syzbot


KASAN: use-after-free Read in ext4_xattr_set_entry
Status: fixed on 2020/03/30 09:03
Reported-by: syzbot+1634adac0cb6d2d930ef@syzkaller.appspotmail.com
Fix commit: cb1702c403ad ext4: validate the debug_want_extra_isize mount option at parse time
First crash: 1060d, last: 812d

Fix bisection: fixed by (bisect log) :
commit cb1702c403ad392a9ae6e090702a17cca98a38ca
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sun Dec 15 06:09:03 2019 +0000

  ext4: validate the debug_want_extra_isize mount option at parse time

similar bugs (11):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (3) C error 1 84d 569d 0/1 upstream: reported C repro on 2020/10/28 15:08
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 6 932d 988d 0/1 auto-closed as invalid on 2020/02/28 13:35
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 1 789d 789d 0/1 auto-closed as invalid on 2020/07/21 03:20
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 7 250d 708d 1/1 fixed on 2021/10/13 07:23
upstream KASAN: use-after-free Read in ext4_xattr_set_entry 1 1393d 1393d 0/22 closed as invalid on 2018/07/29 11:55
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry 4 1240d 1133d 0/1 auto-closed as invalid on 2019/06/26 01:15
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (3) 4 685d 803d 0/22 auto-closed as invalid on 2020/11/02 08:32
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (4) C error done 21 88d 475d 22/22 fixed on 2022/03/28 10:17
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 19 886d 1295d 16/22 fixed on 2020/02/14 01:19
android-54 KASAN: use-after-free Read in ext4_xattr_set_entry 6 652d 833d 0/2 auto-closed as invalid on 2020/12/04 21:44
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry C done 9 840d 932d 1/1 fixed on 2020/03/01 21:06

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x35e0/0x3770 fs/ext4/xattr.c:1604
Read of size 4 at addr ffff88807a263083 by task syz-executor.2/7742

CPU: 1 PID: 7742 Comm: syz-executor.2 Not tainted 4.19.89-syzkaller #0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
Call Trace:
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 ext4_xattr_set_entry+0x35e0/0x3770 fs/ext4/xattr.c:1604
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
 ext4_xattr_ibody_set+0x89/0x2c0 fs/ext4/xattr.c:2240
 ext4_xattr_set_handle+0x5d2/0x1010 fs/ext4/xattr.c:2396
 ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
 security_inode_init_security security/security.c:502 [inline]
 security_inode_init_security+0x2c8/0x3b0 security/security.c:475
 ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
 __ext4_new_inode+0x3b2f/0x52d0 fs/ext4/ialloc.c:1160
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16514: comm syz-executor.0: corrupted in-inode xattr
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
 ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3125
 vfs_symlink fs/namei.c:4126 [inline]
 vfs_symlink+0x373/0x5c0 fs/namei.c:4112
 do_symlinkat+0x22b/0x290 fs/namei.c:4153
8021q: adding VLAN 0 to HW filter on device batadv0
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
EXT4-fs error (device sda1): ext4_xattr_set_entry:1607: inode #16520: comm syz-executor.3: corrupted xattr entries
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a637
Code: 0f 1f 00 b8 5c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4d b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc19bc9ba8 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045a637
RDX: 00007ffc19bc9c47 RSI: 00000000004c0369 RDI: 00007ffc19bc9c30
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000017
R10: 0000000000000075 R11: 0000000000000202 R12: 0000000000000001
R13: 00007ffc19bc9be0 R14: 0000000000000000 R15: 00007ffc19bc9bf0

The buggy address belongs to the page:
page:ffffea0001e898c0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 ffffea0001e89c48 ffffea0001e80848 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807a262f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807a263000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88807a263080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88807a263100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807a263180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16514: comm syz-executor.0: corrupted in-inode xattr
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16512: comm syz-executor.1: corrupted in-inode xattr
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready

Crashes (10):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2019/12/13 12:48 linux-4.19.y 312017a460d5 2a752b7c .config log report syz
ci2-linux-4-19 2020/02/28 23:27 linux-4.19.y a083db76118d c88c7b75 .config log report
ci2-linux-4-19 2020/02/04 20:45 linux-4.19.y 32ee7492f104 93e5e335 .config log report
ci2-linux-4-19 2020/01/19 02:28 linux-4.19.y dc4ba5be1bab bc8bc756 .config log report
ci2-linux-4-19 2019/12/23 16:08 linux-4.19.y 672481c2deff be5c2c81 .config log report
ci2-linux-4-19 2019/12/09 05:24 linux-4.19.y fb683b5e3f53 1508f453 .config log report
ci2-linux-4-19 2019/12/05 20:13 linux-4.19.y fb683b5e3f53 9fd5a512 .config log report
ci2-linux-4-19 2019/10/24 16:37 linux-4.19.y c3038e718a19 d01bb02a .config log report
ci2-linux-4-19 2019/07/03 06:09 linux-4.19.y aec3002d07fd 55565fa0 .config log report
ci2-linux-4-19 2019/06/25 19:29 linux-4.19.y aec3002d07fd 0a8d1a96 .config log report