Message-ID: <CADCV8sqrBRjUYWyi4UWJ09shwMmV6myynvfxbszX6vNncCE18w@mail.gmail.com>
Date: Fri, 3 Jan 2025 14:52:24 +0800
From: Liebes Wang <wanghaichi0403@...il.com>
To: mark@...heh.com, jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, 
	ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: KASAN: use-after-free Read in ocfs2_claim_suballoc_bits

Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in
poly1305_core_blocks**, discovered using a modified version of Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is
also reproduced in the latest kernel version)
The test case and kernel config are attached.

The KASAN report is (The full report is attached):

audit: type=1400 audit(1734100146.072:51): avc:  denied  { associate } for
 pid=7211 comm="syz.1.286" name="file2"
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
==================================================================
BUG: KASAN: use-after-free in ocfs2_find_victim_chain
fs/ocfs2/suballoc.c:1445 [inline]
BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x1c33/0x1f90
fs/ocfs2/suballoc.c:1982
Read of size 4 at addr ff1100014d194000 by task syz.1.286/7214

CPU: 1 UID: 0 PID: 7214 Comm: syz.1.286 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xcb/0x620 mm/kasan/report.c:488
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
 ocfs2_claim_suballoc_bits+0x1c33/0x1f90 fs/ocfs2/suballoc.c:1982
 ocfs2_claim_new_inode+0x2e4/0x8b0 fs/ocfs2/suballoc.c:2267
 ocfs2_mknod_locked.constprop.0+0xe6/0x290 fs/ocfs2/namei.c:633
 ocfs2_mknod+0xcf9/0x24c0 fs/ocfs2/namei.c:379
 ocfs2_create+0x167/0x420 fs/ocfs2/namei.c:672
 lookup_open.isra.0+0x106e/0x1450 fs/namei.c:3595
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0xcb9/0x2940 fs/namei.c:3930
 do_filp_open+0x1c7/0x410 fs/namei.c:3960
 do_sys_openat2+0x164/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x140/0x1f0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f


Download attachment "report0" of type "application/octet-stream" (6155 bytes)

Download attachment "repro.c" of type "application/octet-stream" (85048 bytes)

Download attachment "config" of type "application/octet-stream" (148405 bytes)
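As an added triage aid (not part of the report above and not code from the reporter or the kernel), the following Python parses a KASAN access report of the shape shown in this mail into structured fields: bug kind, access type and size, faulting address, task, and the call trace with KASAN's own reporting frames stripped. The embedded text is the report from this mail with the archive's line wrapping undone; the regexes are written against that format and are my assumptions about it. The `title` property reproduces the form of this mail's subject line (kind, access, outermost non-inlined frame); it is not claimed to be syzkaller's exact title algorithm.

```python
"""Parse a KASAN access report into fields useful for triage and dedup."""
import re
from dataclasses import dataclass, field

# Report text copied from the mail above, with line wrapping undone so that
# every BUG line and stack frame sits on a single line.
KASAN_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x1c33/0x1f90 fs/ocfs2/suballoc.c:1982
Read of size 4 at addr ff1100014d194000 by task syz.1.286/7214

CPU: 1 UID: 0 PID: 7214 Comm: syz.1.286 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xcb/0x620 mm/kasan/report.c:488
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
 ocfs2_claim_suballoc_bits+0x1c33/0x1f90 fs/ocfs2/suballoc.c:1982
 ocfs2_claim_new_inode+0x2e4/0x8b0 fs/ocfs2/suballoc.c:2267
 ocfs2_mknod_locked.constprop.0+0xe6/0x290 fs/ocfs2/namei.c:633
 ocfs2_mknod+0xcf9/0x24c0 fs/ocfs2/namei.c:379
 ocfs2_create+0x167/0x420 fs/ocfs2/namei.c:672
 lookup_open.isra.0+0x106e/0x1450 fs/namei.c:3595
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0xcb9/0x2940 fs/namei.c:3930
 do_filp_open+0x1c7/0x410 fs/namei.c:3960
 do_sys_openat2+0x164/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x140/0x1f0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
"""

# Assumed line formats, derived from the report above.
BUG_RE = re.compile(
    r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)(?P<inline> \[inline\])?$")
ACCESS_RE = re.compile(
    r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)$")
FRAME_RE = re.compile(
    r"^ (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?$")
# Frames belonging to the sanitizer's reporting path, not to the bug itself.
REPORTING_FRAME_PREFIXES = ("mm/kasan/", "lib/dump_stack.c")


@dataclass
class Frame:
    func: str
    loc: str        # "file:line", or "" when the frame has no source location
    inline: bool


@dataclass
class KasanReport:
    kind: str       # e.g. "use-after-free"
    access: str     # "Read" or "Write"
    size: int
    addr: str
    task: str
    pid: int
    frames: list = field(default_factory=list)

    @property
    def title(self) -> str:
        """Subject-line style title: kind, access, outermost non-inlined frame."""
        for f in self.frames:
            if not f.inline:
                return f"KASAN: {self.kind} {self.access} in {f.func}"
        return f"KASAN: {self.kind} {self.access}"

    def frames_in(self, path_prefix: str) -> list:
        """Frames whose source file lies under path_prefix (e.g. 'fs/ocfs2/')."""
        return [f for f in self.frames if f.loc.startswith(path_prefix)]


def parse_kasan_report(text: str) -> KasanReport:
    kind = access = addr = task = None
    size = pid = 0
    frames, in_trace = [], False
    for line in text.splitlines():
        if in_trace:
            if not line.strip():        # blank line ends the call trace
                in_trace = False
                continue
            m = FRAME_RE.match(line)
            if not m:                   # e.g. the " <TASK>" marker
                continue
            loc = m["loc"] or ""
            if loc.startswith(REPORTING_FRAME_PREFIXES):
                continue
            frames.append(Frame(m["func"], loc, bool(m["inline"])))
            continue
        m = BUG_RE.match(line)
        if m and kind is None:          # first BUG line names the bug kind
            kind = m["kind"]
            continue
        m = ACCESS_RE.match(line)
        if m:
            access, size = m["access"], int(m["size"])
            addr, task, pid = m["addr"], m["task"], int(m["pid"])
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
    if kind is None or access is None:
        raise ValueError("not a KASAN access report")
    return KasanReport(kind, access, size, addr, task, pid, frames)


if __name__ == "__main__":
    r = parse_kasan_report(KASAN_REPORT)
    print(r.title)
    for f in r.frames_in("fs/ocfs2/"):
        print(f"  {f.func} {f.loc}{' [inline]' if f.inline else ''}")
```

The `frames_in("fs/ocfs2/")` view isolates the subsystem frames (the allocator path from `ocfs2_create` down to `ocfs2_find_victim_chain`) from the generic VFS and syscall-entry frames, which is the part of the trace a maintainer wants first when deciding whether two reports are the same bug.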
