syzbot


KASAN: use-after-free Read in ntfs_read_locked_inode
Status: upstream: reported C repro on 2018/04/05 04:02
Reported-by: syzbot+19b469021157c136116a@syzkaller.appspotmail.com
First crash: 1512d, last: 595d

Cause bisection: introduced by (bisect log) :
commit 910cd32e552ea09caa89cdbe328e468979b030dd
Author: Helge Deller <deller@gmx.de>
Date: Wed Mar 30 12:14:31 2016 +0000

  parisc: Fix and enable seccomp filter support

Crash: panic: runtime error: growslice: cap out of range (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit f7c6cb1d9728dea9d9f131ef57303d6821afb0f8
Author: Stanislav Fomichev <sdf@google.com>
Date: Wed Jul 29 00:31:03 2020 +0000

  bpf: Expose socket storage to BPF_PROG_TYPE_CGROUP_SOCK

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in ntfs_read_locked_inode C done 2 457d 607d 1/1 fixed on 2021/03/24 11:10
linux-4.14 KASAN: use-after-free Read in ntfs_read_locked_inode C done 2 460d 612d 1/1 fixed on 2021/03/22 03:02
Patch testing requests:
Created Duration User Patch Repo Result
2021/03/21 16:53 4m alaaemadhossney.ae@gmail.com git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 3e968c9f1401088abc9a19ae6ff571644d37a355 error

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x49dc/0x58b0 fs/ntfs/inode.c:645
Read of size 8 at addr ffff88808e402e46 by task syz-executor208/6894

CPU: 0 PID: 6894 Comm: syz-executor208 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 ntfs_read_locked_inode+0x49dc/0x58b0 fs/ntfs/inode.c:645
 ntfs_iget+0x12d/0x180 fs/ntfs/inode.c:177
 load_and_init_mft_mirror fs/ntfs/super.c:1027 [inline]
 load_system_files fs/ntfs/super.c:1772 [inline]
 ntfs_fill_super+0xb30/0x8560 fs/ntfs/super.c:2894
 mount_bdev+0x32e/0x3f0 fs/super.c:1417
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x1387/0x20a0 fs/namespace.c:3192
 do_mount fs/namespace.c:3205 [inline]
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount fs/namespace.c:3390 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4494fa
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffd3c1a4dc8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd3c1a4e20 RCX: 00000000004494fa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd3c1a4de0
RBP: 00007ffd3c1a4de0 R08: 00007ffd3c1a4e20 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

Allocated by task 6875:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3659 [inline]
 __kmalloc+0x1b0/0x360 mm/slab.c:3668
 kmalloc include/linux/slab.h:559 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path2_perm+0x264/0x6b0 security/tomoyo/file.c:922
 tomoyo_path_rename+0xd2/0x130 security/tomoyo/tomoyo.c:279
 security_path_rename+0x1b5/0x2e0 security/security.c:1135
 do_renameat2+0x481/0xbf0 fs/namei.c:4452
 __do_sys_rename fs/namei.c:4502 [inline]
 __se_sys_rename fs/namei.c:4500 [inline]
 __x64_sys_rename+0x5d/0x80 fs/namei.c:4500
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6875:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3422 [inline]
 kfree+0x10e/0x2b0 mm/slab.c:3760
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path2_perm+0x264/0x6b0 security/tomoyo/file.c:922
 tomoyo_path_rename+0xd2/0x130 security/tomoyo/tomoyo.c:279
 security_path_rename+0x1b5/0x2e0 security/security.c:1135
 do_renameat2+0x481/0xbf0 fs/namei.c:4452
 __do_sys_rename fs/namei.c:4502 [inline]
 __se_sys_rename fs/namei.c:4500 [inline]
 __x64_sys_rename+0x5d/0x80 fs/namei.c:4500
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88808e402000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3654 bytes inside of
 4096-byte region [ffff88808e402000, ffff88808e403000)
The buggy address belongs to the page:
page:00000000ec636ae4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e402
head:00000000ec636ae4 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00024bfe08 ffffea000242b508 ffff8880aa040900
raw: 0000000000000000 ffff88808e402000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808e402d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808e402d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808e402e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88808e402e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808e402f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2020/10/07 17:02 upstream c85fb28b6f99 1880b4a9 .config log report syz C
ci-upstream-kasan-gce-root 2020/10/04 22:28 upstream 22fbc037cd32 5ef9c291 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/26 12:48 upstream 7c7ec3226f5f 4a006f63 .config log report syz C
ci-upstream-kasan-gce-root 2018/04/05 01:42 upstream 3e968c9f1401 676bd07e .config log report syz C