linux-fsdevel.vger.kernel.org archive mirror
* KASAN: slab-out-of-bounds Read in hfsplus_bnode_read in v6.14-rc4 kernel
@ 2025-03-03  1:52 Strforexc yn
  2025-03-03  3:59 ` Matthew Wilcox
  0 siblings, 1 reply; 2+ messages in thread
From: Strforexc yn @ 2025-03-03  1:52 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 9547 bytes --]

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the
following crash was triggered.

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config : https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: attachment
Reproduce: attachment

KASAN detects a slab-out-of-bounds read of size 8 at address
ffff888044c23ac0 in hfsplus_bnode_read (fs/hfsplus/bnode.c:32) during
a rename operation. Preceding logs report: hfsplus: request for
non-existent node 65030 in B*Tree.

Location: The fault occurs in hfsplus_bnode_read at
memcpy_from_page(buf, *pagep, off, l), where *pagep accesses memory
beyond the node->page array.
Cause: Likely due to:
1. Invalid Offset: off + node->page_offset exceeds the allocated
node->page size, possibly from a corrupted struct hfs_bnode (node
65030 is non-existent).
2. Undersized Allocation: node->page (152 bytes) may not accommodate
the required page pointers for the requested offset.

Context: Syzkaller’s renameat2 on an HFS+ filesystem likely introduced
malformed metadata, corrupting the B-tree and triggering the invalid
node access.


Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.

If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@foxmail.com>, Jianzhou
Zhao <xnxc22xnxc22@qq.com>, Haoran Liu <cherest_san@163.com>


hfsplus: request for non-existent node 65030 in B*Tree
hfsplus: request for non-existent node 65030 in B*Tree
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x23e/0x260 fs/hfsplus/bnode.c:32
Read of size 8 at addr ffff888044c23ac0 by task syz.1.178/13668

CPU: 1 UID: 0 PID: 13668 Comm: syz.1.178 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x420 mm/kasan/report.c:408
 print_report+0xaa/0x270 mm/kasan/report.c:521
 kasan_report+0xbd/0x100 mm/kasan/report.c:634
 hfsplus_bnode_read+0x23e/0x260 fs/hfsplus/bnode.c:32
 hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:45 [inline]
 hfsplus_bnode_dump+0x2c6/0x3b0 fs/hfsplus/bnode.c:321
 hfsplus_brec_remove+0x3e7/0x4f0 fs/hfsplus/brec.c:229
 __hfsplus_delete_attr+0x296/0x3b0 fs/hfsplus/attributes.c:299
 hfsplus_delete_all_attrs+0x26d/0x330 fs/hfsplus/attributes.c:378
 hfsplus_delete_cat+0x87b/0xe70 fs/hfsplus/catalog.c:425
 hfsplus_unlink+0x1cd/0x7c0 fs/hfsplus/dir.c:385
 hfsplus_rename+0xc2/0x220 fs/hfsplus/dir.c:547
 vfs_rename+0x118f/0x1ab0 fs/namei.c:5069
 do_renameat2+0xb28/0xd60 fs/namei.c:5226
 __do_sys_renameat2 fs/namei.c:5260 [inline]
 __se_sys_renameat2 fs/namei.c:5257 [inline]
 __x64_sys_renameat2+0xe7/0x140 fs/namei.c:5257
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f130c5b85ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f130d48af98 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
RAX: ffffffffffffffda RBX: 00007f130c845fa0 RCX: 00007f130c5b85ad
RDX: 0000000000000004 RSI: 00004000000000c0 RDI: 0000000000000005
RBP: 00007f130c66a8d6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000400000000180 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f130c845fa0 R15: 00007f130d46b000
 </TASK>

