KASAN: use-after-free Read in ext4_xattr_set_entry


syzbot

Oct 31, 2019, 5:38:09 PM
Hello,

syzbot found the following crash on:

HEAD commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=170caa14e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=4e00aede6dbcb9c7d9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16524: comm
syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16524: comm
syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16524: comm
syz-fuzzer: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230
fs/ext4/xattr.c:1602
Read of size 4 at addr ffff88807ab550a6 by task syz-fuzzer/10821

CPU: 0 PID: 10821 Comm: syz-fuzzer Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:492 [inline]
security_inode_init_security+0x26d/0x360 security/security.c:465
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
SYSC_mkdirat fs/namei.c:3869 [inline]
SyS_mkdirat+0x1c2/0x210 fs/namei.c:3853
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x47c530
RSP: 002b:000000c4338cf4a8 EFLAGS: 00000216 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047c530
RDX: 00000000000001c0 RSI: 000000c425bba240 RDI: ffffffffffffff9c
RBP: 000000c4338cf508 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: ffffffffffffffff
R13: 0000000000000013 R14: 0000000000000012 R15: 0000000000000100

The buggy address belongs to the page:
page:ffffea0001ead540 count:0 mapcount:-127 mapping: (null)
index:0x1
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000001 00000000ffffff80
raw: ffffea0001e90ae0 ffffea0001ea8c20 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88807ab54f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807ab55000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88807ab55080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807ab55100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807ab55180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 13, 2019, 3:49:09 PM
syzbot has found a reproducer for the following crash on:

HEAD commit: a844dc4c Linux 4.14.158
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f51a1ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c02bef505ffc02ff
dashboard link: https://syzkaller.appspot.com/bug?extid=4e00aede6dbcb9c7d9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11adc40ae00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

bond0: Enslaving bond_slave_0 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230
fs/ext4/xattr.c:1602
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Read of size 4 at addr ffff88808db21183 by task syz-executor.3/6953

CPU: 1 PID: 6953 Comm: syz-executor.3 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
bond0: Enslaving bond_slave_1 as an active interface with an up link
ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:492 [inline]
security_inode_init_security+0x26d/0x360 security/security.c:465
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
SYSC_mkdirat fs/namei.c:3869 [inline]
SyS_mkdirat fs/namei.c:3853 [inline]
SYSC_mkdir fs/namei.c:3880 [inline]
SyS_mkdir+0x1b7/0x200 fs/namei.c:3878
kobject: 'veth0_to_team' (ffff8880998c49f0): kobject_add_internal:
parent: 'net', set: 'devices'
kobject: 'veth0_to_team' (ffff8880998c49f0): kobject_uevent_env
kobject: 'veth0_to_team' (ffff8880998c49f0): fill_kobj_path: path
= '/devices/virtual/net/veth0_to_team'
kobject: 'queues' (ffff8880a5bd5448): kobject_add_internal:
parent: 'veth0_to_team', set: '<NULL>'
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459d27
RSP: 002b:00007ffde2917fa8 EFLAGS: 00000202 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000000b6ae RCX: 0000000000459d27
RDX: 00007ffde2917ff3 RSI: 00000000000001ff RDI: 00007ffde2917ff0
kobject: 'queues' (ffff8880a5bd5448): kobject_uevent_env
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000003
kobject: 'queues' (ffff8880a5bd5448): kobject_uevent_env: filter function
caused the event to drop!
R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000003
kobject: 'rx-0' (ffff8880a0f7b3d0): kobject_add_internal: parent: 'queues',
set: 'queues'
R13: 00007ffde2917fe0 R14: 000000000000b672 R15: 00007ffde2917ff0

kobject: 'rx-0' (ffff8880a0f7b3d0): kobject_uevent_env
The buggy address belongs to the page:
page:ffffea000236c840 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea000242a6e0 ffffea000236d7e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88808db21080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808db21100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88808db21180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808db21200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808db21280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kobject: 'rx-0' (ffff8880a0f7b3d0): fill_kobj_path: path
= '/devices/virtual/net/veth0_to_team/queues/rx-0'
==================================================================

syzbot

Dec 16, 2019, 8:48:09 PM
syzbot has found a reproducer for the following crash on:

HEAD commit: a844dc4c Linux 4.14.158
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1102efdae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c02bef505ffc02ff
dashboard link: https://syzkaller.appspot.com/bug?extid=4e00aede6dbcb9c7d9d9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1373a0fee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16dc3499e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16496: comm
syz-executor526: corrupted xattr entries
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230
fs/ext4/xattr.c:1602
Read of size 4 at addr ffff88808681a483 by task syz-executor526/7015

CPU: 0 PID: 7015 Comm: syz-executor526 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
device hsr_slave_0 entered promiscuous mode
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:492 [inline]
security_inode_init_security+0x26d/0x360 security/security.c:465
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
SYSC_mkdirat fs/namei.c:3869 [inline]
SyS_mkdirat fs/namei.c:3853 [inline]
SYSC_mkdir fs/namei.c:3880 [inline]
SyS_mkdir+0x1b7/0x200 fs/namei.c:3878
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44cc57
RSP: 002b:00007ffdb7b64348 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000000bc1c RCX: 000000000044cc57
RDX: 00007ffdb7b643b3 RSI: 00000000000001ff RDI: 00007ffdb7b643b0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000003
R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000001
R13: 000000000040a5d0 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00021a0680 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea00021849e0 ffffea00025e2720 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88808681a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808681a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88808681a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808681a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808681a580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

syzbot

Mar 1, 2020, 11:48:03 PM
syzbot suspects this bug was fixed by commit:

commit 08e4a312439c294b9753166537baf3cc0bd6bb07
Author: Theodore Ts'o <[email protected]>
Date: Sun Dec 15 06:09:03 2019 +0000

ext4: validate the debug_want_extra_isize mount option at parse time

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12c452c3e00000
start commit: a844dc4c Linux 4.14.158
git tree: linux-4.14.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: ext4: validate the debug_want_extra_isize mount option at parse time

For information about bisection process see: https://goo.gl/tpsmEJ#bisection