https://bugzilla.kernel.org/show_bug.cgi?id=205609 --- Comment #1 from Tristan (tristmd@xxxxxxxxx) --- BUG 1 - UAF write in __ext4_expand_extra_isize === KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924 Write of size 189 Details: BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924 Write of size 189 at addr ffff88802232ffa0 by task syz-executor.1/2654 CPU: 0 PID: 2654 Comm: syz-executor.1 Not tainted 5.4.0-rc2 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x75/0xae lib/dump_stack.c:113 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:634 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192 memset+0x1f/0x40 mm/kasan/common.c:105 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline] ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052 ext4_ext_truncate+0x8b/0x1d0 fs/ext4/extents.c:4583 ext4_truncate+0x974/0xf30 fs/ext4/inode.c:4511 ext4_evict_inode+0x73f/0xf80 fs/ext4/inode.c:289 evict+0x2d3/0x640 fs/inode.c:574 iput_final fs/inode.c:1563 [inline] ../.. NB: Full report attached BUG 2 - OOB write === EXT4-fs error (device sda): htree_dirblock_to_tree:1025: inode #15297: block 10531: comm syz-fuzzer: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0, size=4096 BUG: KASAN: out-of-bounds in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924 Write of size 991 at addr ffff8880177a1fa0 by task syz-executor.3/443 CPU: 1 PID: 443 Comm: syz-executor.3 Not tainted 5.4.0-rc2 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x75/0xae lib/dump_stack.c:113 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:634 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192 memset+0x1f/0x40 mm/kasan/common.c:105 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline] ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052 ext4_dirty_inode+0x71/0xa0 fs/ext4/inode.c:6086 __mark_inode_dirty+0x3d4/0xd30 fs/fs-writeback.c:2255 generic_update_time+0x1b4/0x2d0 fs/inode.c:1667 update_time fs/inode.c:1683 [inline] touch_atime+0x20e/0x270 fs/inode.c:1754 file_accessed include/linux/fs.h:2202 [inline] iterate_dir+0x2e5/0x540 fs/readdir.c:70 ksys_getdents64+0x11a/0x230 fs/readdir.c:372 __do_sys_getdents64 fs/readdir.c:391 [inline] __se_sys_getdents64 fs/readdir.c:388 [inline] __x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:388 do_syscall_64+0x9a/0x330 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x483157 Code: 04 48 81 ec 80 00 00 00 e8 b6 12 f9 ff 48 81 c4 80 00 00 00 5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 bc ff ff ff f7 d8 64 89 02 48 RSP: 002b:00007ffd2d74f558 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 0000000001dcdc30 RCX: 0000000000483157 RDX: 0000000000008000 RSI: 0000000001dcdc60 RDI: 0000000000000004 RBP: 0000000001dcdc60 R08: 0000000000000003 R09: 0000000000000076 R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffbc R13: 0000000000000016 R14: 00000000004a54ec R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea00005de840 refcount:2 mapcount:0 mapping:ffff888035848d78 index:0x4de 0xffffffff8aeb2e20 flags: 0x100000000002032(referenced|lru|active|private) raw: 0100000000002032 ffffea00005df188 ffffea0000d81d48 ffff888035848d78 raw: 00000000000004de ffff888023614000 00000002ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880177a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880177a1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880177a2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8880177a2080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880177a2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== NB: Full report attached -- You are receiving this mail because: You are watching the assignee of the bug.
