syzbot


KASAN: use-after-free Read in __xattr_check_inode

Status: auto-closed as invalid on 2019/03/02 14:11
First crash: 2033d, last: 2033d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __xattr_check_inode+0xbe/0xc0 fs/ext4/xattr.c:264
Read of size 4 at addr ffff8801964d7001 by task syz-executor4/18680

CPU: 0 PID: 18680 Comm: syz-executor4 Not tainted 4.14.67+ #1
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 __xattr_check_inode+0xbe/0xc0 fs/ext4/xattr.c:264
 ext4_xattr_ibody_find+0x256/0x420 fs/ext4/xattr.c:2190
 ext4_xattr_set_handle+0x441/0xd90 fs/ext4/xattr.c:2353
 ext4_xattr_set+0x19e/0x2f0 fs/ext4/xattr.c:2501
 __vfs_setxattr+0xf1/0x150 fs/xattr.c:150
 __vfs_setxattr_noperm+0xfd/0x3a0 fs/xattr.c:181
 vfs_setxattr+0xba/0xe0 fs/xattr.c:224
 setxattr+0x1c6/0x2b0 fs/xattr.c:453
 path_setxattr+0x13c/0x160 fs/xattr.c:472
 SYSC_setxattr fs/xattr.c:487 [inline]
 SyS_setxattr+0x36/0x50 fs/xattr.c:483
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457099
RSP: 002b:00007f3258510c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 00007f32585116d4 RCX: 0000000000457099
RDX: 0000000020000200 RSI: 00000000200001c0 RDI: 0000000020000180
RBP: 00000000009301e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000009 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d62b8 R14: 00000000004c357b R15: 0000000000000002

The buggy address belongs to the page:
page:ffffea00065935c0 count:0 mapcount:-127 mapping:          (null) index:0x1
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffff80
raw: ffffea000663eb60 ffffea00066a0c60 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801964d6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801964d6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801964d7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801964d7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801964d7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/03 14:05 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.