lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <B6DA8027-DC43-41ED-828B-4740DC0CC571@gmail.com>
Date: Tue, 14 May 2024 00:41:05 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: brauner@...nel.org,
 jack@...e.cz,
 jlayton@...nel.org,
 viro@...iv.linux.org.uk
Cc: reiserfs-devel@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 syzkaller@...glegroups.com
Subject: KASAN: use-after-free in search_by_entry_key in kernel v6.9

Hi Kernel Maintainers,

Our tool found a kernel bug KASAN: use-after-free in search_by_entry_key. Please see the details below.

Kenrel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment

We find this bug was reported and marked as fixed recently. Seems Syzbot could not trigger this bug in recent kernels. (https://syzkaller.appspot.com/bug?extid=ffe24b1afbc4cb5ae8fb)

Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly.

Please let me know for anything I can help.

Best,
Shuangpeng


Download attachment ".config" of type "application/octet-stream" (247338 bytes)

Download attachment "repro.c" of type "application/octet-stream" (309676 bytes)



[   74.947073][ T8082] ==================================================================
[ 74.947711][ T8082] BUG: KASAN: use-after-free in search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[   74.948339][ T8082] Read of size 4 at addr ffff8881585e6fc4 by task a.out/8082
[   74.948921][ T8082]
[   74.949117][ T8082] CPU: 1 PID: 8082 Comm: a.out Not tainted 6.9.0 #7
[   74.949650][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   74.950389][ T8082] Call Trace:
[   74.950670][ T8082]  <TASK>
[ 74.950921][ T8082] dump_stack_lvl (lib/dump_stack.c:117) 
[ 74.951327][ T8082] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) 
[ 74.951711][ T8082] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) 
[ 74.952104][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 74.952548][ T8082] kasan_report (mm/kasan/report.c:603) 
[ 74.952920][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 74.953374][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 74.953805][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324) 
[ 74.954269][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305) 
[ 74.954771][ T8082] ? __d_alloc (fs/dcache.c:1626) 
[ 74.955124][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 74.955524][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3)) 
[ 74.955901][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370) 
[ 74.956307][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355) 
[ 74.956763][ T8082] ? d_alloc (fs/dcache.c:1717) 
[ 74.957138][ T8082] ? d_alloc_parallel (fs/dcache.c:2458) 
[ 74.957584][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168) 
[ 74.958047][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91) 
[ 74.958524][ T8082] ? generic_permission (fs/namei.c:442) 
[ 74.958961][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693) 
[ 74.959368][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668) 
[ 74.959808][ T8082] ? __d_lookup (fs/dcache.c:2331) 
[ 74.960197][ T8082] ? d_lookup (fs/dcache.c:2259) 
[ 74.960551][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1)) 
[ 74.960946][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744) 
[ 74.961386][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577) 
[ 74.961795][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545) 
[ 74.962179][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543) 
[ 74.962599][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979) 
[ 74.963064][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173) 
[ 74.963533][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) 
[ 74.964025][ T8082] ? snprintf (lib/vsprintf.c:2954) 
[ 74.964400][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954) 
[ 74.964814][ T8082] ? errseq_sample (lib/errseq.c:131) 
[ 74.965228][ T8082] ? setup_bdev_super (fs/super.c:1574) 
[ 74.965676][ T8082] mount_bdev (fs/super.c:1659) 
[ 74.966062][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) 
[ 74.966551][ T8082] ? __pfx_mount_bdev (fs/super.c:1636) 
[ 74.966984][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648) 
[ 74.967475][ T8082] ? cap_capable (security/commoncap.c:103) 
[ 74.967884][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599) 
[ 74.968348][ T8082] legacy_get_tree (fs/fs_context.c:664) 
[ 74.968750][ T8082] vfs_get_tree (fs/super.c:1780) 
[ 74.969129][ T8082] ? mount_capable (fs/super.c:695) 
[ 74.969526][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679) 
[ 74.969912][ T8082] ? putname (fs/namei.c:274) 
[ 74.970276][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) 
[ 74.970688][ T8082] ? __pfx_path_mount (fs/namespace.c:3606) 
[ 74.971102][ T8082] ? putname (fs/namei.c:274) 
[ 74.971463][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875) 
[ 74.971869][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875) 
[ 74.972328][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822) 
[ 74.972861][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 74.973271][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   74.973788][ T8082] RIP: 0033:0x7fda67001c7e
[ 74.974181][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8
All code
========
   0:	48 8b 0d 15 c2 0c 00 	mov    0xcc215(%rip),%rcx        # 0xcc21c
   7:	f7 d8                	neg    %eax
   9:	64 89 01             	mov    %eax,%fs:(%rcx)
   c:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
  10:	c3                   	ret    
  11:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  18:	00 00 00 
  1b:	90                   	nop
  1c:	f3 0f 1e fa          	endbr64 
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 a5 00 00 00       	mov    $0xa5,%eax
  28:	0f 05                	syscall 
  2a:*	48                   	rex.W		<-- trapping instruction
  2b:	d8                   	.byte 0xd8

