lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20251005160518.10000-1-ssranevjti@gmail.com>
Date: Sun,  5 Oct 2025 21:35:18 +0530
From: ssrane_b23@...vjti.ac.in
To: kent.overstreet@...ux.dev
Cc: linux-bcachefs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	syzbot+55c84106264e92ea9ada@...kaller.appspotmail.com,
	Shaurya Rane <ssrane_b23@...vjti.ac.in>,
	syzbot+564efbe31172fe908429@...kaller.appspotmail.com
Subject: [PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

From: Shaurya Rane <ssrane_b23@...vjti.ac.in>

When mounting a corrupted bcachefs filesystem, KASAN detects a
use-after-free in the error reporting path. This occurs due to a race
between error reporting and key deletion during fsck.

The sequence of events:

1. extent_ptr_validate() detects an invalid extent pointer with a
   corrupt disk offset
2. It calls __bch2_bkey_fsck_err() to report the error
3. The fsck logic decides to delete the corrupt key
4. Meanwhile, __bch2_bkey_fsck_err() calls bch2_bkey_val_to_text()
5. This traverses the extent entries via bch2_extent_ptr_to_text()
6. sector_to_bucket_and_offset() is called with the corrupt offset
7. Memory access occurs on data being concurrently freed

The crash happens in bch2_extent_ptr_to_text() when it attempts to
validate bucket boundaries using already-freed extent pointer data.

Replace bch2_bkey_val_to_text() with bch2_bpos_to_text() to print
only the key position (inode, offset, snapshot) instead of traversing
potentially corrupt or freed extent metadata. The position is part of
the key header and remains safe to read even as the extent data is
being freed. The specific validation error is still printed in the
subsequent lines, providing sufficient context for debugging.

Tested successfully locally using syzbot provided reproducer

Reported-by: syzbot+564efbe31172fe908429@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=564efbe31172fe908429
Fixes: d97de0d017cd ("bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()")
Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
---
 fs/bcachefs/error.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c
index 267e73d9d7e6..b0bf08915aa2 100644
--- a/fs/bcachefs/error.c
+++ b/fs/bcachefs/error.c
@@ -688,7 +688,7 @@ int __bch2_bkey_fsck_err(struct bch_fs *c,
 	bch2_btree_id_to_text(&buf, from.btree);
 	prt_printf(&buf, " level=%u: ", from.level);
 
-	bch2_bkey_val_to_text(&buf, c, k);
+	bch2_bpos_to_text(&buf, k.k->p);
 	prt_newline(&buf);
 
 	va_list args;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