Message-ID: <CAFRLqsU-k2GYx4D9HUmu+tSTvmMbY_ea9aYwE+2yvHwLP_+JDQ@mail.gmail.com>
Date: Mon, 21 Jul 2025 11:29:36 +0800
From: cen zhang <zzzccc427@...il.com>
To: cem@...nel.org
Cc: linux-kernel@...r.kernel.org, baijiaju1990@...il.com, 
	zhenghaoran154@...il.com, r33s3n6@...il.com, gality365@...il.com, 
	linux-xfs@...r.kernel.org
Subject: [BUG] xfs: Assertion failed in xfs_iwalk_args triggered by XFS_IOC_INUMBERS

Hello maintainers,

This is a bug report for a kernel BUG found by Syzkaller on the XFS filesystem.

The crash occurs on kernel 6.16.0-rc6 at git commit 155a3c003e55. It
is an assertion failure in xfs_iwalk_args.constprop.0() located in
fs/xfs/xfs_iwalk.c:548.

The assertion that fails is !(flags & ~XFS_IWALK_FLAGS_ALL). This
seems to be triggered by an ioctl call with the command
XFS_IOC_INUMBERS (0x80405880), where the provided arguments contain
invalid flags.

Here is the full kernel oops log:
================================================================
kernel BUG at fs/xfs/xfs_message.c:102!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 3 UID: 0 PID: 281 Comm: syz-executor167 Not tainted
6.16.0-rc6-00002-g155a3c003e55 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:assfail+0x9d/0xa0 fs/xfs/xfs_message.c:102
Code: 75 22 e8 76 88 3a ff 90 0f 0b 90 5b 5d 41 5c 41 5d e9 87 2d 78
02 48 c7 c7 78 af c3 89 e8 eb 59 6f ff eb ca e8 54 88 3a ff 90 <0f> 0b
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f
RSP: 0018:ffff8881107877c0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff86122a6c
RDX: ffff8881114e9e80 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10220f0e8d
R10: 0000000000000001 R11: 737341203a534658 R12: ffffffff88bcbee0
R13: 0000000000000224 R14: ffffffff8611baf0 R15: 0000000000000000
FS:  00005555560fd3c0(0000) GS:ffff8882652aa000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000010 CR3: 000000012023a000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 xfs_iwalk_args.constprop.0+0x325/0x3e0 fs/xfs/xfs_iwalk.c:548
 xfs_inobt_walk+0x11c/0x170 fs/xfs/xfs_iwalk.c:758
 xfs_inumbers+0x294/0x3a0 fs/xfs/xfs_itable.c:471
 xfs_ioc_inumbers.constprop.0+0x1d1/0x2b0 fs/xfs/xfs_ioctl.c:340
 xfs_file_ioctl+0x11b1/0x1c40 fs/xfs/xfs_ioctl.c:1241
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa8/0x270 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f444b67600d
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffbb37fa88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fffbb37fc88 RCX: 00007f444b67600d
RDX: 0000000020000080 RSI: 0000000080405880 RDI: 0000000000000004
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007fffbb37fc88
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fffbb37fc78 R14: 00007f444b6f3530 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:assfail+0x9d/0xa0 fs/xfs/xfs_message.c:102
Code: 75 22 e8 76 88 3a ff 90 0f 0b 90 5b 5d 41 5c 41 5d e9 87 2d 78
02 48 c7 c7 78 af c3 89 e8 eb 59 6f ff eb ca e8 54 88 3a ff 90 <0f> 0b
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f
RSP: 0018:ffff8881107877c0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff86122a6c
RDX: ffff8881114e9e80 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10220f0e8d
R10: 0000000000000001 R11: 737341203a534658 R12: ffffffff88bcbee0
R13: 0000000000000224 R14: ffffffff8611baf0 R15: 0000000000000000
FS:  00005555560fd3c0(0000) GS:ffff8882652aa000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000010 CR3: 000000012023a000 CR4: 00000000000006f0
journal-offline (282) used greatest stack depth: 25016 bytes left
================================================================

Below is a C reproducer generated by Syzkaller:
================================================================
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff}; /* fd returned by the second open() */

int main(void)
{
  /* syzkaller's fixed scratch layout: guard page, 16 MiB RWX data area, guard page */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  /* first open() of the directory on the XFS mount; its result is discarded */
  memcpy((void*)0x20000000, "/mnt/xfs/testdir\000", 17);
  syscall(__NR_open, /*dir=*/0x20000000ul, /*flags=*/0x8441ul, /*mode=*/0ul);
  /* second open(), O_RDONLY, supplies the fd used for the ioctl below */
  memcpy((void*)0x20000040, "/mnt/xfs/testdir\000", 17);
  res = syscall(__NR_open, /*dir=*/0x20000040ul, /*flags=*/0ul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;
  /* argument buffer for XFS_IOC_INUMBERS: three 64-bit words, the second
     one carrying the flag bits the report identifies as invalid */
  *(uint64_t*)0x20000080 = 0;
  *(uint64_t*)0x20000088 = 0x8000000000000005;
  *(uint64_t*)0x20000090 = 0;
  /* ioctl(fd, XFS_IOC_INUMBERS = 0x80405880, arg): trips the assertion in xfs_iwalk_args */
  syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80405880, /*arg=*/0x20000080ul);
  return 0;
}
================================================================

Best regards,
Cen Zhang
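Decoding the reproducer's ioctl argument, as an added example that is not part of the report or of syzkaller's output: the three raw 64-bit stores at 0x20000080 are reinterpreted as struct xfs_bulk_ireq, the argument type XFS_IOC_INUMBERS takes (the oops register dump shows the same call, RSI = 0x80405880 and RDX = 0x20000080). The struct layout and the XFS_BULK_IREQ_* bit values are assumed from the kernel's xfs_fs.h and mirrored locally, since the report itself only says the arguments contain invalid flags.

```c
/* Added example, not from the report or syzkaller: decode the reproducer's
 * three raw 64-bit stores at 0x20000080 into struct xfs_bulk_ireq (the
 * XFS_IOC_INUMBERS argument). Layout and flag bits are ASSUMED from xfs_fs.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bulk_ireq {            /* assumed mirror of struct xfs_bulk_ireq */
    uint64_t ino;             /* I/O: start with this inode */
    uint32_t flags;           /* I/O: XFS_BULK_IREQ_* operation flags */
    uint32_t icount;          /* I: entries the output buffer can hold */
    uint32_t ocount;          /* O: entries the kernel filled in */
    uint32_t agno;            /* I: AG to walk when the AGNO flag is set */
    uint64_t reserved[5];     /* must be zero */
};

#define BULK_IREQ_AGNO    (1U << 0)   /* assumed bit values */
#define BULK_IREQ_SPECIAL (1U << 1)
#define BULK_IREQ_NREXT64 (1U << 2)

/* Lay the bytes out exactly as the reproducer's *(uint64_t*) stores do (little-endian
 * host assumed, as on the x86-64 crash machine); bytes never written stay zero. */
static struct bulk_ireq decode_reproducer_ireq(void)
{
    uint64_t words[3] = { 0, 0x8000000000000005ULL, 0 };
    struct bulk_ireq req = { 0 };
    memcpy(&req, words, sizeof(words));
    return req;
}

/* Name the flag bits so a triager can read the request at a glance;
 * any bit outside the assumed set is reported as UNKNOWN. */
static const char *describe_flags(uint32_t flags)
{
    static char buf[64];
    snprintf(buf, sizeof(buf), "%s%s%s%s",
             (flags & BULK_IREQ_AGNO)    ? " AGNO"    : "",
             (flags & BULK_IREQ_SPECIAL) ? " SPECIAL" : "",
             (flags & BULK_IREQ_NREXT64) ? " NREXT64" : "",
             (flags & ~(BULK_IREQ_AGNO | BULK_IREQ_SPECIAL | BULK_IREQ_NREXT64)) ? " UNKNOWN" : "");
    return buf[0] ? buf + 1 : "none";
}

int main(void)
{
    struct bulk_ireq req = decode_reproducer_ireq();
    printf("ino=%llu flags=0x%x (%s) icount=0x%x agno=%u\n", (unsigned long long)req.ino,
           req.flags, describe_flags(req.flags), req.icount, req.agno);
    return 0;
}
```

Run on any host it prints the decoded header (flags 0x5, icount 0x80000000), which is the concrete request a maintainer would compare against the ioctl's documented contract.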
