From: syzbot <syzbot+b4084c18420f9fad0b4f@syzkaller.appspotmail.com>
To: almaz.alexandrovich@paragon-software.com,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
nathan@kernel.org, ndesaulniers@google.com,
ntfs3@lists.linux.dev, syzkaller-bugs@googlegroups.com,
trix@redhat.com
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in ntfs_iget5
Date: Wed, 14 Sep 2022 10:14:34 -0700
Message-ID: <000000000000462c3d05e8a643e0@google.com>
In-Reply-To: <0000000000000149eb05dd3de8cc@google.com>

syzbot has found a reproducer for the following issue on:
HEAD commit: a6b443748715 Merge branch 'for-next/core', remote-tracking..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=15625dbf080000
kernel config: https://syzkaller.appspot.com/x/.config?x=14bf9ec0df433b27
dashboard link: https://syzkaller.appspot.com/bug?extid=b4084c18420f9fad0b4f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1482f778880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d9e35d080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4084c18420f9fad0b4f@syzkaller.appspotmail.com

ntfs3: loop0: Different NTFS' sector size (4096) and media sector size (512)
ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
Unable to handle kernel paging request at virtual address dead4ead00000010
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
[dead4ead00000010] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3051 Comm: syz-executor281 Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ntfs_iget5+0x88/0x138c fs/ntfs3/inode.c:502
lr : ntfs_iget5+0x78/0x138c fs/ntfs3/inode.c:500
sp : ffff80001275ba40
x29: ffff80001275bae0 x28: ffff0000cb374000 x27: ffff0000c90ce000
x26: ffff80001275bb70 x25: 0000000000000024 x24: ffff80000c1300b4
x23: ffff0000cb3761a8 x22: ffff0000ca8c8250 x21: ffff0000ca8c9708
x20: 0000000000000002 x19: ffff0000ca8c1a30 x18: 00000000000000c0
x17: ffff80000dd3a698 x16: ffff80000db78658 x15: ffff0000c71eb500
x14: ffff80000dd3a698 x13: ffff80000db78658 x12: ffff0000c71eb500
x11: ff80800008bf1798 x10: 0000000000000000 x9 : ffff0000c71eb500
x8 : dead4ead00000000 x7 : ffff8000085eb4a0 x6 : 0000000000000000
x5 : 0000000000000020 x4 : ffff80001275b690 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
ntfs_iget5+0x88/0x138c fs/ntfs3/inode.c:502
ntfs_fill_super+0xbe8/0x14a4 fs/ntfs/super.c:2902
get_tree_bdev+0x1e8/0x2a0 fs/super.c:1323
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1358
vfs_get_tree+0x40/0x140 fs/super.c:1530
do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
path_mount+0x358/0x914 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x18c/0x190
Code: 37180194 d108c268 f9400108 79400f54 (79402115)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 37180194 tbnz w20, #3, 0x30
4: d108c268 sub x8, x19, #0x230
8: f9400108 ldr x8, [x8]
c: 79400f54 ldrh w20, [x26, #6]
* 10: 79402115 ldrh w21, [x8, #16] <-- trapping instruction

Thread overview: 4+ messages
2022-04-22 13:07 [syzbot] KASAN: slab-out-of-bounds Read in ntfs_iget5 syzbot
2022-09-14 17:14 ` syzbot [this message]
2024-03-09 21:19 ` [syzbot] [ntfs3?] " syzbot
2024-03-11 16:23 ` Jan Kara