[<prev] [next>] [day] [month] [year] [list]
Message-Id: <B6DA8027-DC43-41ED-828B-4740DC0CC571@gmail.com>
Date: Tue, 14 May 2024 00:41:05 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: brauner@...nel.org,
jack@...e.cz,
jlayton@...nel.org,
viro@...iv.linux.org.uk
Cc: reiserfs-devel@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: KASAN: use-after-free in search_by_entry_key in kernel v6.9
Hi Kernel Maintainers,
Our tool found a kernel bug KASAN: use-after-free in search_by_entry_key. Please see the details below.
Kenrel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment
We find this bug was reported and marked as fixed recently. Seems Syzbot could not trigger this bug in recent kernels. (https://syzkaller.appspot.com/bug?extid=ffe24b1afbc4cb5ae8fb)
Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly.
Please let me know for anything I can help.
Best,
Shuangpeng
Download attachment ".config" of type "application/octet-stream" (247338 bytes)
Download attachment "repro.c" of type "application/octet-stream" (309676 bytes)
[ 74.947073][ T8082] ==================================================================
[ 74.947711][ T8082] BUG: KASAN: use-after-free in search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 74.948339][ T8082] Read of size 4 at addr ffff8881585e6fc4 by task a.out/8082
[ 74.948921][ T8082]
[ 74.949117][ T8082] CPU: 1 PID: 8082 Comm: a.out Not tainted 6.9.0 #7
[ 74.949650][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 74.950389][ T8082] Call Trace:
[ 74.950670][ T8082] <TASK>
[ 74.950921][ T8082] dump_stack_lvl (lib/dump_stack.c:117)
[ 74.951327][ T8082] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
[ 74.951711][ T8082] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
[ 74.952104][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 74.952548][ T8082] kasan_report (mm/kasan/report.c:603)
[ 74.952920][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 74.953374][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 74.953805][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324)
[ 74.954269][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305)
[ 74.954771][ T8082] ? __d_alloc (fs/dcache.c:1626)
[ 74.955124][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 74.955524][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3))
[ 74.955901][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370)
[ 74.956307][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355)
[ 74.956763][ T8082] ? d_alloc (fs/dcache.c:1717)
[ 74.957138][ T8082] ? d_alloc_parallel (fs/dcache.c:2458)
[ 74.957584][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168)
[ 74.958047][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91)
[ 74.958524][ T8082] ? generic_permission (fs/namei.c:442)
[ 74.958961][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693)
[ 74.959368][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668)
[ 74.959808][ T8082] ? __d_lookup (fs/dcache.c:2331)
[ 74.960197][ T8082] ? d_lookup (fs/dcache.c:2259)
[ 74.960551][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1))
[ 74.960946][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744)
[ 74.961386][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577)
[ 74.961795][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545)
[ 74.962179][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543)
[ 74.962599][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979)
[ 74.963064][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173)
[ 74.963533][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888)
[ 74.964025][ T8082] ? snprintf (lib/vsprintf.c:2954)
[ 74.964400][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954)
[ 74.964814][ T8082] ? errseq_sample (lib/errseq.c:131)
[ 74.965228][ T8082] ? setup_bdev_super (fs/super.c:1574)
[ 74.965676][ T8082] mount_bdev (fs/super.c:1659)
[ 74.966062][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888)
[ 74.966551][ T8082] ? __pfx_mount_bdev (fs/super.c:1636)
[ 74.966984][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648)
[ 74.967475][ T8082] ? cap_capable (security/commoncap.c:103)
[ 74.967884][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599)
[ 74.968348][ T8082] legacy_get_tree (fs/fs_context.c:664)
[ 74.968750][ T8082] vfs_get_tree (fs/super.c:1780)
[ 74.969129][ T8082] ? mount_capable (fs/super.c:695)
[ 74.969526][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679)
[ 74.969912][ T8082] ? putname (fs/namei.c:274)
[ 74.970276][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350)
[ 74.970688][ T8082] ? __pfx_path_mount (fs/namespace.c:3606)
[ 74.971102][ T8082] ? putname (fs/namei.c:274)
[ 74.971463][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875)
[ 74.971869][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875)
[ 74.972328][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822)
[ 74.972861][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 74.973271][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 74.973788][ T8082] RIP: 0033:0x7fda67001c7e
[ 74.974181][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8
All code
========
0: 48 8b 0d 15 c2 0c 00 mov 0xcc215(%rip),%rcx # 0xcc21c
7: f7 d8 neg %eax
9: 64 89 01 mov %eax,%fs:(%rcx)
c: 48 83 c8 ff or $0xffffffffffffffff,%rax
10: c3 ret
11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
18: 00 00 00
1b: 90 nop
1c: f3 0f 1e fa endbr64
20: 49 89 ca mov %rcx,%r10
23: b8 a5 00 00 00 mov $0xa5,%eax
28: 0f 05 syscall
2a:* 48 rex.W <-- trapping instruction
2b: d8 .byte 0xd8
Code starting with the faulting instruction
===========================================
0: 48 rex.W
1: d8 .byte 0xd8
[ 74.975799][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 74.976515][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e
[ 74.977192][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300
[ 74.977871][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000
[ 74.978542][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320
[ 74.979214][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000
[ 74.979888][ T8082] </TASK>
[ 74.980159][ T8082]
[ 74.980368][ T8082] The buggy address belongs to the physical page:
[ 74.980910][ T8082] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1585e6
[ 74.981664][ T8082] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
[ 74.982277][ T8082] page_type: 0xffffffff()
[ 74.982654][ T8082] raw: 057ff00000000000 ffffea00056179c8 ffffea0005617948 0000000000000000
[ 74.983385][ T8082] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 74.984111][ T8082] page dumped because: kasan: bad access detected
[ 74.984651][ T8082] page_owner info is not present (never set?)
[ 74.985166][ T8082]
[ 74.985380][ T8082] Memory state around the buggy address:
[ 74.985859][ T8082] ffff8881585e6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 74.986536][ T8082] ffff8881585e6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 74.987218][ T8082] >ffff8881585e6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 74.987898][ T8082] ^
[ 74.988424][ T8082] ffff8881585e7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 74.989108][ T8082] ffff8881585e7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 74.989858][ T8082] ==================================================================
[ 74.992095][ T8082] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.993811][ T8082] CPU: 0 PID: 8082 Comm: a.out Not tainted 6.9.0 #7
[ 74.995323][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 74.997411][ T8082] Call Trace:
[ 74.998206][ T8082] <TASK>
[ 74.998905][ T8082] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4))
[ 74.999917][ T8082] panic (kernel/panic.c:348)
[ 75.000351][ T8082] ? __pfx_panic (kernel/panic.c:282)
[ 75.000844][ T8082] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:12)
[ 75.001430][ T8082] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927)
[ 75.002018][ T8082] ? check_panic_on_warn (kernel/panic.c:240)
[ 75.002571][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 75.003144][ T8082] check_panic_on_warn (kernel/panic.c:241)
[ 75.003684][ T8082] end_report (mm/kasan/report.c:226)
[ 75.004147][ T8082] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606)
[ 75.004636][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 75.005365][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165)
[ 75.005926][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324)
[ 75.006540][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305)
[ 75.007088][ T8082] ? __d_alloc (fs/dcache.c:1626)
[ 75.007475][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 75.007897][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3))
[ 75.008297][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370)
[ 75.008721][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355)
[ 75.009182][ T8082] ? d_alloc (fs/dcache.c:1717)
[ 75.009564][ T8082] ? d_alloc_parallel (fs/dcache.c:2458)
[ 75.010006][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168)
[ 75.010472][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91)
[ 75.010960][ T8082] ? generic_permission (fs/namei.c:442)
[ 75.011415][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693)
[ 75.011823][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668)
[ 75.012272][ T8082] ? __d_lookup (fs/dcache.c:2331)
[ 75.012671][ T8082] ? d_lookup (fs/dcache.c:2259)
[ 75.013039][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1))
[ 75.013470][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744)
[ 75.013926][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577)
[ 75.014358][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545)
[ 75.014759][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543)
[ 75.015200][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979)
[ 75.015678][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173)
[ 75.016159][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888)
[ 75.016669][ T8082] ? snprintf (lib/vsprintf.c:2954)
[ 75.017058][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954)
[ 75.017495][ T8082] ? errseq_sample (lib/errseq.c:131)
[ 75.017925][ T8082] ? setup_bdev_super (fs/super.c:1574)
[ 75.018389][ T8082] mount_bdev (fs/super.c:1659)
[ 75.018793][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888)
[ 75.019300][ T8082] ? __pfx_mount_bdev (fs/super.c:1636)
[ 75.019749][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648)
[ 75.020259][ T8082] ? cap_capable (security/commoncap.c:103)
[ 75.020679][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599)
[ 75.021157][ T8082] legacy_get_tree (fs/fs_context.c:664)
[ 75.021597][ T8082] vfs_get_tree (fs/super.c:1780)
[ 75.022004][ T8082] ? mount_capable (fs/super.c:695)
[ 75.022433][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679)
[ 75.022847][ T8082] ? putname (fs/namei.c:274)
[ 75.023234][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350)
[ 75.023682][ T8082] ? __pfx_path_mount (fs/namespace.c:3606)
[ 75.024119][ T8082] ? putname (fs/namei.c:274)
[ 75.024494][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875)
[ 75.024923][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875)
[ 75.025419][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822)
[ 75.025972][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 75.026389][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 75.026903][ T8082] RIP: 0033:0x7fda67001c7e
[ 75.027298][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8
All code
========
0: 48 8b 0d 15 c2 0c 00 mov 0xcc215(%rip),%rcx # 0xcc21c
7: f7 d8 neg %eax
9: 64 89 01 mov %eax,%fs:(%rcx)
c: 48 83 c8 ff or $0xffffffffffffffff,%rax
10: c3 ret
11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
18: 00 00 00
1b: 90 nop
1c: f3 0f 1e fa endbr64
20: 49 89 ca mov %rcx,%r10
23: b8 a5 00 00 00 mov $0xa5,%eax
28: 0f 05 syscall
2a:* 48 rex.W <-- trapping instruction
2b: d8 .byte 0xd8
Code starting with the faulting instruction
===========================================
0: 48 rex.W
1: d8 .byte 0xd8
[ 75.028940][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 75.029678][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e
[ 75.030351][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300
[ 75.031024][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000
[ 75.031695][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320
[ 75.032379][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000
[ 75.033079][ T8082] </TASK>
[ 75.033640][ T8082] Kernel Offset: disabled
Powered by blists - more mailing lists