Allocated by task 13668:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x40 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xba/0xc0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_noprof+0x212/0x580 mm/slub.c:4306
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 __hfs_bnode_create+0x107/0x850 fs/hfsplus/bnode.c:409
 hfsplus_bnode_find+0x424/0xc70 fs/hfsplus/bnode.c:486
 hfsplus_brec_find+0x2b3/0x540 fs/hfsplus/bfind.c:172
 hfsplus_find_attr+0xf7/0x180 fs/hfsplus/attributes.c:153
 __hfsplus_getxattr+0x2cf/0x5f0 fs/hfsplus/xattr.c:520
 hfsplus_getxattr+0xc9/0x140 fs/hfsplus/xattr.c:588
 hfsplus_security_getxattr+0x3a/0x60 fs/hfsplus/xattr_security.c:20
 __vfs_getxattr+0x13f/0x1b0 fs/xattr.c:423
 smk_fetch+0xe6/0x180 security/smack/smack_lsm.c:290
 smack_d_instantiate+0x434/0xbb0 security/smack/smack_lsm.c:3599
 security_d_instantiate+0x142/0x1a0 security/security.c:4079
 d_splice_alias+0x91/0x860 fs/dcache.c:3017
 hfsplus_lookup+0x652/0x890 fs/hfsplus/dir.c:124
 lookup_one_qstr_excl+0x12b/0x190 fs/namei.c:1693
 do_renameat2+0x671/0xd60 fs/namei.c:5167
 __do_sys_renameat2 fs/namei.c:5260 [inline]
 __se_sys_renameat2 fs/namei.c:5257 [inline]
 __x64_sys_renameat2+0xe7/0x140 fs/namei.c:5257
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888044c23a00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 40 bytes to the right of
 allocated 152-byte region [ffff888044c23a00, ffff888044c23a98)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44c23
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801b4413c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid
1 (swapper/0), ts 13955582992, free_ts 13944852717
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1a3/0x1d0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x8a5/0xfa0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1d8/0x3b0 mm/page_alloc.c:4739
 alloc_pages_mpol+0x1f2/0x550 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x229/0x310 mm/slub.c:2587
 ___slab_alloc+0x7f3/0x12b0 mm/slub.c:3826
 __slab_alloc.constprop.0+0x56/0xc0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 __kmalloc_cache_noprof+0x280/0x450 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 call_usermodehelper_setup+0x9c/0x350 kernel/umh.c:362
 kobject_uevent_env+0x76c/0xa70 lib/kobject_uevent.c:628
 device_add+0xbf3/0x1490 drivers/base/core.c:3646
 usb_set_configuration+0x11a5/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xbf/0x120 drivers/usb/core/generic.c:250
 usb_probe_device+0xed/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x252/0xaa0 drivers/base/dd.c:658
 __driver_probe_device+0x1df/0x460 drivers/base/dd.c:800
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x71f/0xff0 mm/page_alloc.c:2660
 __put_partials+0x13b/0x190 mm/slub.c:3153
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x50/0x130 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a5/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x6f/0xa0 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4115 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x15a/0x450 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 kobject_uevent_env+0x23b/0xa70 lib/kobject_uevent.c:540
 device_add+0xbf3/0x1490 drivers/base/core.c:3646
 device_create_groups_vargs+0x215/0x290 drivers/base/core.c:4347
 device_create+0xe0/0x130 drivers/base/core.c:4386
 mon_bin_add+0xbb/0x190 drivers/usb/mon/mon_bin.c:1370
 mon_bus_init+0x18e/0x320 drivers/usb/mon/mon_main.c:291
 mon_bus_add drivers/usb/mon/mon_main.c:188 [inline]
 mon_notify+0x324/0x480 drivers/usb/mon/mon_main.c:219
 notifier_call_chain+0xd7/0x250 kernel/notifier.c:85
 blocking_notifier_call_chain+0x6b/0xb0 kernel/notifier.c:380
 usb_register_bus drivers/usb/core/hcd.c:908 [inline]
 usb_add_hcd+0x4a8/0x1770 drivers/usb/core/hcd.c:2865

Memory state around the buggy address:
 ffff888044c23980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888044c23a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888044c23a80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888044c23b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888044c23b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
Thanks,
Zhizhuo Tang

[-- Attachment #2: repro.cprog --]
[-- Type: application/octet-stream, Size: 20375 bytes --]

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE 

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/loop.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static unsigned long long procid;

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:

//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty.  In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//%    claim that you wrote the original software. If you use this software
//%    in a product, an acknowledgment in the product documentation would be
//%    appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//%    misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler    madler@alumni.caltech.edu

//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) ||
	    s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}
struct puff_huffman {
	short* count;
	short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}
static int puff_codes(struct puff_state* s,
		      const struct puff_huffman* lencode,
		      const struct puff_huffman* distcode)
{
	static const short lens[29] = {
				       3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
				       35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
				       0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
				       3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {
					1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
					257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
					8193, 12289, 16385, 24577};
	static const short dext[30] = {
				       0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
				       7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
				       12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
	static const short order[19] =
	    {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9;
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}
static int puff(
    unsigned char* dest,
    unsigned long* destlen,
    const unsigned char* source,
    unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

/* Inflate a zlib stream into dest_fd with the embedded puff decoder. The
 * 2-byte zlib header is skipped and no checksum is verified; output is
 * capped at 132 MiB. */
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

/* Inflate the compressed image into a memfd and attach it to loopname.
 * If the loop device is busy, it is cleared once and the attach retried. */
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

