[syzbot] [erofs?] KASAN: use-after-free Read in z_erofs_transform_plain (2)

[syzbot] [erofs?] KASAN: use-after-free Read in z_erofs_transform_plain (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8bf22c33e7a1 Merge tag 'net-7.0-rc1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=178f7ffa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=abe4fa590468dbfb
dashboard link: https://syzkaller.appspot.com/bug?extid=d988dc155e740d76a331
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=157fb95a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=102a9722580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/010f0532c934/disk-8bf22c33.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ed0946db3f63/vmlinux-8bf22c33.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ef1efd866885/bzImage-8bf22c33.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ca3875f86433/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1450c73a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d988dc155e740d76a331@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_to_page include/linux/highmem.h:552 [inline]
BUG: KASAN: slab-out-of-bounds in z_erofs_transform_plain+0x33c/0xa00 fs/erofs/decompressor.c:309
Read of size 4096 at addr ffff88803f175800 by task kworker/u9:2/5851

CPU: 1 UID: 0 PID: 5851 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: erofs_worker z_erofs_decompressqueue_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_to_page include/linux/highmem.h:552 [inline]
 z_erofs_transform_plain+0x33c/0xa00 fs/erofs/decompressor.c:309
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1297 [inline]
 z_erofs_decompress_queue+0x1af7/0x3740 fs/erofs/zdata.c:1410
 z_erofs_decompressqueue_work+0x88/0xe0 fs/erofs/zdata.c:1422
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
 worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803f175900 pfn:0x3f175
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88803f175900 fffffffffffffffc 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 6046, tgid 6046 (syz.1.18), ts 99298614076, free_ts 99297784595
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2485
 alloc_frozen_pages_noprof mm/mempolicy.c:2556 [inline]
 alloc_pages_noprof+0xce/0x1e0 mm/mempolicy.c:2576
 __erofs_allocpage+0x1a0/0x270 fs/erofs/zutil.c:190
 z_erofs_fill_bio_vec fs/erofs/zdata.c:1560 [inline]
 z_erofs_submit_queue fs/erofs/zdata.c:1728 [inline]
 z_erofs_runqueue+0xb2f/0x20f0 fs/erofs/zdata.c:1808
 z_erofs_readahead+0x8ad/0xc10 fs/erofs/zdata.c:1936
 read_pages+0x193/0x5a0 mm/readahead.c:163
 page_cache_ra_unbounded+0x704/0x9b0 mm/readahead.c:304
 do_page_cache_ra mm/readahead.c:334 [inline]
 page_cache_ra_order+0x2b5/0x4b0 mm/readahead.c:538
 filemap_readahead mm/filemap.c:2658 [inline]
 filemap_get_pages+0x832/0x1ea0 mm/filemap.c:2704
 filemap_read+0x44a/0x1240 mm/filemap.c:2800
 erofs_file_read_iter+0x249/0x2d0 fs/erofs/data.c:441
 __kernel_read+0x50d/0x9c0 fs/read_write.c:532
 integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
page last free pid 6046 tgid 6046 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xfe3/0x1170 mm/page_alloc.c:2978
 __folio_put+0x25d/0x310 mm/swap.c:112
 erofs_release_pages+0x1c9/0x270 fs/erofs/zutil.c:213
 z_erofs_decompressqueue_work fs/erofs/zdata.c:1423 [inline]
 z_erofs_decompress_kickoff+0x2aa/0x330 fs/erofs/zdata.c:1480
 z_erofs_submit_queue fs/erofs/zdata.c:1791 [inline]
 z_erofs_runqueue+0x1db8/0x20f0 fs/erofs/zdata.c:1808
 z_erofs_readahead+0x8ad/0xc10 fs/erofs/zdata.c:1936
 read_pages+0x193/0x5a0 mm/readahead.c:163
 page_cache_ra_unbounded+0x704/0x9b0 mm/readahead.c:304
 do_page_cache_ra mm/readahead.c:334 [inline]
 page_cache_ra_order+0x2b5/0x4b0 mm/readahead.c:538
 filemap_get_pages+0x47c/0x1ea0 mm/filemap.c:2690
 filemap_read+0x44a/0x1240 mm/filemap.c:2800
 erofs_file_read_iter+0x249/0x2d0 fs/erofs/data.c:441
 __kernel_read+0x50d/0x9c0 fs/read_write.c:532
 integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
 ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
 ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
 ima_calc_file_hash+0x12cf/0x1800 security/integrity/ima/ima_crypto.c:568
 ima_collect_measurement+0x491/0x930 security/integrity/ima/ima_api.c:294

