KASAN: use-after-free Read in ntfs_attr_find

Status: fixed on 2020/11/12 10:36
Fix commit: d2918cca649f ntfs: add check for mft record size in superblock
First crash: 858d, last: 839d

Fix bisection: fixed by (bisect log) :
commit d2918cca649f7457018f2c94176a8302e7a9f311
Author: Rustam Kovhaev <>
Date: Tue Oct 13 23:48:17 2020 +0000

  ntfs: add check for mft record size in superblock

similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ntfs_attr_find ntfs C done 73 22d 157d 23/24 upstream: reported C repro on 2022/08/25 18:25
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_attr_find (2) C 30 4d00h 157d 0/1 upstream: reported C repro on 2022/08/25 11:21
linux-4.19 KASAN: use-after-free Read in ntfs_attr_find C done 13 824d 855d 1/1 fixed on 2020/11/27 11:32

Sample crash report:
audit: type=1400 audit(1601537642.898:8): avc:  denied  { execmem } for  pid=6352 comm="syz-executor242" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
BUG: KASAN: use-after-free in ntfs_attr_find+0x8df/0xa10 fs/ntfs/attrib.c:613
Read of size 4 at addr ffff8880974f3d00 by task syz-executor242/6352

CPU: 1 PID: 6352 Comm: syz-executor242 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load_n_noabort+0x6b/0x80 mm/kasan/report.c:440
 ntfs_attr_find+0x8df/0xa10 fs/ntfs/attrib.c:613
 ntfs_attr_lookup+0xeca/0x1f30 fs/ntfs/attrib.c:1203
 ntfs_read_inode_mount+0x6b4/0x1fb0 fs/ntfs/inode.c:1867
 ntfs_fill_super+0x9a6/0x7170 fs/ntfs/super.c:2871
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0xe53/0x2a00 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3072
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
RIP: 0033:0x44753a
RSP: 002b:00007ffc0a8bb868 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc0a8bb8c0 RCX: 000000000044753a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc0a8bb880
RBP: 00007ffc0a8bb880 R08: 00007ffc0a8bb8c0 R09: 00007ffc00000015
R10: 0000000000000000 R11: 0000000000000287 R12: 000000000000003a
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

The buggy address belongs to the page:
page:ffffea00025d3cc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880974f3c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880974f3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880974f3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880974f3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880974f3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Crashes (4):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2020/10/01 07:35 linux-4.14.y cbfa1702aaf6 a9767fb2 .config console log report syz C
ci2-linux-4-14 2020/10/12 16:37 linux-4.14.y cbfa1702aaf6 d32b0bbf .config console log report info
ci2-linux-4-14 2020/09/30 11:47 linux-4.14.y cbfa1702aaf6 8516f6d3 .config console log report info
ci2-linux-4-14 2020/09/23 11:30 linux-4.14.y cbfa1702aaf6 287cd75a .config console log report info
* Struck through repros no longer work on HEAD.