 1d05h 163d 0/1 upstream: reported C repro on 2022/06/17 02:59
linux-4.19 KASAN: use-after-free Read in search_by_entry_key C done 1 691d 781d 1/1 fixed on 2021/02/20 09:47
upstream KASAN: use-after-free Read in search_by_entry_key C done 3 776d 779d 21/24 fixed on 2021/03/10 01:49
linux-4.19 KASAN: use-after-free Read in search_by_entry_key (2) C done 2 472d 622d 1/1 fixed on 2021/09/10 21:17

Sample crash report:
REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): using 3.5.x disk format
==================================================================
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0xc87/0xf70 fs/reiserfs/namei.c:164
Read of size 4 at addr ffff888078a437bd by task syz-executor757/6355

CPU: 1 PID: 6355 Comm: syz-executor757 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
 search_by_entry_key+0xc87/0xf70 fs/reiserfs/namei.c:164
 reiserfs_find_entry.part.0+0x138/0x1200 fs/reiserfs/namei.c:321
 reiserfs_find_entry fs/reiserfs/namei.c:367 [inline]
 reiserfs_lookup+0x1fd/0x400 fs/reiserfs/namei.c:367
 lookup_real fs/namei.c:1555 [inline]
 __lookup_hash fs/namei.c:1575 [inline]
 __lookup_hash+0x1bb/0x270 fs/namei.c:1563
 lookup_one_len+0x279/0x3a0 fs/namei.c:2539
 reiserfs_lookup_privroot+0x92/0x270 fs/reiserfs/xattr.c:963
 reiserfs_fill_super+0x1ad8/0x28b6 fs/reiserfs/super.c:2179
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0xe53/0x2a00 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3072
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x447d9a
RSP: 002b:00007ffdc6a01ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffdc6a01c00 RCX: 0000000000447d9a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc6a01bc0
RBP: 00007ffdc6a01bc0 R08: 00007ffdc6a01c00 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

The buggy address belongs to the page:
page:ffffea0001e290c0 count:0 mapcount:0 mapping:          (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea0001e29120 ffffea0001e290a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888078a43680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078a43700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888078a43780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff888078a43800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078a43880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2020/09/26 18:15 linux-4.14.y cbfa1702aaf6 2d5ea0cb .config log report syz C
ci2-linux-4-14 2020/09/22 02:21 linux-4.14.y cbfa1702aaf6 9e1fa68e .config log report syz C
ci2-linux-4-14 2020/12/07 05:02 linux-4.14.y c196b3a9c83a c521566d .config log report info
* Struck through repros no longer work on HEAD.