/* syzkaller's mount helper: when size != 0 the image is attached to
 * /dev/loop<procid> and mounted on dir (with per-fs option tweaks),
 * the caller optionally chdirs into it, and LOOP_CLR_FD is then issued
 * on the loop device with the result ignored. */
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}

error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

int main(void)
{
	/* Reserve the fixed address ranges the generated program uses: a guard
	 * page below, a 16 MiB RWX data area at 0x400000000000 and a guard page
	 * above. All strings and the image are copied into the data area. */
	syscall(__NR_mmap, /*addr=*/0x3ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x400000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x400001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	const char* reason;
	(void)reason;
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {}
	/* Filesystem type, mount point, and the zlib-compressed HFS+ image
	 * (1606 bytes compressed; syz_mount_image inflates it onto /dev/loop0,
	 * where repro.log shows it as a 1024-sector device). */
	memcpy((void*)0x400000000600, "hfsplus\000", 8);
	memcpy((void*)0x400000000200, "./bus\000", 6);
memcpy((void*)0x400000000640, "\x78\x9c\xec\xdd\xcf\x6f\x1c\x67\xfd\x07\xf0\xf7\xac\x1d\x27\x9b\x6f\xbf\xae\x9b\x26\x6d\x8a\x2a\xd5\x6a\x24\x40\x58\x24\xfe\x21\x17\xcc\x85\x80\x10\xf2\xa1\x42\x55\x39\x70\xb6\x12\xa7\xb1\xb2\x49\x8b\xed\x22\xb7\x42\xd4\xfc\xbe\xf6\xd0\x3f\xa0\x1c\x7c\xe3\x80\x90\xb8\x47\x2a\x17\x2e\x20\x2e\xbd\xfa\x58\x09\x89\x4b\x2f\x98\xd3\xa2\x99\x9d\xb5\x37\xfe\xd5\x75\x71\xbc\x9b\xf2\x7a\x45\xb3\xcf\x33\xf3\xcc\x3c\xcf\xe7\xf9\xcc\xce\xce\xee\x46\xd6\x06\xf8\x9f\xb5\x38\x95\xd1\x87\x29\xb2\x38\xf5\xea\x46\xb9\xbe\xbd\x35\xd7\xda\xde\x9a\xbb\xdf\xad\x27\x39\x9f\xa4\x91\x8c\x76\x8a\x14\xff\x6a\xb7\xdb\x1f\x25\x37\xd3\x59\xf2\x42\xb9\xb1\xee\xae\x38\x6a\x9c\x0f\x56\x16\x5e\xff\xf8\xd3\xed\x4f\x3a\x6b\xa3\xf5\x52\xed\xdf\x38\xee\xb8\xfe\x6c\xd6\x4b\x26\x93\x8c\xd4\x65\xff\x0e\x8c\xfe\x48\x7f\xb7\x4e\xdc\xdf\x61\xfd\x77\xc6\x28\x13\x76\xad\x9b\x38\x18\xb4\x73\x49\xda\x8f\xf8\xf1\x5f\x9e\xda\x6d\xe9\xd1\x3c\xec\xe8\x0b\x67\x12\x23\xf0\x78\x15\x9d\xfb\xe6\x01\x13\xc9\xc5\xfa\x42\x2f\xdf\x07\x74\xee\x8a\x9d\x7b\xf6\x13\x6d\x73\xd0\x01\x00\x00\x00\xc0\x19\x78\x7a\x27\x3b\xd9\xc8\xf8\xa0\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x27\x49\xfd\xfb\xff\x45\xbd\x34\xba\xf5\xc9\x14\xdd\xdf\xff\x1f\xab\xb7\xa5\xae\x0f\x97\x97\x4e\xb6\xfb\xc3\xc7\x15\x07\x00\x00\x00\x00\x00\x00\x00\x9c\xa1\x97\x76\xb2\x93\x8d\x8c\x27\x9b\xd5\x7a\xbb\xa8\xfe\xcf\xff\xe5\x6a\xe5\x72\xf5\xf8\x7f\x79\x3b\x6b\x59\xce\x6a\xae\x67\x23\x4b\x59\xcf\x7a\x56\x33\x93\x64\xa2\xa7\xa3\xb1\x8d\xa5\xf5\xf5\xd5\x99\x3e\x8e\x9c\x3d\xf4\xc8\xd9\xcf\x08\xf4\x7c\x5d\x36\x4f\x6d\xea\x00\x00\x00\x00\x00\x00\x00\xf0\x45\xf2\x8b\x2c\x66\x7c\xd0\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\xaf\x22\x19\xe9\x14\xd5\x72\xb9\x5b\x9f\x48\x63\x34\xc9\x85\x24\x63\xe5\x7e\x9b\xc9\xdf\xba\xf5\
