KASAN: use-after-free Read in __ext4_check_dir_entry

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	tytso@mit.edu
Subject: KASAN: use-after-free Read in __ext4_check_dir_entry
Date: Sat, 31 Mar 2018 13:47:06 -0700	[thread overview]
Message-ID: <089e0825cec8b70cc70568bb75d9@google.com> (raw)

Hello,

syzbot hit the following crash on upstream commit
9dd2326890d89a5179967c947dab2bab34d7ddee (Fri Mar 30 17:29:47 2018 +0000)
Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=1236ce66f79263e8a862

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6171830884761600
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5341633302233088
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6080954745487360
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-2760467897697295172
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2de/0x320  
fs/ext4/dir.c:69
Read of size 2 at addr ffff8801b80bf000 by task syzkaller432828/4365

CPU: 1 PID: 4365 Comm: syzkaller432828 Not tainted 4.16.0-rc7+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
  __ext4_check_dir_entry+0x2de/0x320 fs/ext4/dir.c:69
  ext4_readdir+0xd00/0x3600 fs/ext4/dir.c:237
  iterate_dir+0x1ca/0x530 fs/readdir.c:51
  SYSC_getdents64 fs/readdir.c:314 [inline]
  SyS_getdents64+0x221/0x420 fs/readdir.c:295
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd69
RSP: 002b:00007ffc446ac118 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd69
RDX: 00000000200015fc RSI: 0000000020001540 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401690
R13: 0000000000401720 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006e02fc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0006c095a0 ffffea0006e03020 ffff8801be5f2a50 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801b80bef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8801b80bef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801b80bf000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                    ^
  ffff8801b80bf080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ffff8801b80bf100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

next             reply	other threads:[~2018-03-31 20:47 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-31 20:47 syzbot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-03-31 20:47 KASAN: use-after-free Read in __ext4_check_dir_entry syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=089e0825cec8b70cc70568bb75d9@google.com \
    --to=syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.