Message-ID: <769a3e07.13f8f.197fa09e50d.Coremail.baishuoran@hrbeu.edu.cn>
Date: Fri, 11 Jul 2025 23:10:41 +0800 (GMT+08:00)
From: 白烁冉 <baishuoran@...eu.edu.cn>
To: "Mark Fasheh" <mark@...heh.com>, "Joel Becker" <jlbec@...lplan.org>,
	"Joseph Qi" <joseph.qi@...ux.alibaba.com>
Cc: "Kun Hu" <huk23@...udan.edu.cn>, "Jiaji Qin" <jjtan24@...udan.edu.cn>,
	syzkaller@...glegroups.com, linux-kernel@...r.kernel.org
Subject: KASAN: use-after-free Read in __ocfs2_find_path

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (123rd) was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20slab-out-of-bounds%20Read%20in%20__ocfs2_find_path/123report.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20slab-out-of-bounds%20Read%20in%20__ocfs2_find_path/123repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/KASAN%3A%20slab-out-of-bounds%20Read%20in%20__ocfs2_find_path/123repro.txt

Our reproducer mounts a constructed filesystem image.

The error occurred around line 1848 of the code, where the function ocfs2_read_extent_block successfully read the extent block into buffer_head. After the reading was completed, the page was released by another process before accessing bh->b_data. When the code execution reached eb = (struct ocfs2_extent_block *) bh->b_data, the page pointed to by bh->b_data had already been freed.
We have reproduced this issue several times on 6.14.

If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x5b4/0x630
Read of size 4 at addr ffff88805ba57000 by task syz-executor251/9500

CPU: 0 UID: 0 PID: 9500 Comm: syz-executor251 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x116/0x1b0
 print_report+0xc1/0x630
 kasan_report+0x93/0xc0
 __ocfs2_find_path+0x5b4/0x630
 ocfs2_find_leaf+0x99/0x1f0
 ocfs2_get_clusters_nocache.isra.0+0x41d/0x1200
 ocfs2_get_clusters+0x313/0xbf0
 ocfs2_extent_map_get_blocks+0x180/0x640
 ocfs2_read_virt_blocks+0x271/0x9c0
 ocfs2_read_dir_block+0xb5/0x5a0
 ocfs2_find_entry_el+0x80d/0xed0
 ocfs2_find_entry+0x62b/0xe50
 ocfs2_find_files_on_disk+0xad/0x3b0
 ocfs2_lookup_ino_from_name+0x9c/0xf0
 ocfs2_get_system_file_inode+0x37f/0x890
 ocfs2_initialize_super.isra.0+0x1e24/0x3290
 ocfs2_fill_super+0x3ed/0x2f30
 get_tree_bdev_flags+0x38c/0x620
 vfs_get_tree+0x93/0x340
 path_mount+0x1290/0x1bc0
 do_mount+0xb4/0x110
 __x64_sys_mount+0x193/0x230
 do_syscall_64+0xcf/0x250
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f99f01f190e
Code: 83 c4 08 5b 5d c3 66 0f 1f 44 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeaa955428 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f99f01f190e
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007ffeaa955440
RBP: 00007ffeaa955440 R08: 00007ffeaa955480 R09: 0000000000000000
R10: 0000000001000000 R11: 0000000000000282 R12: 000055555916c840
R13: 00007ffeaa955480 R14: 0000000001000000 R15: 0000000000000000
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f99e7c09 pfn:0x5ba57
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00016e9608 ffff88802b844e70 0000000000000000
raw: 00000007f99e7c09 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 9500, tgid 9500 (syz-executor251), ts 99773393775, free_ts 100039210186
 prep_new_page+0x1b0/0x1e0
 get_page_from_freelist+0x19a2/0x3250
 __alloc_frozen_pages_noprof+0x324/0x6b0
 alloc_pages_mpol+0x20a/0x550
 folio_alloc_mpol_noprof+0x38/0x2f0
 vma_alloc_folio_noprof+0xe4/0x1a0
 do_pte_missing+0x1402/0x4080
 __handle_mm_fault+0xebe/0x29c0
 handle_mm_fault+0x403/0xe00
 do_user_addr_fault+0x77e/0x1910
 exc_page_fault+0x98/0x170
 asm_exc_page_fault+0x26/0x30
page last free pid 9500 tgid 9500 stack trace:
 free_unref_folios+0xa87/0x1730
 folios_put_refs+0x4bd/0x760
 free_pages_and_swap_cache+0x318/0x460
 tlb_flush_mmu+0x168/0x750
 tlb_finish_mmu+0x97/0x3c0
 vms_clear_ptes.part.0+0x4c2/0x6b0
 vms_complete_munmap_vmas+0x709/0xa50
 do_vmi_align_munmap+0x647/0x810
 do_vmi_munmap+0x20b/0x3e0
 __vm_munmap+0x19a/0x390
 __x64_sys_munmap+0x59/0x80
 do_syscall_64+0xcf/0x250
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805ba56f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805ba56f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88805ba57000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88805ba57080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805ba57100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
2025/07/10 22:51:36 reproducing crash 'KASAN: slab-out-of-bounds Read in __ocfs2_find_path': final repro crashed as (corrupted=false):
loop0: detected capacity change from 0 to 32768
==================================================================  
thanks,
Kun Hu
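An added triage helper, not part of this report, of syzkaller or of the kernel tree: it parses the KASAN report text above into the bug kind, faulting frame, access details and the three stacks (call trace, page allocation, page free), and derives a bucket key plus the kernel entry point of each stack. The regexes, the prefix lists for reporting/syscall/page-fault frames and the entry_of/faulting_frame/bucket helpers are this example's own assumptions about the report format, not kernel or syzkaller APIs; SAMPLE_REPORT is an excerpt of the report in the message, trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line formats as printed by the kernel in the report above (assumed stable enough for triage).
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
PLUMBING = ("dump_stack", "print_report", "kasan_", "__kasan_", "__asan_")  # reporting, not the bug
SYSCALLS = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "__se_sys_", "__do_sys_")
PAGE_FAULT = ("asm_exc_page_fault", "exc_page_fault", "do_user_addr_fault")


@dataclass
class KasanReport:
    kind: str = ""             # e.g. "use-after-free"
    func: str = ""             # symbol on the BUG: line
    offset: int = 0            # offset into func on the BUG: line
    access: str = ""           # "Read" or "Write"
    access_size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    page_freed: bool = False   # "page_owner tracks the page as freed"
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    """Walk the report line by line; a blank line closes whichever stack is open."""
    r, section = KasanReport(), None
    for line in text.splitlines():
        if not line.strip():
            section = None
        elif (m := HEADER_RE.match(line)):
            r.kind, r.func, r.offset = m["kind"], m["func"], int(m["off"], 16)
        elif (m := ACCESS_RE.match(line)):
            r.access, r.access_size = m["rw"], int(m["n"])
            r.addr, r.task, r.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            section = "call"
        elif line.startswith("page_owner tracks the page as freed"):
            r.page_freed = True
        elif line.startswith("page last allocated"):
            section = "alloc"
        elif line.startswith("page last free"):
            section = "free"
        elif line.startswith("Memory state around"):
            section = None
        elif section and (m := FRAME_RE.match(line)):
            getattr(r, section + "_trace").append(m["sym"])   # frames only; RIP:/Code: lines skipped
    return r


def entry_of(trace: List[str]) -> Optional[str]:
    """How the kernel was entered for a stack: the syscall symbol, 'page_fault', or None."""
    for sym in trace:
        if sym.startswith(SYSCALLS):
            return sym
    return "page_fault" if any(s.startswith(PAGE_FAULT) for s in trace) else None


def faulting_frame(r: KasanReport) -> str:
    """First call-trace frame that is not KASAN/dump_stack plumbing."""
    return next((s for s in r.call_trace if not s.startswith(PLUMBING)), r.func)


def bucket(r: KasanReport) -> str:
    """Dedup key: bug kind plus the faulting function."""
    return f"{r.kind}:{faulting_frame(r)}"


# Excerpt of the report in the message above, trimmed to the lines this parser reads.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __ocfs2_find_path+0x5b4/0x630
Read of size 4 at addr ffff88805ba57000 by task syz-executor251/9500

Call Trace:
 <TASK>
 dump_stack_lvl+0x116/0x1b0
 print_report+0xc1/0x630
 kasan_report+0x93/0xc0
 __ocfs2_find_path+0x5b4/0x630
 ocfs2_find_leaf+0x99/0x1f0
 ocfs2_get_clusters_nocache.isra.0+0x41d/0x1200
 ocfs2_fill_super+0x3ed/0x2f30
 __x64_sys_mount+0x193/0x230
RIP: 0033:0x7f99f01f190e
 </TASK>

page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 9500, tgid 9500 (syz-executor251), ts 99773393775, free_ts 100039210186
 prep_new_page+0x1b0/0x1e0
 do_pte_missing+0x1402/0x4080
 asm_exc_page_fault+0x26/0x30
page last free pid 9500 tgid 9500 stack trace:
 free_unref_folios+0xa87/0x1730
 __vm_munmap+0x19a/0x390
 __x64_sys_munmap+0x59/0x80
"""

if __name__ == "__main__":
    print(bucket(parse_kasan_report(SAMPLE_REPORT)))
```

On this report the three stacks enter the kernel by different paths (mount(2) for the bad access, a user page fault for the allocation of the page, munmap(2) for its free), which is the first thing a triager wants to see next to the faulting frame. Note also that the syzkaller log line above names the crash "slab-out-of-bounds" while the final report says "use-after-free", so a key built from the kind alone would split one bug across buckets; the function name is the more stable half of the key.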