x27\xd9\xc3\x41\x07\x00\x00\x00\x00\x67\xe0\xe9\x9d\xec\x64\x23\xe3\xdd\xf5\x76\x51\x7d\xe6\x7f\xae\xfa\xdc\x7f\x21\x6f\xe7\x41\xd6\xb3\x92\xf5\xb4\xb2\x9c\xdb\xd5\x77\x01\x9d\x4f\xfd\x8d\xed\xad\xb9\xd6\xf6\xd6\xdc\xfd\x72\x39\xd8\xef\x77\xfe\x79\xa2\x30\xaa\x1e\xd3\xf9\xee\xe1\xf0\x91\xaf\x56\x7b\x34\x73\x27\x2b\xd5\x96\xeb\xb9\x95\x37\xd3\xca\xed\x34\xaa\x23\x4b\x57\xbb\xf1\x1c\x1e\xd7\xcf\xcb\x98\x8a\x6f\xd7\xfa\x8c\xec\x76\x5d\x96\x33\x7f\xbf\x2e\x0f\x78\xef\x44\x93\x3d\xca\x09\xbf\x4c\x99\xa8\x32\x72\x6e\x37\x23\xd3\x75\x6c\x65\x36\x9e\x39\x3e\x13\x27\x3c\x3b\xfb\x47\x9a\x49\x63\x37\xd8\xcb\xfb\x46\xda\x37\x89\xcf\x95\xf3\x8b\x75\x59\xce\xe7\x37\x47\xe5\x7c\x20\xf6\x67\x62\xb6\xe7\xd9\xf7\xdc\xf1\x39\x4f\xbe\xf2\xa7\xdf\xff\xe8\x6e\xeb\xc1\xbd\xbb\x77\xd6\xa6\x86\x67\x4a\xfd\x19\xa9\xcb\x76\x77\xc3\xfe\x4c\xcc\xf5\x64\xe2\xf9\x2f\x72\x26\x0e\x98\xae\x32\x71\x65\x77\x7d\x31\xdf\xcf\x0f\x33\x95\xc9\xbc\x96\xd5\xac\xe4\x27\x59\xca\x7a\x96\x33\x99\xef\x55\xb5\xa5\xfa\xf9\x5c\xf4\x5c\xf2\x47\x64\xea\xe6\x23\x6b\xaf\x7d\x56\x24\x63\xf5\x79\xe9\x9c\xac\x93\xc5\xf4\x72\x75\xec\x78\x56\xf2\x83\xbc\x99\xdb\x59\xce\x2b\xd5\xbf\xd9\xcc\xe4\x1b\x99\xcf\x7c\x16\x7a\xce\xf0\x95\x3e\x5e\x69\x1b\x47\x5c\xf5\xed\xff\x3f\x34\xf8\x6b\x5f\xad\x2b\xcd\x24\xbf\xad\xcb\xe1\x50\xe6\xf5\x99\x9e\xbc\xf6\xbe\xe6\x4e\x54\x6d\xbd\x5b\xf6\xb2\x74\xe9\xf4\xef\x47\xa3\x5f\xaa\x2b\xe5\x18\xbf\xac\xcb\xe1\xb0\x3f\x13\x33\x3d\x99\x78\xf6\xf8\x4c\xfc\xae\x7a\x59\x59\x6b\x3d\xb8\xb7\x7a\x77\xe9\xad\xfe\x86\xbb\xf4\x7e\x5d\x29\xaf\xa3\x5f\x0f\xd5\x5d\xa2\x7c\xbe\x5c\x2a\x4f\x56\xb5\xf6\xe8\xb3\xa3\x6c\x7b\xf6\xd0\xb6\x99\xaa\xed\xf2\x6e\x5b\xe3\x40\xdb\x95\xdd\xb6\xce\x95\xba\x79\xe4\x95\x3a\x56\xbf\x87\x3b\xd8\xd3\x6c\xd5\xf6\xfc\xa1\x6d\x73\x55\xdb\xd5\x9e\xb6\xc3\xde\x6f\x01\x30\xf4\x2e\x7e\xed\xe2\x58\xf3\x1f\xcd\xbf\x36\x3f\x6c\xfe\xaa\x79\xb7\xf9\xea\x85\xef\x9e\xff\xe6\xf9\x17\xc7\x72\xee\xcf\xe7\xbe\x35\x3a\x3d\xf2\xe5\xc6\x8b\xc5\x1f\xf3\x61\x7e\xb6\xf7\xf9\x1f\x00\x00\x00\x00\x00\x00\x00\
x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\xfc\xd6\xde\x79\xf7\xde\x52\xab\xb5\xbc\xba\xaf\xd2\x6e\xb7\xdf\x3b\xa2\xe9\x0c\x2b\x7f\x38\xed\x0e\xbb\x3f\x67\x76\x86\xb3\x78\xe1\xa9\x64\x90\x39\x1c\x8e\xca\xbf\xdb\xed\x76\xbd\xa5\x18\x86\x78\x8e\xaf\xb4\x6b\xa7\xda\xf3\xdf\xeb\xdf\x3f\x1b\x86\x09\xf6\x51\x19\xe4\xab\x12\x70\x16\x6e\xac\xdf\x7f\xeb\xc6\xda\x3b\xef\x7e\x7d\xe5\xfe\xd2\x1b\xcb\x6f\x2c\x3f\x58\x98\x9f\x5f\x98\x5e\x98\x7f\x65\xee\xc6\x9d\x95\xd6\xf2\x74\xe7\x71\xd0\x51\x02\x8f\xc3\xde\x4d\x7f\xd0\x91\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfd\x3a\x8b\x3f\x27\x18\xf4\x1c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x27\xdb\xe2\x54\x46\x1f\xa6\xc8\xcc\xf4\xf5\xe9\x72\x7d\x7b\x6b\xae\x55\x2e\xdd\xfa\xde\x9e\xa3\x49\x1a\x49\x8a\x9f\x26\xc5\x47\xc9\xcd\x74\x96\x4c\xf4\x74\x57\x1c\x35\xce\x07\x2b\x0b\xaf\x7f\xfc\xe9\xf6\x27\x7b\x7d\x8d\x76\xf7\x6f\x1c\x77\x5c\x7f\x36\xeb\x25\x93\x49\x46\xea\xf2\xb4\xfa\xbb\xf5\x5f\xf7\x57\xec\xce\xb0\x4c\xd8\xb5\x6e\xe2\x60\xd0\xfe\x13\x00\x00\xff\xff\xaa\x7b\x10\xae", 1606);
	/* Mount the image on ./bus and chdir into it. The option string at
	 * 0x400000000140 has not been written yet, so it is empty. */
	syz_mount_image(/*fs=*/0x400000000600, /*dir=*/0x400000000200, /*flags=MS_POSIXACL|MS_SYNCHRONOUS|MS_NOATIME*/0x10410, /*opts=*/0x400000000140, /*chdir=*/1, /*size=*/0x646, /*img=*/0x400000000640);
	/* unlink("./file1") is the trigger: in repro.log the crash is reached via
	 * hfsplus_unlink -> hfsplus_delete_cat -> hfsplus_delete_all_attrs ->
	 * hfsplus_brec_remove -> hfsplus_bnode_dump -> hfsplus_bnode_read. */
	memcpy((void*)0x400000000140, "./file1\000", 8);
	syscall(__NR_unlink, /*path=*/0x400000000140ul);
	return 0;
}

