lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 22 Mar 2021 16:18:15 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     jaegeuk@...nel.org, chao@...nel.org
Cc:     linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: KASAN: use-after-free Read in f2fs_flush_nat_entries

Hi, I reported a bug found by syzkaller fuzzer with custom modifications.
reproduce it in 5.12.0-rc3+ and crash log is as fellow:

==================================================================
BUG: KASAN: use-after-free in f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
BUG: KASAN: use-after-free in current_nat_addr fs/f2fs/node.h:213 [inline]
BUG: KASAN: use-after-free in get_next_nat_page fs/f2fs/node.c:123 [inline]
BUG: KASAN: use-after-free in __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
BUG: KASAN: use-after-free in f2fs_flush_nat_entries+0x258e/0x2960
fs/f2fs/node.c:2991
Read of size 1 at addr ffff88804a180e05 by task syz-executor191/8437

CPU: 0 PID: 8437 Comm: syz-executor191 Not tainted 5.12.0-rc3+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
 current_nat_addr fs/f2fs/node.h:213 [inline]
 get_next_nat_page fs/f2fs/node.c:123 [inline]
 __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
 f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
 f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
 f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
 f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem fs/sync.c:67 [inline]
 sync_filesystem+0x1b5/0x260 fs/sync.c:48
 generic_shutdown_super+0x70/0x370 fs/super.c:448
 kill_block_super+0x97/0xf0 fs/super.c:1394
 kill_f2fs_super+0x28c/0x370 fs/f2fs/super.c:4128
 deactivate_locked_super+0x8c/0xf0 fs/super.c:335
 deactivate_super fs/super.c:366 [inline]
 deactivate_super+0xad/0xd0 fs/super.c:362
 cleanup_mnt+0x347/0x4b0 fs/namespace.c:1136
 task_work_run+0xe0/0x1a0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x25c/0x270 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4527cb
Code: 07 00 48 83 c4 08 5b 5d c3 66 0f 1f 44 00 00 c3 66 2e 0f 1f 84
00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffed7ad9228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000020f6 RCX: 00000000004527cb
RDX: 0000000000401ef8 RSI: 0000000000000002 RDI: 00007ffed7ad92e0
RBP: 00007ffed7ad92e0 R08: 000000000049c00c R09: 00007ffed7ad90b0
R10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffed7ada350
R13: 0000000002287b70 R14: 00007ffed7ad9248 R15: 0000000000000001

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 __kasan_slab_alloc+0x75/0x90 mm/kasan/common.c:460
 kasan_slab_alloc include/linux/kasan.h:223 [inline]
 slab_post_alloc_hook mm/slab.h:516 [inline]
 slab_alloc_node mm/slub.c:2907 [inline]
 slab_alloc mm/slub.c:2915 [inline]
 kmem_cache_alloc+0x242/0x900 mm/slub.c:2920
 getname_flags fs/namei.c:138 [inline]
 getname_flags+0xd2/0x5b0 fs/namei.c:128
 user_path_at_empty+0x2a/0x50 fs/namei.c:2733
 user_path_at include/linux/namei.h:60 [inline]
 vfs_statx+0x13c/0x370 fs/stat.c:195
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:372
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xf6/0x130 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook mm/slub.c:1600 [inline]
 slab_free mm/slub.c:3161 [inline]
 kmem_cache_free+0xb4/0x450 mm/slub.c:3177
 putname+0xe1/0x120 fs/namei.c:259
 filename_lookup+0x282/0x3e0 fs/namei.c:2463
 user_path_at include/linux/namei.h:60 [inline]
 vfs_statx+0x13c/0x370 fs/stat.c:195
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:372
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88804a180000
 which belongs to the cache names_cache of size 4096
The buggy address is located 3589 bytes inside of
 4096-byte region [ffff88804a180000, ffff88804a181000)
The buggy address belongs to the page:
page:00000000b163d35e refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x4a180
head:00000000b163d35e order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head)
raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888040005140
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88804a180d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804a180d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804a180e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88804a180e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804a180f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The attachment is a reproduce.

Regards,
 butt3rflyh4ck.

View attachment "repro.c" of type "text/x-csrc" (17154 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