[syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com>
To: almaz.alexandrovich@paragon-software.com,
	linux-kernel@vger.kernel.org,  llvm@lists.linux.dev,
	nathan@kernel.org, ndesaulniers@google.com,
	 ntfs3@lists.linux.dev, syzkaller-bugs@googlegroups.com,
	trix@redhat.com
Subject: [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea
Date: Tue, 06 Sep 2022 09:55:30 -0700	[thread overview]
Message-ID: <0000000000005af92105e80510f2@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    e47eb90a0a9a Add linux-next specific files for 20220901
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13a9f455080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7933882276523081
dashboard link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1550d5e5080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173664d7080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com

ntfs3: loop0: Different NTFS' sector size (4096) and media sector size (512)
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: Failed to load $Extend.
==================================================================
BUG: KASAN: slab-out-of-bounds in unpacked_ea_size fs/ntfs3/xattr.c:26 [inline]
BUG: KASAN: slab-out-of-bounds in unpacked_ea_size fs/ntfs3/xattr.c:23 [inline]
BUG: KASAN: slab-out-of-bounds in find_ea fs/ntfs3/xattr.c:54 [inline]
BUG: KASAN: slab-out-of-bounds in find_ea fs/ntfs3/xattr.c:44 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_get_ea+0x5ca/0x620 fs/ntfs3/xattr.c:230
Read of size 1 at addr ffff88801b66abbd by task syz-executor378/3604

CPU: 0 PID: 3604 Comm: syz-executor378 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 unpacked_ea_size fs/ntfs3/xattr.c:26 [inline]
 unpacked_ea_size fs/ntfs3/xattr.c:23 [inline]
 find_ea fs/ntfs3/xattr.c:54 [inline]
 find_ea fs/ntfs3/xattr.c:44 [inline]
 ntfs_get_ea+0x5ca/0x620 fs/ntfs3/xattr.c:230
 ntfs_get_wsl_perm+0x117/0x360 fs/ntfs3/xattr.c:973
 ntfs_read_mft fs/ntfs3/inode.c:355 [inline]
 ntfs_iget5+0xe65/0x3280 fs/ntfs3/inode.c:501
 dir_search_u+0x36a/0x3f0 fs/ntfs3/dir.c:264
 ntfs_lookup+0x174/0x1e0 fs/ntfs3/namei.c:83
 __lookup_slow+0x24c/0x460 fs/namei.c:1685
 lookup_slow fs/namei.c:1702 [inline]
 walk_component+0x33f/0x5a0 fs/namei.c:1993
 lookup_last fs/namei.c:2450 [inline]
 path_lookupat+0x1ba/0x840 fs/namei.c:2474
 filename_lookup+0x1ce/0x590 fs/namei.c:2503
 vfs_statx+0x148/0x390 fs/stat.c:228
 do_statx+0xd9/0x160 fs/stat.c:629
 __do_sys_statx fs/stat.c:656 [inline]
 __se_sys_statx fs/stat.c:647 [inline]
 __x64_sys_statx+0x157/0x1b0 fs/stat.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0f3fb82519
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc68ced18 EFLAGS: 00000246 ORIG_RAX: 000000000000014c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f3fb82519
RDX: 0000000000000000 RSI: 0000000020003c40 RDI: 0000000000000005
RBP: 00007f0f3fb41d10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000080 R11: 0000000000000246 R12: 00007f0f3fb41da0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 3604:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 ____kasan_kmalloc mm/kasan/common.c:516 [inline]
 ____kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __do_kmalloc_node mm/slab_common.c:930 [inline]
 __kmalloc+0x54/0xc0 mm/slab_common.c:943
 kmalloc include/linux/slab.h:564 [inline]
 ntfs_read_ea+0x3e4/0x850 fs/ntfs3/xattr.c:110
 ntfs_get_ea+0x1ad/0x620 fs/ntfs3/xattr.c:222
 ntfs_get_wsl_perm+0x117/0x360 fs/ntfs3/xattr.c:973
 ntfs_read_mft fs/ntfs3/inode.c:355 [inline]
 ntfs_iget5+0xe65/0x3280 fs/ntfs3/inode.c:501
 dir_search_u+0x36a/0x3f0 fs/ntfs3/dir.c:264
 ntfs_lookup+0x174/0x1e0 fs/ntfs3/namei.c:83
 __lookup_slow+0x24c/0x460 fs/namei.c:1685
 lookup_slow fs/namei.c:1702 [inline]
 walk_component+0x33f/0x5a0 fs/namei.c:1993
 lookup_last fs/namei.c:2450 [inline]
 path_lookupat+0x1ba/0x840 fs/namei.c:2474
 filename_lookup+0x1ce/0x590 fs/namei.c:2503
 vfs_statx+0x148/0x390 fs/stat.c:228
 do_statx+0xd9/0x160 fs/stat.c:629
 __do_sys_statx fs/stat.c:656 [inline]
 __se_sys_statx fs/stat.c:647 [inline]
 __x64_sys_statx+0x157/0x1b0 fs/stat.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801b66ab80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 61 bytes inside of
 64-byte region [ffff88801b66ab80, ffff88801b66abc0)