[-- Attachment #3: repro.log --]
[-- Type: application/octet-stream, Size: 16336 bytes --]

Warning: Permanently added '[localhost]:53407' (ED25519) to the list of known hosts.
executing program
syzkaller login: [   59.918772][ T9411] loop0: detected capacity change from 0 to 1024
[   59.976300][ T9411] hfsplus: request for non-existent node 32768 in B*Tree
[   59.977861][ T9411] hfsplus: request for non-existent node 32768 in B*Tree
[   59.980234][ T9411] ==================================================================
[   59.981779][ T9411] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x23e/0x260
[   59.983173][ T9411] Read of size 8 at addr ffff8880209281c0 by task syz-executor146/9411
[   59.984525][ T9411] 
[   59.985209][ T9411] CPU: 0 UID: 0 PID: 9411 Comm: syz-executor146 Not tainted 6.14.0-rc4 #1
[   59.985240][ T9411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   59.985256][ T9411] Call Trace:
[   59.985265][ T9411]  <TASK>
[   59.985275][ T9411]  dump_stack_lvl+0x116/0x1b0
[   59.985322][ T9411]  print_address_description.constprop.0+0x2c/0x420
[   59.985364][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   59.985406][ T9411]  print_report+0xaa/0x270
[   59.985441][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   59.985481][ T9411]  ? kasan_addr_to_slab+0x27/0x80
[   59.985513][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   59.985553][ T9411]  kasan_report+0xbd/0x100
[   59.985590][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   59.985634][ T9411]  hfsplus_bnode_read+0x23e/0x260
[   59.985677][ T9411]  hfsplus_bnode_dump+0x2c6/0x3b0
[   59.985720][ T9411]  ? __pfx_hfsplus_bnode_dump+0x10/0x10
[   59.985778][ T9411]  ? hfsplus_bnode_write_u16+0x84/0xc0
[   59.985947][ T9411]  ? hfsplus_bnode_move+0x2a/0x8b0
[   59.985990][ T9411]  ? __mark_inode_dirty+0x178/0x720
[   59.986030][ T9411]  hfsplus_brec_remove+0x3e7/0x4f0
[   59.986060][ T9411]  __hfsplus_delete_attr+0x296/0x3b0
[   59.986090][ T9411]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[   59.986118][ T9411]  ? __pfx___hfsplus_delete_attr+0x10/0x10
[   59.986151][ T9411]  ? __asan_memset+0x24/0x50
[   59.986180][ T9411]  hfsplus_delete_all_attrs+0x26d/0x330
[   59.986213][ T9411]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[   59.986248][ T9411]  ? rcu_is_watching+0x12/0xd0
[   59.986286][ T9411]  ? trace_writeback_dirty_inode_enqueue+0x16e/0x1f0
[   59.986323][ T9411]  ? __mark_inode_dirty+0x418/0x720
[   59.986361][ T9411]  hfsplus_delete_cat+0x87b/0xe70
[   59.986400][ T9411]  ? __pfx_hfsplus_delete_cat+0x10/0x10
[   59.986442][ T9411]  ? rcu_is_watching+0x12/0xd0
[   59.986489][ T9411]  hfsplus_unlink+0x1cd/0x7c0
[   59.986529][ T9411]  ? __pfx_hfsplus_unlink+0x10/0x10
[   59.986568][ T9411]  ? down_write+0x152/0x220
[   59.986608][ T9411]  ? __pfx_down_write+0x10/0x10
[   59.986653][ T9411]  vfs_unlink+0x36c/0x9e0
[   59.986682][ T9411]  do_unlinkat+0x54a/0x720
[   59.986720][ T9411]  ? __pfx_do_unlinkat+0x10/0x10
[   59.986775][ T9411]  ? __phys_addr_symbol+0x30/0x80
[   59.986812][ T9411]  ? getname_flags+0x260/0x620
[   59.986846][ T9411]  __x64_sys_unlink+0x40/0x60
[   59.986883][ T9411]  do_syscall_64+0xcb/0x260
[   59.986922][ T9411]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   59.986961][ T9411] RIP: 0033:0x7f96758bdafd
[   59.986982][ T9411] Code: c3 e8 f7 20 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   59.987009][ T9411] RSP: 002b:00007ffc6396d868 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[   59.987036][ T9411] RAX: ffffffffffffffda RBX: 00007ffc6396da78 RCX: 00007f96758bdafd
[   59.987053][ T9411] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000400000000140
[   59.987069][ T9411] RBP: 0000000000000001 R08: 0000000000000640 R09: 0000000000000000
[   59.987085][ T9411] R10: 00007ffc6396d720 R11: 0000000000000246 R12: 0000000000000001
[   59.987101][ T9411] R13: 00007ffc6396da68 R14: 00007f967593c530 R15: 0000000000000001
