From: syzbot <syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com>
To: jack@suse.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [udf?] KASAN: use-after-free Read in udf_update_tag
Date: Sun, 15 Sep 2024 12:21:20 -0700
Message-ID: <00000000000071e9fb06222d5c17@google.com>
In-Reply-To: <0000000000003e572006202cb2ce@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: d42f7708e27c Merge tag 'for-linus-6.11' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12725407980000
kernel config: https://syzkaller.appspot.com/x/.config?x=61d235cb8d15001c
dashboard link: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11725407980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161797c7980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d42f7708.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/27fdaed14a4f/vmlinux-d42f7708.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f65db4a0147a/bzImage-d42f7708.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/35d929f5e424/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/5c402e34d952/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88804575c000 by task syz-executor293/5222
CPU: 0 UID: 0 PID: 5222 Comm: syz-executor293 Not tainted 6.11.0-rc7-syzkaller-00151-gd42f7708e27c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2146
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_extents+0x627/0x12d0 fs/udf/truncate.c:251
udf_setsize+0xe85/0x1280 fs/udf/inode.c:1289
udf_setattr+0x3c7/0x5d0 fs/udf/file.c:236
notify_change+0xbca/0xe90 fs/attr.c:503
do_truncate+0x220/0x310 fs/open.c:65
handle_truncate fs/namei.c:3381 [inline]
do_open fs/namei.c:3731 [inline]
path_openat+0x2ced/0x3470 fs/namei.c:3886
do_filp_open+0x235/0x490 fs/namei.c:3913
do_sys_openat2+0x13e/0x1d0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_creat fs/open.c:1507 [inline]
__se_sys_creat fs/open.c:1501 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1501
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f27b96eed79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f27b965d218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f27b9777728 RCX: 00007f27b96eed79
RDX: 00007f27b96c7596 RSI: 0000000000000004 RDI: 0000000020000240
RBP: 00007f27b9777720 R08: 00007ffdf39855a7 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f27b9743964
R13: 0031656c69662f2e R14: 00007f27b9742068 R15: 6f6f6c2f7665642f
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1a pfn:0x4575c
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea000115d748 ffffea00011567c8 0000000000000000
raw: 000000000000001a 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5220, tgid 5219 (syz-executor293), ts 100640669004, free_ts 100713641467
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3446
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4702
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2263
alloc_pages_noprof mm/mempolicy.c:2343 [inline]
folio_alloc_noprof+0x128/0x180 mm/mempolicy.c:2350
filemap_alloc_folio_noprof+0xdf/0x500 mm/filemap.c:1008
__filemap_get_folio+0x44e/0xc10 mm/filemap.c:1950
grow_dev_folio fs/buffer.c:1047 [inline]
grow_buffers fs/buffer.c:1113 [inline]
__getblk_slow fs/buffer.c:1139 [inline]
bdev_getblk+0x1d8/0x550 fs/buffer.c:1441
__bread_gfp+0x86/0x400 fs/buffer.c:1495
sb_bread include/linux/buffer_head.h:347 [inline]
udf_read_tagged+0xa6/0xe00 fs/udf/misc.c:199
udf_read_inode fs/udf/inode.c:1352 [inline]
__udf_iget+0x408/0x3e60 fs/udf/inode.c:1939
udf_iget fs/udf/udfdecl.h:152 [inline]
udf_lookup+0x1e9/0x2b0 fs/udf/namei.c:127
lookup_open fs/namei.c:3556 [inline]
open_last_lookups fs/namei.c:3647 [inline]
path_openat+0x11cc/0x3470 fs/namei.c:3883
do_filp_open+0x235/0x490 fs/namei.c:3913
do_sys_openat2+0x13e/0x1d0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_open fs/open.c:1439 [inline]
__se_sys_open fs/open.c:1435 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1435
page last free pid 5221 tgid 5219 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_folios+0x103a/0x1b00 mm/page_alloc.c:2667
folios_put_refs+0x76e/0x860 mm/swap.c:1039
folio_batch_release include/linux/pagevec.h:101 [inline]
mapping_try_invalidate+0x3b1/0x4f0 mm/truncate.c:515
loop_set_status+0x1ab/0x900 drivers/block/loop.c:1264
lo_ioctl+0xcc2/0x1f60
blkdev_ioctl+0x580/0x6b0 block/ioctl.c:676
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88804575bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804575bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804575c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88804575c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88804575c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Thread overview: 4+ messages
2024-08-21 7:43 [syzbot] [udf?] KASAN: use-after-free Read in udf_update_tag syzbot
2024-09-15 19:21 ` syzbot [this message]
2024-10-22 0:23 ` [syzbot] test repro if bug still valid syzbot
[not found] <96ad31d0-7b3a-468d-8525-5246124b7801@gmail.com>
2024-10-22 0:44 ` [syzbot] [udf?] KASAN: use-after-free Read in udf_update_tag syzbot