syzbot


KASAN: use-after-free Write in udf_close_lvid

Status: upstream: reported C repro on 2022/05/24 00:17
Reported-by: syzbot+60864ed35b1073540d57@syzkaller.appspotmail.com
First crash: 251d, last: 7d06h

Cause bisection: introduced by (bisect log):
commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d
Author: Jan Kara <jack@suse.cz>
Date: Mon May 3 09:39:03 2021 +0000

  udf: Check LVID earlier

Crash: KASAN: slab-out-of-bounds Write in udf_close_lvid (log)
Repro: C syz .config
Similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Write in udf_close_lvid udf | C | error | | 4 | 21d | 404d | 0/1 | upstream: reported C repro on 2021/12/21 15:22
linux-4.14 | KASAN: use-after-free Write in udf_close_lvid udf | C | | | 4 | 21d | 52d | 0/1 | upstream: reported C repro on 2022/12/07 21:30
Last patch testing requests:
Created | Duration | User | Patch | Repo | Result
2022/05/28 07:34 | 17m | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28 | OK
2022/05/24 07:31 | 15m | hdanton@sina.com | patch | upstream | report log
2022/05/24 04:48 | 4m | hdanton@sina.com | patch | upstream | error

Sample crash report:
loop0: detected capacity change from 0 to 2048
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in udf_close_lvid.isra.0+0x4a7/0x550 fs/udf/super.c:2072
Write of size 1 at addr ffff888158290aa8 by task syz-executor364/5062

CPU: 1 PID: 5062 Comm: syz-executor364 Not tainted 6.1.0-syzkaller-11674-g84e57d292203 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 udf_close_lvid.isra.0+0x4a7/0x550 fs/udf/super.c:2072
 udf_put_super+0x1bb/0x230 fs/udf/super.c:2359
 generic_shutdown_super+0x158/0x410 fs/super.c:492
 kill_block_super+0x9b/0xf0 fs/super.c:1386
 deactivate_locked_super+0x98/0x160 fs/super.c:332
 deactivate_super+0xb1/0xd0 fs/super.c:363
 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xaa8/0x2950 kernel/exit.c:867
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1010
 __do_sys_exit_group kernel/exit.c:1021 [inline]
 __se_sys_exit_group kernel/exit.c:1019 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1019
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2aba16e009
Code: Unable to access opcode bytes at 0x7f2aba16dfdf.
RSP: 002b:00007ffc88061b88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f2aba1de350 RCX: 00007f2aba16e009
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 000000000000000c
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f2aba1de350
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

The buggy address belongs to the physical page:
page:ffffea000560a400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x158290
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea000560a408 ffffea000560a408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff888158290980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888158290a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888158290a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff888158290b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888158290b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Fix bisection attempts:
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title
ci-upstream-kasan-gce-smack-root | 2022/12/28 09:05 | upstream | 4b0986a3613c | 4c7657cb | .config | console log | report | syz | C | | |
ci-upstream-kasan-gce-smack-root | 2022/08/25 13:49 | upstream | c40e8341e3b3 | 4c7657cb | .config | console log | report | syz | C | | |
ci-upstream-kasan-gce-smack-root | 2022/07/26 04:18 | upstream | e0dccc3b76fb | 4c7657cb | .config | console log | report | syz | C | | |
ci-upstream-kasan-gce-smack-root | 2022/06/25 20:51 | upstream | 0840a7914caa | 4c7657cb | .config | console log | report | syz | C | | |
* Struck through repros no longer work on HEAD.
Crashes (18):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title
ci-upstream-kasan-gce-root | 2022/12/16 18:22 | upstream | 84e57d292203 | 79e1d513 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2022/11/29 04:59 | upstream | b7b275e60bcd | ca9683b8 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | KASAN: use-after-free Write in udf_close_lvid
ci-upstream-kasan-gce-smack-root | 2022/05/23 17:07 | upstream | 4b0986a3613c | 4c7657cb | .config | console log | report | syz | C | | | KASAN: use-after-free Write in udf_close_lvid
ci-upstream-linux-next-kasan-gce-root | 2023/01/21 03:59 | linux-next | d514392f17fd | 559a440a | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2023/01/02 17:48 | upstream | 88603b6dc419 | ab32d508 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | BUG: unable to handle kernel paging request in udf_close_lvid
ci2-upstream-fs | 2022/12/30 04:23 | upstream | 2258c2dc850b | 44712fbc | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | BUG: unable to handle kernel paging request in udf_close_lvid
ci2-upstream-fs | 2022/12/02 07:49 | upstream | ef4d3ea40565 | e080de16 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | BUG: unable to handle kernel paging request in udf_close_lvid
ci-upstream-kasan-gce-smack-root | 2022/11/04 18:13 | upstream | ee6050c8af96 | 6d752409 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] | BUG: unable to handle kernel paging request in udf_close_lvid
ci2-upstream-fs | 2023/01/22 13:54 | upstream | 2241ab53cbb5 | cc0f9968 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2023/01/20 18:33 | upstream | d368967cb103 | dd15ff29 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2023/01/16 10:34 | upstream | 5dc4c995db9e | a63719e7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2023/01/15 14:01 | upstream | 7c6984405241 | a63719e7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2023/01/12 10:35 | upstream | e8f60cd7db24 | 96166539 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2022/12/20 20:43 | upstream | 6feb57c2fd7c | d3e76707 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2022/12/05 16:29 | upstream | 76dcd734eca2 | 045cbb84 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2022/12/02 18:17 | upstream | a4412fdd49dc | e080de16 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci2-upstream-fs | 2022/11/24 09:07 | upstream | 4312098baf37 | ff68ff8f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid
ci-upstream-kasan-gce-smack-root | 2022/11/04 17:44 | upstream | ee6050c8af96 | 6d752409 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Write in udf_close_lvid