[   59.987126][ T9411]  </TASK>
[   59.987135][ T9411] 
[   60.041060][ T9411] Allocated by task 9411:
[   60.041620][ T9411]  kasan_save_stack+0x24/0x50
[   60.042219][ T9411]  kasan_save_track+0x14/0x40
[   60.042784][ T9411]  __kasan_kmalloc+0xba/0xc0
[   60.043332][ T9411]  __kmalloc_noprof+0x212/0x580
[   60.043917][ T9411]  __hfs_bnode_create+0x107/0x850
[   60.044530][ T9411]  hfsplus_bnode_find+0x424/0xc70
[   60.045145][ T9411]  hfsplus_brec_find+0x2b3/0x540
[   60.045717][ T9411]  hfsplus_find_attr+0xf7/0x180
[   60.046274][ T9411]  __hfsplus_getxattr+0x2cf/0x5f0
[   60.046858][ T9411]  hfsplus_getxattr+0xc9/0x140
[   60.047401][ T9411]  hfsplus_security_getxattr+0x3a/0x60
[   60.048033][ T9411]  __vfs_getxattr+0x13f/0x1b0
[   60.048584][ T9411]  smk_fetch+0xe6/0x180
[   60.049089][ T9411]  smack_d_instantiate+0x434/0xbb0
[   60.049668][ T9411]  security_d_instantiate+0x142/0x1a0
[   60.050269][ T9411]  d_splice_alias+0x91/0x860
[   60.050789][ T9411]  hfsplus_lookup+0x652/0x890
[   60.051319][ T9411]  lookup_one_qstr_excl+0x12b/0x190
[   60.051895][ T9411]  do_unlinkat+0x27b/0x720
[   60.052384][ T9411]  __x64_sys_unlink+0x40/0x60
[   60.052896][ T9411]  do_syscall_64+0xcb/0x260
[   60.053388][ T9411]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.054033][ T9411] 
[   60.054298][ T9411] The buggy address belongs to the object at ffff888020928100
[   60.054298][ T9411]  which belongs to the cache kmalloc-192 of size 192
[   60.055748][ T9411] The buggy address is located 40 bytes to the right of
[   60.055748][ T9411]  allocated 152-byte region [ffff888020928100, ffff888020928198)
[   60.057248][ T9411] 
[   60.057499][ T9411] The buggy address belongs to the physical page:
[   60.058147][ T9411] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20928
[   60.058976][ T9411] ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   60.059749][ T9411] page_type: f5(slab)
[   60.060145][ T9411] raw: 00fff00000000000 ffff88801b4413c0 ffffea00008c6700 dead000000000003
[   60.061010][ T9411] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   60.061822][ T9411] page dumped because: kasan: bad access detected
[   60.062434][ T9411] page_owner tracks the page as allocated
[   60.062986][ T9411] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 13486626478, free_ts 12926895884
[   60.064647][ T9411]  post_alloc_hook+0x1a3/0x1d0
[   60.065104][ T9411]  get_page_from_freelist+0x8a5/0xfa0
[   60.065623][ T9411]  __alloc_frozen_pages_noprof+0x1d8/0x3b0
[   60.066178][ T9411]  alloc_pages_mpol+0x1f2/0x550
[   60.066638][ T9411]  allocate_slab+0x229/0x310
[   60.067063][ T9411]  ___slab_alloc+0x7f3/0x12b0
[   60.067502][ T9411]  __slab_alloc.constprop.0+0x56/0xc0
[   60.068005][ T9411]  __kmalloc_cache_noprof+0x280/0x450
[   60.068509][ T9411]  call_usermodehelper_setup+0x9c/0x350
[   60.069020][ T9411]  kobject_uevent_env+0x76c/0xa70
[   60.069493][ T9411]  device_add+0xbf3/0x1490
[   60.069896][ T9411]  usb_new_device+0x8f4/0x1430
[   60.070311][ T9411]  register_root_hub+0x299/0x730
[   60.070768][ T9411]  usb_add_hcd+0xbe8/0x1770
[   60.071183][ T9411]  dummy_hcd_probe+0x15c/0x390
[   60.071606][ T9411]  platform_probe+0x103/0x210
[   60.072019][ T9411] page last free pid 966 tgid 966 stack trace:
[   60.072558][ T9411]  free_frozen_pages+0x71f/0xff0
[   60.072994][ T9411]  vfree+0x172/0x850
[   60.073342][ T9411]  delayed_vfree_work+0x57/0x70
[   60.073789][ T9411]  process_one_work+0x109d/0x18c0
[   60.074232][ T9411]  worker_thread+0x677/0xe90
[   60.074628][ T9411]  kthread+0x3b3/0x760
[   60.074998][ T9411]  ret_from_fork+0x48/0x80
[   60.075397][ T9411]  ret_from_fork_asm+0x1a/0x30
[   60.075821][ T9411] 
[   60.076038][ T9411] Memory state around the buggy address:
[   60.076569][ T9411]  ffff888020928080: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   60.077257][ T9411]  ffff888020928100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.077985][ T9411] >ffff888020928180: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.078670][ T9411]                                            ^
[   60.079254][ T9411]  ffff888020928200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.079934][ T9411]  ffff888020928280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   60.080637][ T9411] ==================================================================
[   60.087582][ T9411] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   60.088311][ T9411] CPU: 0 UID: 0 PID: 9411 Comm: syz-executor146 Not tainted 6.14.0-rc4 #1
[   60.089066][ T9411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   60.089910][ T9411] Call Trace:
[   60.090211][ T9411]  <TASK>
[   60.090487][ T9411]  dump_stack_lvl+0x3d/0x1b0
[   60.090908][ T9411]  panic+0x6d5/0x790
[   60.091269][ T9411]  ? __pfx_panic+0x10/0x10
[   60.091672][ T9411]  ? irqentry_exit+0x3b/0xa0
[   60.092116][ T9411]  ? preempt_schedule_thunk+0x1a/0x30
[   60.092589][ T9411]  ? preempt_schedule_common+0x44/0xc0
[   60.093081][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   60.093582][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   60.094067][ T9411]  check_panic_on_warn+0xb1/0xc0
[   60.094538][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   60.095002][ T9411]  end_report+0x83/0xa0
[   60.095390][ T9411]  kasan_report+0xcd/0x100
[   60.095801][ T9411]  ? hfsplus_bnode_read+0x23e/0x260
[   60.096320][ T9411]  hfsplus_bnode_read+0x23e/0x260
[   60.096778][ T9411]  hfsplus_bnode_dump+0x2c6/0x3b0
[   60.097254][ T9411]  ? __pfx_hfsplus_bnode_dump+0x10/0x10
[   60.097752][ T9411]  ? hfsplus_bnode_write_u16+0x84/0xc0
[   60.098281][ T9411]  ? hfsplus_bnode_move+0x2a/0x8b0
[   60.098737][ T9411]  ? __mark_inode_dirty+0x178/0x720
[   60.099223][ T9411]  hfsplus_brec_remove+0x3e7/0x4f0
[   60.099697][ T9411]  __hfsplus_delete_attr+0x296/0x3b0
[   60.100187][ T9411]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[   60.100730][ T9411]  ? __pfx___hfsplus_delete_attr+0x10/0x10
[   60.101256][ T9411]  ? __asan_memset+0x24/0x50
[   60.101677][ T9411]  hfsplus_delete_all_attrs+0x26d/0x330
[   60.102169][ T9411]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[   60.102696][ T9411]  ? rcu_is_watching+0x12/0xd0
[   60.103136][ T9411]  ? trace_writeback_dirty_inode_enqueue+0x16e/0x1f0
[   60.103713][ T9411]  ? __mark_inode_dirty+0x418/0x720
[   60.104182][ T9411]  hfsplus_delete_cat+0x87b/0xe70
[   60.104633][ T9411]  ? __pfx_hfsplus_delete_cat+0x10/0x10
[   60.105122][ T9411]  ? rcu_is_watching+0x12/0xd0
[   60.105558][ T9411]  hfsplus_unlink+0x1cd/0x7c0
[   60.105994][ T9411]  ? __pfx_hfsplus_unlink+0x10/0x10
[   60.106521][ T9411]  ? down_write+0x152/0x220
[   60.106940][ T9411]  ? __pfx_down_write+0x10/0x10
[   60.107392][ T9411]  vfs_unlink+0x36c/0x9e0
[   60.107792][ T9411]  do_unlinkat+0x54a/0x720
[   60.108218][ T9411]  ? __pfx_do_unlinkat+0x10/0x10
[   60.108666][ T9411]  ? __phys_addr_symbol+0x30/0x80
[   60.109117][ T9411]  ? getname_flags+0x260/0x620
[   60.109539][ T9411]  __x64_sys_unlink+0x40/0x60
[   60.109970][ T9411]  do_syscall_64+0xcb/0x260
[   60.110427][ T9411]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.110991][ T9411] RIP: 0033:0x7f96758bdafd
[   60.111380][ T9411] Code: c3 e8 f7 20 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   60.113027][ T9411] RSP: 002b:00007ffc6396d868 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[   60.113775][ T9411] RAX: ffffffffffffffda RBX: 00007ffc6396da78 RCX: 00007f96758bdafd
[   60.114515][ T9411] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000400000000140
[   60.115247][ T9411] RBP: 0000000000000001 R08: 0000000000000640 R09: 0000000000000000
[   60.115938][ T9411] R10: 00007ffc6396d720 R11: 0000000000000246 R12: 0000000000000001
[   60.116637][ T9411] R13: 00007ffc6396da68 R14: 00007f967593c530 R15: 0000000000000001
[   60.117322][ T9411]  </TASK>
[   60.117807][ T9411] Kernel Offset: disabled
[   60.118179][ T9411] Rebooting in 86400 seconds..

