| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Oct 2022 00:35:39 -0700
From: syzbot <syzbot+667a6d667592227b1452@...kaller.appspotmail.com>
To: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
shaggy@...nel.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] KASAN: use-after-free Read in dbJoin
Hello,
syzbot found the following issue on:
HEAD commit: aaa11ce2ffc8 Add linux-next specific files for 20220923
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10a9b134880000
kernel config: https://syzkaller.appspot.com/x/.config?x=186d1ff305f10294
dashboard link: https://syzkaller.appspot.com/bug?extid=667a6d667592227b1452
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/95c7bf83c07e/disk-aaa11ce2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b161cd56a7a3/vmlinux-aaa11ce2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+667a6d667592227b1452@...kaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in dbJoin+0x23b/0x240 fs/jfs/jfs_dmap.c:2772
Read of size 1 at addr ffff88817cbdfa4c by task jfsCommit/123
CPU: 0 PID: 123 Comm: jfsCommit Not tainted 6.0.0-rc6-next-20220923-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
dbJoin+0x23b/0x240 fs/jfs/jfs_dmap.c:2772
dbFreeBits+0x15d/0x8c0 fs/jfs/jfs_dmap.c:2305
dbFreeDmap+0x61/0x1a0 fs/jfs/jfs_dmap.c:2054
dbFree+0x250/0x540 fs/jfs/jfs_dmap.c:379
txFreeMap+0x8f1/0xd70 fs/jfs/jfs_txnmgr.c:2529
txUpdateMap+0x3cd/0xc50 fs/jfs/jfs_txnmgr.c:2325
txLazyCommit fs/jfs/jfs_txnmgr.c:2659 [inline]
jfs_lazycommit+0x5bb/0xaa0 fs/jfs/jfs_txnmgr.c:2727
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea0005f2f7c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17cbdf
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0005f2f7c8 ffffea0005f2f7c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffff88817cbdf900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88817cbdf980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88817cbdfa00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88817cbdfa80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88817cbdfb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists