Message-ID: <Z-bYCp7CJqxVAdF9@li-dc0c254c-257c-11b2-a85c-98b6c1322444.ibm.com>
Date: Fri, 28 Mar 2025 22:40:34 +0530
From: Ojaswin Mujoo <ojaswin@...ux.ibm.com>
To: syzbot <syzbot+ee60e584b5c6bb229126@...kaller.appspotmail.com>
Cc: adilger.kernel@...ger.ca, jack@...e.cz, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, ritesh.list@...il.com,
        syzkaller-bugs@...glegroups.com, tytso@....edu
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent
 (4)

On Thu, Mar 27, 2025 at 04:44:03PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
> Author: Ojaswin Mujoo <ojaswin@...ux.ibm.com>
> Date:   Sat Mar 25 08:13:39 2023 +0000
> 
>     ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
> start commit:   1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123343f980000
> 
> Reported-by: syzbot+ee60e584b5c6bb229126@...kaller.appspotmail.com
> Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Okay, so I'm able to replicate this with the patch whereas it does not
hit without it, so the bisect seems right. 

In my environment, at the time the UAF hits, I also see the following logs:

[  139.893083][    T9] EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:0: !
[  139.894260][    T9] EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 17
[  139.894278][    T9] EXT4-fs (loop0): This should not happen!! Data will be lost
[  139.894278][    T9]

[  139.897505][ T1098] EXT4-fs error (device loop4): ext4_map_blocks:730: inode #15: block 131075: comm )
[  139.897607][ T1098] EXT4-fs (loop4): Delayed block allocation failed for inode 15 at logical offset 17
[  139.897624][ T1098] EXT4-fs (loop4): This should not happen!! Data will be lost

ext4_ext_split:1078 is

	   if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) {

and ext4_map_blocks:730 is check_block_validity failure in map blocks.
I'm still trying to make sense of the logs and the UAF and will update
when I have more information.

Regards,
ojaswin


