syzbot


KASAN: use-after-free Read in ext4_xattr_set_entry

Status: fixed on 2020/03/01 21:06
Reported-by: syzbot+4e00aede6dbcb9c7d9d9@syzkaller.appspotmail.com
Fix commit: 08e4a312439c ext4: validate the debug_want_extra_isize mount option at parse time
First crash: 1122d, last: 1030d

Fix bisection: fixed by:
commit 08e4a312439c294b9753166537baf3cc0bd6bb07
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sun Dec 15 06:09:03 2019 +0000

  ext4: validate the debug_want_extra_isize mount option at parse time

similar bugs (12):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (3) C error 1 274d 759d 0/1 upstream: reported C repro on 2020/10/28 15:08
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 6 1122d 1178d 0/1 auto-closed as invalid on 2020/02/28 13:35
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 1 979d 979d 0/1 auto-closed as invalid on 2020/07/21 03:20
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 7 440d 898d 1/1 fixed on 2021/10/13 07:23
upstream KASAN: use-after-free Read in ext4_xattr_set_entry 1 1583d 1583d 0/24 closed as invalid on 2018/07/29 11:55
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry 4 1430d 1323d 0/1 auto-closed as invalid on 2019/06/26 01:15
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (5) 2 124d 182d 0/24 auto-obsoleted due to no activity on 2022/11/22 17:19
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (3) 4 874d 993d 0/24 auto-closed as invalid on 2020/11/02 08:32
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry syz done 10 1002d 1250d 1/1 fixed on 2020/03/30 09:03
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (4) C error done 21 278d 665d 22/24 fixed on 2022/03/28 10:17
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (2) C done 19 1076d 1485d 16/24 fixed on 2020/02/14 01:19
android-54 KASAN: use-after-free Read in ext4_xattr_set_entry 6 842d 1023d 0/2 auto-closed as invalid on 2020/12/04 21:44

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16496: comm syz-executor526: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
Read of size 4 at addr ffff88808681a483 by task syz-executor526/7015

CPU: 0 PID: 7015 Comm: syz-executor526 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
device hsr_slave_0 entered promiscuous mode
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
 ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
 ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
 ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
 security_inode_init_security security/security.c:492 [inline]
 security_inode_init_security+0x26d/0x360 security/security.c:465
 ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
 __ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
 ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
 vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
 SYSC_mkdirat fs/namei.c:3869 [inline]
 SyS_mkdirat fs/namei.c:3853 [inline]
 SYSC_mkdir fs/namei.c:3880 [inline]
 SyS_mkdir+0x1b7/0x200 fs/namei.c:3878
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44cc57
RSP: 002b:00007ffdb7b64348 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000000bc1c RCX: 000000000044cc57
RDX: 00007ffdb7b643b3 RSI: 00000000000001ff RDI: 00007ffdb7b643b0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000003
R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000001
R13: 000000000040a5d0 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00021a0680 count:0 mapcount:0 mapping:          (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea00021849e0 ffffea00025e2720 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808681a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808681a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808681a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88808681a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808681a580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (9):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2019/12/16 17:47 linux-4.14.y a844dc4c5442 0ae38e44 .config log report syz C
ci2-linux-4-14 2019/12/13 12:48 linux-4.14.y a844dc4c5442 2a752b7c .config log report syz
ci2-linux-4-14 2020/01/31 17:11 linux-4.14.y 9fa690a2a016 5ed23f9a .config log report
ci2-linux-4-14 2020/01/10 09:36 linux-4.14.y b0cdffaa546e 4de4e9f0 .config log report
ci2-linux-4-14 2019/12/28 06:47 linux-4.14.y e1f7d50ae3a3 be5c2c81 .config log report
ci2-linux-4-14 2019/12/25 22:01 linux-4.14.y e1f7d50ae3a3 be5c2c81 .config log report
ci2-linux-4-14 2019/12/15 16:18 linux-4.14.y a844dc4c5442 eef6e580 .config log report
ci2-linux-4-14 2019/12/13 10:09 linux-4.14.y a844dc4c5442 2a752b7c .config log report
ci2-linux-4-14 2019/10/31 13:37 linux-4.14.y ddef1e8e3f6e a41ca8fa .config log report