syzbot


KASAN: use-after-free Read in ext4_xattr_set_entry (2)

Status: fixed on 2020/02/14 01:19
Reported-by: syzbot+4a39a025912b265cacef@syzkaller.appspotmail.com
Fix commit: 9803387c55f7 ext4: validate the debug_want_extra_isize mount option at parse time
First crash: 1510d, last: 1075d

Cause bisection: introduced by (bisect log) :
commit 8835cae5f2abd7f7a3143afe357f416aff5517a4
Author: Chris Lapa <chris@lapa.com.au>
Date: Wed Jan 11 01:44:47 2017 +0000

  power: supply: bq27xxx: adds specific support for bq27520-g4 revision.

Crash: WARNING in batadv_mcast_mla_update (log)
Repro: C syz .config
similar bugs (12):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (3) C error 1 273d 758d 0/1 upstream: reported C repro on 2020/10/28 15:08
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 6 1121d 1177d 0/1 auto-closed as invalid on 2020/02/28 13:35
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 1 978d 978d 0/1 auto-closed as invalid on 2020/07/21 03:20
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 7 439d 897d 1/1 fixed on 2021/10/13 07:23
upstream KASAN: use-after-free Read in ext4_xattr_set_entry 1 1582d 1582d 0/24 closed as invalid on 2018/07/29 11:55
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry 4 1429d 1322d 0/1 auto-closed as invalid on 2019/06/26 01:15
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (5) 2 123d 181d 0/24 auto-obsoleted due to no activity on 2022/11/22 17:19
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (3) 4 874d 992d 0/24 auto-closed as invalid on 2020/11/02 08:32
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry syz done 10 1001d 1249d 1/1 fixed on 2020/03/30 09:03
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (4) C error done 21 277d 664d 22/24 fixed on 2022/03/28 10:17
android-54 KASAN: use-after-free Read in ext4_xattr_set_entry 6 841d 1022d 0/2 auto-closed as invalid on 2020/12/04 21:44
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry C done 9 1029d 1121d 1/1 fixed on 2020/03/01 21:06
Patch testing requests:
Created Duration User Patch Repo Result
2019/12/15 06:30 18m tytso@mit.edu patch https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git master OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x35de/0x3770 fs/ext4/xattr.c:1580
Read of size 4 at addr ffff888082265183 by task syz-executor968/9741

CPU: 1 PID: 9741 Comm: syz-executor968 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 ext4_xattr_set_entry+0x35de/0x3770 fs/ext4/xattr.c:1580
 ext4_xattr_ibody_set+0x80/0x2d0 fs/ext4/xattr.c:2216
 ext4_xattr_set_handle+0x933/0x1200 fs/ext4/xattr.c:2372
 ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
 security_inode_init_security security/security.c:996 [inline]
 security_inode_init_security+0x2c8/0x3b0 security/security.c:969
 ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
 __ext4_new_inode+0x4288/0x4f30 fs/ext4/ialloc.c:1155
 ext4_mkdir+0x3d5/0xe20 fs/ext4/namei.c:2774
 vfs_mkdir+0x42e/0x670 fs/namei.c:3819
 do_mkdirat+0x234/0x2a0 fs/namei.c:3842
 __do_sys_mkdir fs/namei.c:3858 [inline]
 __se_sys_mkdir fs/namei.c:3856 [inline]
 __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3856
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44c637
Code: 1f 40 00 b8 5a 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffedabe5578 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000001632d RCX: 000000000044c637
RDX: 00007ffedabe55e3 RSI: 00000000000001ff RDI: 00007ffedabe55e0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000003
R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000001
R13: 000000000040a180 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0002089940 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
raw: 00fffe0000000000 ffffea0002082c88 ffffea0002089908 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888082265080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888082265100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888082265180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888082265200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888082265280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (19):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/12/16 14:14 upstream 07c4b9e9f71a eef6e580 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/13 18:20 upstream ae4b064e2a61 08003f64 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/04 02:31 upstream 76bb8b05960c ae13a849 .config log report
ci-upstream-kasan-gce-smack-root 2019/11/17 14:57 upstream fe30021c36fb d5696d51 .config log report
ci-upstream-kasan-gce-smack-root 2019/11/05 05:54 upstream a99d8080aaf3 76630fc9 .config log report
ci-upstream-kasan-gce-selinux-root 2019/09/29 18:43 upstream 02dc96ef6c25 c1ad5441 .config log report
ci-upstream-kasan-gce-root 2019/08/30 20:52 upstream 6525771f58cb fd37b39e .config log report
ci-upstream-kasan-gce-selinux-root 2019/08/09 16:51 upstream b678c568c561 ede31a9b .config log report
ci-upstream-kasan-gce-smack-root 2019/06/30 18:31 upstream 6fbc7275c7a9 7509bf36 .config log report
ci-upstream-kasan-gce-root 2019/04/28 13:18 upstream 037904a22bf8 b617407b .config log report
ci-upstream-kasan-gce-selinux-root 2019/04/17 10:55 upstream 444fe9913539 b0e8efcb .config log report
ci-upstream-kasan-gce-smack-root 2019/03/04 23:58 upstream 736706bee329 7c693b52 .config log report
ci-upstream-kasan-gce-root 2019/01/05 20:03 upstream 3fed6ae4b027 53be0a37 .config log report
ci-upstream-kasan-gce-selinux-root 2019/01/05 15:07 upstream 3fed6ae4b027 53be0a37 .config log report
ci-upstream-kasan-gce-smack-root 2019/01/04 08:59 upstream 645ff1e8e704 7da23925 .config log report
ci-upstream-kasan-gce-root 2018/11/16 00:41 upstream da5322e65940 3a41052e .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/01 09:35 upstream 59fc453b21f7 1f38e9ae .config log report
ci-upstream-kasan-gce-selinux-root 2018/10/07 22:54 upstream fb1c592cf4c9 8b311eaf .config log report
ci-upstream-linux-next-kasan-gce-root 2019/04/28 19:52 linux-next 3ddfa8af5dc9 b617407b .config log report
* Struck through repros no longer work on HEAD.