syzbot


KASAN: out-of-bounds Read in leaf_paste_entries

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
Fix commit: 13d257503c09 reiserfs: check directory items on read from disk
First crash: 712d, last: 477d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: out-of-bounds Read in leaf_paste_entries (log)
Repro: C syz .config
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: out-of-bounds Read in leaf_paste_entries reiserfs C error 47 5d17h 805d 0/1 upstream: reported C repro on 2020/11/14 23:23
upstream KASAN: out-of-bounds Read in leaf_paste_entries (2) reiserfs C inconclusive inconclusive 133 4h52m 412d 0/24 upstream: reported C repro on 2021/12/13 19:20
linux-4.14 KASAN: out-of-bounds Read in leaf_paste_entries reiserfs C error 13 34d 846d 0/1 upstream: reported C repro on 2020/10/05 14:11
Last patch testing requests:
Created Duration User Patch Repo Result
2021/07/09 12:01 19m chouhan.shreyansh630@gmail.com patch linux-next OK
2021/07/09 04:02 19m chouhan.shreyansh630@gmail.com patch linux-next OK
2021/07/08 12:47 11m chouhan.shreyansh630@gmail.com patch linux-next report log
2021/06/23 16:37 11m chouhan.shreyansh630@gmail.com linux-next report log

Sample crash report:
REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using tea hash to sort names
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/fortify-string.h:207 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
Read of size 18446744073709551584 at addr ffff88804238ffa4 by task syz-executor219/8443

CPU: 0 PID: 8443 Comm: syz-executor219 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memmove+0x20/0x60 mm/kasan/shadow.c:54
 memmove include/linux/fortify-string.h:207 [inline]
 leaf_paste_entries+0x449/0x910 fs/reiserfs/lbalance.c:1377
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
 balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
 balance_leaf+0x951e/0xd8b0 fs/reiserfs/do_balan.c:1452
 do_balance+0x315/0x810 fs/reiserfs/do_balan.c:1888
 reiserfs_paste_into_item+0x762/0x8e0 fs/reiserfs/stree.c:2159
 reiserfs_add_entry+0x8cb/0xcf0 fs/reiserfs/namei.c:567
 reiserfs_mkdir+0x675/0x980 fs/reiserfs/namei.c:860
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x4de/0xb60 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x20fb/0x2e80 fs/reiserfs/super.c:2185
 mount_bdev+0x34d/0x410 fs/super.c:1368
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1498
 do_new_mount fs/namespace.c:2923 [inline]
 path_mount+0x134a/0x1fc0 fs/namespace.c:3253
 do_mount fs/namespace.c:3266 [inline]
 __do_sys_mount fs/namespace.c:3474 [inline]
 __se_sys_mount fs/namespace.c:3451 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3451
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x445b8a
Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd168486d8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd16848730 RCX: 0000000000445b8a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd168486f0
RBP: 00007ffd168486f0 R08: 00007ffd16848730 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007

The buggy address belongs to the page:
page:ffffea000108e3c0 refcount:3 mapcount:0 mapping:ffff8881454d1400 index:0x3d97 pfn:0x4238f
memcg:ffff888140144000
aops:def_blk_aops ino:700000
flags: 0xfff00000002022(referenced|active|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002022 0000000000000000 dead000000000122 ffff8881454d1400
raw: 0000000000003d97 ffff888041833740 00000003ffffffff ffff888140144000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 8443, ts 56740585754, free_ts 0
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4168
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
 __page_cache_alloc mm/filemap.c:1005 [inline]
 __page_cache_alloc+0x303/0x3a0 mm/filemap.c:990
 pagecache_get_page+0x357/0x18d0 mm/filemap.c:1885
 find_or_create_page include/linux/pagemap.h:420 [inline]
 grow_dev_page fs/buffer.c:949 [inline]
 grow_buffers fs/buffer.c:1014 [inline]
 __getblk_slow+0x217/0xb70 fs/buffer.c:1041
 __getblk_gfp+0x70/0x80 fs/buffer.c:1334
 sb_getblk include/linux/buffer_head.h:327 [inline]
 search_by_key+0x3a5/0x3cc0 fs/reiserfs/stree.c:672
 reiserfs_read_locked_inode+0x154/0x2160 fs/reiserfs/inode.c:1557
 reiserfs_fill_super+0x157a/0x2e80 fs/reiserfs/super.c:2081
 mount_bdev+0x34d/0x410 fs/super.c:1368
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1498
 do_new_mount fs/namespace.c:2923 [inline]
 path_mount+0x134a/0x1fc0 fs/namespace.c:3253
 do_mount fs/namespace.c:3266 [inline]
 __do_sys_mount fs/namespace.c:3474 [inline]
 __se_sys_mount fs/namespace.c:3451 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3451
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88804238fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88804238ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804238ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                               ^
 ffff888042390000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888042390080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-selinux-root 2021/06/08 22:46 upstream 368094df48e6 98682e5e .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2021/04/17 11:24 upstream 9cdbf6467424 98682e5e .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2021/03/18 07:49 upstream 6417f03132a6 98682e5e .config console log report syz C
* Struck through repros no longer work on HEAD.
Crashes (8):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-root 2021/08/23 07:03 upstream 1bdc3d5be7e1 b599f2fc .config console log report syz C KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root 2021/06/23 13:50 upstream 0c18f29aae7c aba2b2fb .config console log report syz C KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root 2021/02/16 07:29 upstream f40ddce88593 98682e5e .config console log report syz C KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-linux-next-kasan-gce-root 2021/10/09 07:39 linux-next 683f29b781ae efe0f24d .config console log report syz C KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-linux-next-kasan-gce-root 2021/06/12 10:09 linux-next a1f92694393a 1ba81399 .config console log report syz C KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-root 2021/06/28 23:14 upstream 62fb9874f5da 9d2ab5df .config console log report info KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-root 2021/05/08 21:43 upstream ab159ac569fd bc5434be .config console log report info KASAN: out-of-bounds Read in leaf_paste_entries
ci-upstream-kasan-gce-selinux-root 2021/02/16 05:57 upstream f40ddce88593 98682e5e .config console log report info KASAN: out-of-bounds Read in leaf_paste_entries
* Struck through repros no longer work on HEAD.