KASAN: use-after-free Read in search_by_entry

KASAN: use-after-free Read in search_by_entry_key
Status: fixed on 2021/02/21 17:18
Reported-by: syzbot+c78d28ac5472f784e38b@syzkaller.appspotmail.com
Fix commit: b74d5f70523a reiserfs: add check for an invalid ih_entry_count
First crash: 603d, last: 497d

Fix bisection: fixed by (bisect log) :
commit b74d5f70523a819aac71e0eee4f4b530e69e463a
Author: Rustam Kovhaev <rkovhaev@gmail.com>
Date: Sun Nov 1 14:09:58 2020 +0000

reiserfs: add check for an invalid ih_entry_count

similar bugs (4):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in search_by_entry_key (2)	C			1	5d15h	397d	0/1	upstream: reported C repro on 2021/04/16 06:17
linux-4.19	KASAN: use-after-free Read in search_by_entry_key	C		done	1	498d	588d	1/1	fixed on 2021/02/20 09:47
upstream	KASAN: use-after-free Read in search_by_entry_key	C	done		3	583d	586d	21/22	fixed on 2021/03/10 01:49
linux-4.19	KASAN: use-after-free Read in search_by_entry_key (2)	C		done	2	279d	429d	1/1	fixed on 2021/09/10 21:17

Sample crash report:

REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): using 3.5.x disk format
==================================================================
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0xc87/0xf70 fs/reiserfs/namei.c:164
Read of size 4 at addr ffff888078a437bd by task syz-executor757/6355

CPU: 1 PID: 6355 Comm: syz-executor757 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
 search_by_entry_key+0xc87/0xf70 fs/reiserfs/namei.c:164
 reiserfs_find_entry.part.0+0x138/0x1200 fs/reiserfs/namei.c:321
 reiserfs_find_entry fs/reiserfs/namei.c:367 [inline]
 reiserfs_lookup+0x1fd/0x400 fs/reiserfs/namei.c:367
 lookup_real fs/namei.c:1555 [inline]
 __lookup_hash fs/namei.c:1575 [inline]
 __lookup_hash+0x1bb/0x270 fs/namei.c:1563
 lookup_one_len+0x279/0x3a0 fs/namei.c:2539
 reiserfs_lookup_privroot+0x92/0x270 fs/reiserfs/xattr.c:963
 reiserfs_fill_super+0x1ad8/0x28b6 fs/reiserfs/super.c:2179
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0xe53/0x2a00 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3072
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x447d9a
RSP: 002b:00007ffdc6a01ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffdc6a01c00 RCX: 0000000000447d9a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc6a01bc0
RBP: 00007ffdc6a01bc0 R08: 00007ffdc6a01c00 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

The buggy address belongs to the page:
page:ffffea0001e290c0 count:0 mapcount:0 mapping:          (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea0001e29120 ffffea0001e290a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888078a43680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078a43700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888078a43780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff888078a43800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078a43880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info
ci2-linux-4-14	2020/09/26 18:15	linux-4.14.y	cbfa1702aaf6	2d5ea0cb	.config	log	report	syz	C
ci2-linux-4-14	2020/09/22 02:21	linux-4.14.y	cbfa1702aaf6	9e1fa68e	.config	log	report	syz	C
ci2-linux-4-14	2020/12/07 05:02	linux-4.14.y	c196b3a9c83a	c521566d	.config	log	report			info