syzbot


KASAN: use-after-free Read in ntfs_read_locked_inode

Status: upstream: reported C repro on 2018/04/05 04:02
Reported-by: syzbot+19b469021157c136116a@syzkaller.appspotmail.com
First crash: 1640d, last: 723d

Cause bisection: introduced by (bisect log) :
commit 910cd32e552ea09caa89cdbe328e468979b030dd
Author: Helge Deller <deller@gmx.de>
Date: Wed Mar 30 12:14:31 2016 +0000

  parisc: Fix and enable seccomp filter support

Crash: panic: runtime error: growslice: cap out of range (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit f7c6cb1d9728dea9d9f131ef57303d6821afb0f8
Author: Stanislav Fomichev <sdf@google.com>
Date: Wed Jul 29 00:31:03 2020 +0000

  bpf: Expose socket storage to BPF_PROG_TYPE_CGROUP_SOCK

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in ntfs_read_locked_inode C done 2 586d 735d 1/1 fixed on 2021/03/24 11:10
linux-4.14 KASAN: use-after-free Read in ntfs_read_locked_inode C done 2 588d 740d 1/1 fixed on 2021/03/22 03:02
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/24 16:30 9m upstream error
2022/09/24 14:30 18m upstream OK log
2022/09/21 21:29 18m upstream OK log
2022/09/20 17:29 19m upstream OK log
2021/03/21 16:53 4m alaaemadhossney.ae@gmail.com git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 3e968c9f1401088abc9a19ae6ff571644d37a355 error

Sample crash report:
ntfs: volume version 3.1.
ntfs: volume version 3.1.
ntfs: volume version 3.1.
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x47fe/0x51b0 fs/ntfs/inode.c:670
Read of size 8 at addr ffff8801becc42e8 by task syzkaller675411/4496

CPU: 0 PID: 4496 Comm: syzkaller675411 Not tainted 4.16.0+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1a7/0x27d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 ntfs_read_locked_inode+0x47fe/0x51b0 fs/ntfs/inode.c:670
 ntfs_iget+0x1ab/0x240 fs/ntfs/inode.c:190
 load_and_init_quota fs/ntfs/super.c:1406 [inline]
 load_system_files+0x5f06/0x6c80 fs/ntfs/super.c:2117
 ntfs_fill_super+0x1485/0x2fb0 fs/ntfs/super.c:2908
 mount_bdev+0x2b7/0x370 fs/super.c:1119
 ntfs_mount+0x34/0x40 fs/ntfs/super.c:3065
 mount_fs+0x66/0x2d0 fs/super.c:1222
 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:2514 [inline]
 do_new_mount fs/namespace.c:2517 [inline]
 do_mount+0xea4/0x2b90 fs/namespace.c:2847
 ksys_mount+0xab/0x120 fs/namespace.c:3063
 SYSC_mount fs/namespace.c:3077 [inline]
 SyS_mount+0x39/0x50 fs/namespace.c:3074
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44597a
RSP: 002b:00007ffe9dfbd7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000a80 RCX: 000000000044597a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe9dfbd850
RBP: 0000000000000003 R08: 0000000020077a00 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000004
R13: 000000000000ab33 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006fb3100 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801becc4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801becc4200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801becc4280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff8801becc4300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801becc4380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (4):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2018/04/05 01:42 upstream 3e968c9f1401 676bd07e .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/10/07 17:02 upstream c85fb28b6f99 1880b4a9 .config log report syz C
ci-upstream-kasan-gce-root 2020/10/04 22:28 upstream 22fbc037cd32 5ef9c291 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/26 12:48 upstream 7c7ec3226f5f 4a006f63 .config log report syz C
* Struck through repros no longer work on HEAD.