VM DIAGNOSIS:
00:30:36  Registers:

[-- Attachment #4: repro.prog --]
[-- Type: application/octet-stream, Size: 2756 bytes --]

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
syz_mount_image$hfsplus(&(0x7f0000000600), &(0x7f0000000200)='./bus\x00', 0x10410, &(0x7f0000000140)=ANY=[], 0x1, 0x646, &(0x7f0000000640)="$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")
unlink(&(0x7f0000000140)='./file1\x00')

[-- Attachment #5: mount_0.gz --]
[-- Type: application/x-gzip, Size: 1618 bytes --]


* Re: KASAN: slab-out-of-bounds Read in hfsplus_bnode_read in v6.14-rc4 kernel
  2025-03-03  1:52 KASAN: slab-out-of-bounds Read in hfsplus_bnode_read in v6.14-rc4 kernel Strforexc yn
@ 2025-03-03  3:59 ` Matthew Wilcox
  0 siblings, 0 replies; 2+ messages in thread
From: Matthew Wilcox @ 2025-03-03  3:59 UTC (permalink / raw)
  To: Strforexc yn; +Cc: linux-fsdevel, linux-kernel

On Mon, Mar 03, 2025 at 09:52:56AM +0800, Strforexc yn wrote:
> KASAN detects a slab-out-of-bounds read of size 8 at address
> ffff888044c23ac0 in hfsplus_bnode_read (fs/hfsplus/bnode.c:32) during
> a rename operation. Preceding logs report: hfsplus: request for
> non-existent node 65030 in B*Tree.

hfsplus is unmaintained and rarely used.  I'd rather delete it than
spend any time analysing this report.





