syzbot


KASAN: slab-out-of-bounds Read in ntfs_attr_find (2)

Status: upstream: reported C repro on 2022/08/25 11:21
Reported-by: syzbot+d1c69adac1c973a02e29@syzkaller.appspotmail.com
First crash: 641d, last: 456d
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ntfs_attr_find ntfs3 C done 74 475d 641d 22/26 fixed on 2023/02/24 13:50
upstream KASAN: slab-out-of-bounds Read in ntfs_attr_find ntfs3 C done 9 1321d 2247d 15/26 fixed on 2020/11/16 12:12
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_attr_find C done 10 1314d 1342d 1/1 fixed on 2020/11/20 16:27
linux-5.15 KASAN: slab-out-of-bounds Read in ntfs_attr_find 1 399d 399d 0/3 auto-obsoleted due to no activity on 2023/08/22 04:27
linux-4.19 KASAN: slab-out-of-bounds Read in ntfs_attr_find C done 10 1282d 1339d 1/1 fixed on 2020/12/23 11:20
linux-5.15 KASAN: use-after-free Read in ntfs_attr_find missing-backport origin:lts-only C error 4 8d06h 128d 0/3 upstream: reported C repro on 2024/01/20 12:39
linux-6.1 KASAN: use-after-free Read in ntfs_attr_find 3 400d 411d 0/3 auto-obsoleted due to no activity on 2023/08/21 05:46
upstream KASAN: use-after-free Read in ntfs_attr_find (2) ntfs3 C error done 22 99d 453d 0/26 upstream: reported C repro on 2023/03/01 23:29
linux-4.19 KASAN: use-after-free Read in ntfs_attr_find (2) C 1 456d 456d 0/1 upstream: reported C repro on 2023/02/26 02:15
linux-6.1 KASAN: use-after-free Read in ntfs_attr_find (2) origin:upstream missing-backport C inconclusive 2 11d 157d 0/3 upstream: reported C repro on 2023/12/22 04:54
linux-4.14 KASAN: use-after-free Read in ntfs_attr_find C done 4 1323d 1342d 1/1 fixed on 2020/11/12 10:36
linux-4.19 KASAN: use-after-free Read in ntfs_attr_find C done 13 1308d 1339d 1/1 fixed on 2020/11/27 11:32
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2023/01/26 05:57 22m bisect fix linux-4.14.y job log (0) log

Sample crash report:
ntfs: (device loop0): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
ntfs: (device loop0): parse_options(): Invalid mft_zone_multiplier. Using default value, i.e. 1.
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0xacd/0xc20 fs/ntfs/attrib.c:611
Read of size 2 at addr ffff888095409ab2 by task syz-executor216/7974

CPU: 0 PID: 7974 Comm: syz-executor216 Not tainted 4.14.295-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 ntfs_attr_find+0xacd/0xc20 fs/ntfs/attrib.c:611
 ntfs_attr_lookup+0xeca/0x1f30 fs/ntfs/attrib.c:1207
 ntfs_read_inode_mount+0x726/0x2060 fs/ntfs/inode.c:1879
 ntfs_fill_super+0x9a6/0x7170 fs/ntfs/super.c:2871
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f8b3de8aa7a
RSP: 002b:00007ffe1476d448 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8b3de8aa7a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe1476d460
RBP: 00007ffe1476d460 R08: 00007ffe1476d4a0 R09: 00007ffe1476d4b0
R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
R13: 00007ffe1476d4a0 R14: 0000000000000088 R15: 0000000020000ec0

Allocated by task 6274:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 getname_flags+0xc8/0x550 fs/namei.c:138
 user_path_at_empty+0x2a/0x50 fs/namei.c:2631
 SYSC_readlinkat fs/stat.c:393 [inline]
 SyS_readlinkat+0xa8/0x270 fs/stat.c:381
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 6274:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 putname+0xcd/0x110 fs/namei.c:259
 filename_lookup+0x37b/0x510 fs/namei.c:2386
 SYSC_readlinkat fs/stat.c:393 [inline]
 SyS_readlinkat+0xa8/0x270 fs/stat.c:381
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff888095408380
 which belongs to the cache names_cache of size 4096
The buggy address is located 1842 bytes to the right of
 4096-byte region [ffff888095408380, ffff888095409380)
The buggy address belongs to the page:
page:ffffea0002550200 count:1 mapcount:0 mapping:ffff888095408380 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888095408380 0000000000000000 0000000100000001
raw: ffffea0002cb2120 ffffea000257a3a0 ffff88823f8c1200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095409980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095409a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888095409a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888095409b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095409b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (31):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/10/07 22:58 linux-4.14.y 9d5c0b3a8e1a 79a59635 .config console log report syz C [disk image] [vmlinux] [mounted in repro] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2023/02/27 01:34 linux-4.14.y 7878a41b6cc1 ee50e71c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/03 18:31 linux-4.14.y 9d5c0b3a8e1a feb56351 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/09/25 01:28 linux-4.14.y 4edbf74132a4 0042f2b4 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/09/24 23:44 linux-4.14.y 4edbf74132a4 0042f2b4 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/09/24 17:58 linux-4.14.y 4edbf74132a4 0042f2b4 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/09/19 22:42 linux-4.14.y 5df8b4735177 dd9a85ff .config console log report syz C [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/25 16:19 linux-4.14.y 9d5c0b3a8e1a 45645420 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2022/10/12 11:49 linux-4.14.y 9d5c0b3a8e1a 02b6492e .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2022/09/29 16:28 linux-4.14.y 9d5c0b3a8e1a 45fd7169 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2022/09/21 04:56 linux-4.14.y 4edbf74132a4 c4b8ccfd .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2022/08/25 11:20 linux-4.14.y e548869f356f 514514f6 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: slab-out-of-bounds Read in ntfs_attr_find
2022/11/17 12:16 linux-4.14.y e911713e40ca 3a127a31 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/11/12 11:05 linux-4.14.y e911713e40ca f42ee5d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/11/08 20:03 linux-4.14.y a901bb6c7db7 060f945e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/11/02 04:08 linux-4.14.y a85772d7ba90 08977f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/30 20:46 linux-4.14.y 41f36d7859a7 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/30 20:45 linux-4.14.y 41f36d7859a7 2a71366b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/29 09:13 linux-4.14.y 41f36d7859a7 899d812a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/29 09:13 linux-4.14.y 41f36d7859a7 899d812a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/27 03:31 linux-4.14.y 41f36d7859a7 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/27 03:21 linux-4.14.y 41f36d7859a7 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/27 03:21 linux-4.14.y 41f36d7859a7 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/27 03:21 linux-4.14.y 41f36d7859a7 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: out-of-bounds Read in ntfs_attr_find
2022/10/24 01:50 linux-4.14.y 9d5c0b3a8e1a 23bf86af .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/21 14:58 linux-4.14.y 9d5c0b3a8e1a 63e790dd .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/10 04:02 linux-4.14.y 9d5c0b3a8e1a aea5da89 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/10 00:39 linux-4.14.y 9d5c0b3a8e1a aea5da89 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/10/06 15:48 linux-4.14.y 9d5c0b3a8e1a 80b58a42 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 BUG: unable to handle kernel paging request in ntfs_attr_find
2022/09/19 21:31 linux-4.14.y 5df8b4735177 dd9a85ff .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
2022/08/25 13:32 linux-4.14.y e548869f356f 514514f6 .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in ntfs_attr_find
* Struck through repros no longer work on HEAD.