Memory state around the buggy address:
 ffff88803f175f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803f176000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88803f176080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00
                                     ^
 ffff88803f176100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803f176180: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[PATCH] erofs: fix interlaced plain identification for encoded extents

[Gao Xiang]

Only plain data whose start position and on-disk physical length are
both aligned to the block size should be classified as interlaced
plain extents. Otherwise, it must be treated as shifted plain extents.

This issue was found by syzbot using a crafted compressed image
containing plain extents with unaligned physical lengths, which can
cause OOB read in z_erofs_transform_plain().

Reported-by: syzbot+d988dc155e740d76a331@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/699d5714.050a0220.cdd3c.03e7.GAE@google.com
Fixes: 1d191b4ca51d ("erofs: implement encoded extent metadata")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
 fs/erofs/zmap.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index c8d8e129eb4b..30775502b56d 100644
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -513,6 +513,7 @@ static int z_erofs_map_blocks_ext(struct inode *inode,
 	unsigned int recsz = z_erofs_extent_recsize(vi->z_advise);
 	erofs_off_t pos = round_up(Z_EROFS_MAP_HEADER_END(erofs_iloc(inode) +
 				   vi->inode_isize + vi->xattr_isize), recsz);
+	unsigned int bmask = sb->s_blocksize - 1;
 	bool in_mbox = erofs_inode_in_metabox(inode);
 	erofs_off_t lend = inode->i_size;
 	erofs_off_t l, r, mid, pa, la, lstart;
@@ -596,17 +597,17 @@ static int z_erofs_map_blocks_ext(struct inode *inode,
 			map->m_flags |= EROFS_MAP_MAPPED |
 				EROFS_MAP_FULL_MAPPED | EROFS_MAP_ENCODED;
 			fmt = map->m_plen >> Z_EROFS_EXTENT_PLEN_FMT_BIT;
+			if (map->m_plen & Z_EROFS_EXTENT_PLEN_PARTIAL)
+				map->m_flags |= EROFS_MAP_PARTIAL_REF;
+			map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;
 			if (fmt)
 				map->m_algorithmformat = fmt - 1;
-			else if (interlaced && !erofs_blkoff(sb, map->m_pa))
+			else if (interlaced && !((map->m_pa | map->m_plen) & bmask))
 				map->m_algorithmformat =
 					Z_EROFS_COMPRESSION_INTERLACED;
 			else
 				map->m_algorithmformat =
 					Z_EROFS_COMPRESSION_SHIFTED;
-			if (map->m_plen & Z_EROFS_EXTENT_PLEN_PARTIAL)
-				map->m_flags |= EROFS_MAP_PARTIAL_REF;
-			map->m_plen &= Z_EROFS_EXTENT_PLEN_MASK;
 		}
 	}
 	map->m_llen = lend - map->m_la;
-- 
2.43.5

Re: [syzbot] [erofs?] KASAN: use-after-free Read in z_erofs_transform_plain (2)

[Gao Xiang]

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test

Re: [syzbot] [erofs?] KASAN: use-after-free Read in z_erofs_transform_plain (2)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d988dc155e740d76a331@syzkaller.appspotmail.com
Tested-by: syzbot+d988dc155e740d76a331@syzkaller.appspotmail.com

Tested on:

commit:         f5436aa3 erofs: fix interlaced plain identification fo..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=16a8a394580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d91443204e48b7a1
dashboard link: https://syzkaller.appspot.com/bug?extid=d988dc155e740d76a331
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.