The buggy address belongs to the physical page:
page:ffffea00006d9a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b66a
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001fc0040 dead000000000002 ffff888011841640
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2, tgid 2 (kthreadd), ts 6668566803, free_ts 0
 prep_new_page mm/page_alloc.c:2534 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4284
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5542
 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2280
 alloc_slab_page mm/slub.c:1721 [inline]
 allocate_slab+0x228/0x370 mm/slub.c:1866
 new_slab mm/slub.c:1919 [inline]
 ___slab_alloc+0xad0/0x1440 mm/slub.c:3100
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3198
 slab_alloc_node mm/slub.c:3283 [inline]
 __kmem_cache_alloc_node+0x18a/0x3d0 mm/slub.c:3356
 __do_kmalloc_node mm/slab_common.c:929 [inline]
 __kmalloc+0x44/0xc0 mm/slab_common.c:943
 kmalloc include/linux/slab.h:564 [inline]
 kzalloc include/linux/slab.h:695 [inline]
 lsm_task_alloc security/security.c:615 [inline]
 security_task_alloc+0x10b/0x250 security/security.c:1655
 copy_process+0x23de/0x7120 kernel/fork.c:2240
 kernel_clone+0xe7/0xab0 kernel/fork.c:2678
 kernel_thread+0xb5/0xf0 kernel/fork.c:2738
 create_kthread kernel/kthread.c:399 [inline]
 kthreadd+0x4ea/0x750 kernel/kthread.c:746
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801b66aa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801b66ab00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801b66ab80: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
                                        ^
 ffff88801b66ac00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801b66ac80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

next             reply	other threads:[~2022-09-06 16:55 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-06 16:55 syzbot [this message]
2022-09-12  3:41 ` [PATCH] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-12  6:16   ` kernel test robot
2022-09-12  6:16   ` kernel test robot
2022-09-19  5:19     ` [PATCH] fs/ntfs3: "add a boundary check for EA_FULL" lose right parenthesis eadavis
2022-09-19  5:19       ` eadavis
2022-09-19 10:42       ` Dan Carpenter
2022-09-19 10:42         ` Dan Carpenter
2022-09-19 11:19         ` [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL eadavis
2022-09-19 11:19           ` eadavis
2022-09-19 12:04           ` Dan Carpenter
2022-09-19 12:04             ` Dan Carpenter
2022-09-19 13:21             ` [PATCH v4] fs/ntfs3: Fix buffer overflow and integer overflow eadavis
2022-09-19 13:21               ` eadavis
2022-09-19 13:32             ` eadavis
2022-09-19 13:32               ` eadavis
2022-11-13  5:07               ` [PATCH v5] fs/ntfs3: Validate parameter bytes and valid size eadavis
2022-09-12  6:54 ` [PATCH v2] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-14 15:34   ` Dan Carpenter
2023-01-26  8:13 ` [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2023-04-12 13:11   ` Aleksandr Nogikh
     [not found] <20220928060450.1989643-1-eadavis@sina.com>
2022-09-28  6:16 ` syzbot
     [not found] <20220928062932.2003766-1-eadavis@sina.com>
2022-09-28  6:42 ` syzbot
     [not found] <20220928075253.2331824-1-eadavis@sina.com>
2022-09-28  8:11 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000005af92105e80510f2@google.com \
    --to=syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com \
    --cc=almaz.alexandrovich@paragon-software.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=ntfs3@lists.linux.dev \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=trix@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.