KASAN: use-after-free Read in squashfs_get_id

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+a296f64433c9cfd55cc8@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, phillip@squashfs.org.uk,
	syzkaller-bugs@googlegroups.com
Subject: KASAN: use-after-free Read in squashfs_get_id
Date: Fri, 25 Sep 2020 09:12:22 -0700	[thread overview]
Message-ID: <000000000000eda45205b0259440@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    171d4ff7 Merge tag 'mmc-v5.9-rc4-2' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122ff481900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=af502ec9a451c9fc
dashboard link: https://syzkaller.appspot.com/bug?extid=a296f64433c9cfd55cc8
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a296f64433c9cfd55cc8@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in squashfs_get_id+0xb9/0x1c0 fs/squashfs/id.c:38
Read of size 8 at addr ffff88809daca0d8 by task syz-executor.1/31404

CPU: 0 PID: 31404 Comm: syz-executor.1 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 squashfs_get_id+0xb9/0x1c0 fs/squashfs/id.c:38
 squashfs_new_inode fs/squashfs/inode.c:51 [inline]
 squashfs_read_inode+0x155/0x2170 fs/squashfs/inode.c:120
 squashfs_fill_super+0x1478/0x1790 fs/squashfs/super.c:310
 get_tree_bdev+0x3e9/0x5f0 fs/super.c:1342
 vfs_get_tree+0x88/0x270 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x179d/0x29e0 fs/namespace.c:3192
 do_mount fs/namespace.c:3205 [inline]
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount+0x126/0x180 fs/namespace.c:3390
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x460bca
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 87 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 87 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f17af019a88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f17af019b20 RCX: 0000000000460bca
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f17af019ae0
RBP: 00007f17af019ae0 R08: 00007f17af019b20 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020000040

Allocated by task 23539:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x205/0x300 mm/slab.c:3664
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 tomoyo_encode2+0x25a/0x560 security/tomoyo/realpath.c:45
 tomoyo_encode security/tomoyo/realpath.c:80 [inline]
 tomoyo_realpath_from_path+0x5d6/0x630 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x1b6/0x900 security/tomoyo/file.c:771
 security_file_open+0x50/0xc0 security/security.c:1574
 do_dentry_open+0x36b/0x1010 fs/open.c:804
 do_open fs/namei.c:3251 [inline]
 path_openat+0x2794/0x3840 fs/namei.c:3368
 do_filp_open+0x191/0x3a0 fs/namei.c:3395
 do_sys_openat2+0x463/0x830 fs/open.c:1168
 do_sys_open fs/open.c:1184 [inline]
 __do_sys_open fs/open.c:1192 [inline]
 __se_sys_open fs/open.c:1188 [inline]
 __x64_sys_open+0x1af/0x1e0 fs/open.c:1188
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 23539:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x113/0x200 mm/slab.c:3756
 tomoyo_check_open_permission+0x6e2/0x900 security/tomoyo/file.c:786
 security_file_open+0x50/0xc0 security/security.c:1574
 do_dentry_open+0x36b/0x1010 fs/open.c:804
 do_open fs/namei.c:3251 [inline]
 path_openat+0x2794/0x3840 fs/namei.c:3368
 do_filp_open+0x191/0x3a0 fs/namei.c:3395
 do_sys_openat2+0x463/0x830 fs/open.c:1168
 do_sys_open fs/open.c:1184 [inline]
 __do_sys_open fs/open.c:1192 [inline]
 __se_sys_open fs/open.c:1188 [inline]
 __x64_sys_open+0x1af/0x1e0 fs/open.c:1188
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809daca0c0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 24 bytes inside of
 32-byte region [ffff88809daca0c0, ffff88809daca0e0)
The buggy address belongs to the page:
page:00000000f04bb05a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809dacafc1 pfn:0x9daca
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00024d0308 ffffea00028b2cc8 ffff8880aa440100
raw: ffff88809dacafc1 ffff88809daca000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809dac9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809daca000: fa fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
>ffff88809daca080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
                                                    ^
 ffff88809daca100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
 ffff88809daca180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

next             reply	other threads:[~2020-09-25 16:12 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-25 16:12 syzbot [this message]
2020-12-06  3:04 ` KASAN: use-after-free Read in squashfs_get_id syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000eda45205b0259440@google.com \
    --to=syzbot+a296f64433c9cfd55cc8@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=phillip@squashfs.org.uk \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.