Code starting with the faulting instruction
===========================================
   0:	48                   	rex.W
   1:	d8                   	.byte 0xd8
[   74.975799][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   74.976515][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e
[   74.977192][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300
[   74.977871][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000
[   74.978542][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320
[   74.979214][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000
[   74.979888][ T8082]  </TASK>
[   74.980159][ T8082]
[   74.980368][ T8082] The buggy address belongs to the physical page:
[   74.980910][ T8082] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1585e6
[   74.981664][ T8082] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
[   74.982277][ T8082] page_type: 0xffffffff()
[   74.982654][ T8082] raw: 057ff00000000000 ffffea00056179c8 ffffea0005617948 0000000000000000
[   74.983385][ T8082] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   74.984111][ T8082] page dumped because: kasan: bad access detected
[   74.984651][ T8082] page_owner info is not present (never set?)
[   74.985166][ T8082]
[   74.985380][ T8082] Memory state around the buggy address:
[   74.985859][ T8082]  ffff8881585e6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   74.986536][ T8082]  ffff8881585e6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   74.987218][ T8082] >ffff8881585e6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   74.987898][ T8082]                                            ^
[   74.988424][ T8082]  ffff8881585e7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   74.989108][ T8082]  ffff8881585e7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   74.989858][ T8082] ==================================================================
[   74.992095][ T8082] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   74.993811][ T8082] CPU: 0 PID: 8082 Comm: a.out Not tainted 6.9.0 #7
[   74.995323][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   74.997411][ T8082] Call Trace:
[   74.998206][ T8082]  <TASK>
[ 74.998905][ T8082] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) 
[ 74.999917][ T8082] panic (kernel/panic.c:348) 
[ 75.000351][ T8082] ? __pfx_panic (kernel/panic.c:282) 
[ 75.000844][ T8082] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:12) 
[ 75.001430][ T8082] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927) 
[ 75.002018][ T8082] ? check_panic_on_warn (kernel/panic.c:240) 
[ 75.002571][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 75.003144][ T8082] check_panic_on_warn (kernel/panic.c:241) 
[ 75.003684][ T8082] end_report (mm/kasan/report.c:226) 
[ 75.004147][ T8082] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) 
[ 75.004636][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 75.005365][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) 
[ 75.005926][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324) 
[ 75.006540][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305) 
[ 75.007088][ T8082] ? __d_alloc (fs/dcache.c:1626) 
[ 75.007475][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 75.007897][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3)) 
[ 75.008297][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370) 
[ 75.008721][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355) 
[ 75.009182][ T8082] ? d_alloc (fs/dcache.c:1717) 
[ 75.009564][ T8082] ? d_alloc_parallel (fs/dcache.c:2458) 
[ 75.010006][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168) 
[ 75.010472][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91) 
[ 75.010960][ T8082] ? generic_permission (fs/namei.c:442) 
[ 75.011415][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693) 
[ 75.011823][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668) 
[ 75.012272][ T8082] ? __d_lookup (fs/dcache.c:2331) 
[ 75.012671][ T8082] ? d_lookup (fs/dcache.c:2259) 
[ 75.013039][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1)) 
[ 75.013470][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744) 
[ 75.013926][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577) 
[ 75.014358][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545) 
[ 75.014759][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543) 
[ 75.015200][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979) 
[ 75.015678][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173) 
[ 75.016159][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) 
[ 75.016669][ T8082] ? snprintf (lib/vsprintf.c:2954) 
[ 75.017058][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954) 
[ 75.017495][ T8082] ? errseq_sample (lib/errseq.c:131) 
[ 75.017925][ T8082] ? setup_bdev_super (fs/super.c:1574) 
[ 75.018389][ T8082] mount_bdev (fs/super.c:1659) 
[ 75.018793][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) 
[ 75.019300][ T8082] ? __pfx_mount_bdev (fs/super.c:1636) 
[ 75.019749][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648) 
[ 75.020259][ T8082] ? cap_capable (security/commoncap.c:103) 
[ 75.020679][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599) 
[ 75.021157][ T8082] legacy_get_tree (fs/fs_context.c:664) 
[ 75.021597][ T8082] vfs_get_tree (fs/super.c:1780) 
[ 75.022004][ T8082] ? mount_capable (fs/super.c:695) 
[ 75.022433][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679) 
[ 75.022847][ T8082] ? putname (fs/namei.c:274) 
[ 75.023234][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) 
[ 75.023682][ T8082] ? __pfx_path_mount (fs/namespace.c:3606) 
[ 75.024119][ T8082] ? putname (fs/namei.c:274) 
[ 75.024494][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875) 
[ 75.024923][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875) 
[ 75.025419][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822) 
[ 75.025972][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 75.026389][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   75.026903][ T8082] RIP: 0033:0x7fda67001c7e
[ 75.027298][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8
All code
========
   0:	48 8b 0d 15 c2 0c 00 	mov    0xcc215(%rip),%rcx        # 0xcc21c
   7:	f7 d8                	neg    %eax
   9:	64 89 01             	mov    %eax,%fs:(%rcx)
   c:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
  10:	c3                   	ret    
  11:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  18:	00 00 00 
  1b:	90                   	nop
  1c:	f3 0f 1e fa          	endbr64 
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 a5 00 00 00       	mov    $0xa5,%eax
  28:	0f 05                	syscall 
  2a:*	48                   	rex.W		<-- trapping instruction
  2b:	d8                   	.byte 0xd8

Code starting with the faulting instruction
===========================================
   0:	48                   	rex.W
   1:	d8                   	.byte 0xd8
[   75.028940][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   75.029678][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e
[   75.030351][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300
[   75.031024][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000
[   75.031695][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320
[   75.032379][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000
[   75.033079][ T8082]  </TASK>
[   75.033640][ T8082] Kernel Offset: disabled


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