[Bug 215818] New: FUZZ: KASAN: slab-out-of-bounds in fs/ext4/xattr.c: ext4_xattr_set_entry()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.kernel.org/show_bug.cgi?id=215818

            Bug ID: 215818
           Summary: FUZZ: KASAN: slab-out-of-bounds in fs/ext4/xattr.c:
                    ext4_xattr_set_entry()
           Product: File System
           Version: 2.5
    Kernel Version: 5.18-rc1, 5.4.X
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wenqingliu0120@xxxxxxxxx
        Regression: No

Created attachment 300714
  --> https://bugzilla.kernel.org/attachment.cgi?id=300714&action=edit
poc and .config

- Overview 
KASAN: slab-out-of-bounds in fs/ext4/xattr.c: ext4_xattr_set_entry() when mount
and operate a corrupted image

- Reproduce 
tested on kernel 5.18-rc1, 5.4.X

# mkdir test_crash
# cd test_crash 
# unzip tmp37.zip
# mkdir mnt
# ./single_test.sh ext4 37

- Kernel dump

[  220.523685] loop3: detected capacity change from 0 to 32768
[  220.567579] EXT4-fs (loop3): mounted filesystem with ordered data mode.
Quota mode: none.
[  220.567594] ext4 filesystem being mounted at /home/wq/test_crashes/mnt
supports timestamps until 2038 (0x7fffffff)
[  220.740936]
==================================================================
[  220.741129] BUG: KASAN: slab-out-of-bounds in
ext4_xattr_set_entry+0x189f/0x3530
[  220.741257] Write of size 4286513180 at addr ffff88811e105be4 by task
tmp37/1223

[  220.741410] CPU: 2 PID: 1223 Comm: tmp37 Not tainted 5.18.0-rc1 #1
[  220.741507] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[  220.741641] Call Trace:
[  220.741700]  <TASK>
[  220.741739]  dump_stack_lvl+0x45/0x5a
[  220.741807]  print_report.cold+0xef/0x67b
[  220.741875]  ? __stack_depot_save+0x1e7/0x530
[  220.741982]  ? ext4_xattr_set_entry+0x189f/0x3530
[  220.742081]  kasan_report+0xa9/0x120
[  220.742163]  ? kasan_save_stack+0x1/0x40
[  220.742247]  ? ext4_xattr_set_entry+0x189f/0x3530
[  220.742346]  kasan_check_range+0x140/0x1b0
[  220.742436]  memset+0x20/0x40
[  220.742507]  ext4_xattr_set_entry+0x189f/0x3530
[  220.742605]  ? _raw_spin_unlock+0x15/0x30
[  220.742696]  ? find_revoke_record+0x14e/0x1a0
[  220.742792]  ? __brelse+0x66/0x80
[  220.742867]  ? jbd2_journal_cancel_revoke+0x35b/0x4c0
[  220.742974]  ? __jbd2_journal_file_buffer+0x2b2/0x5e0
[  220.743081]  ? ext4_xattr_release_block+0x7c0/0x7c0
[  220.743195]  ? kasan_unpoison+0x3e/0x70
[  220.743310]  ? __kasan_slab_alloc+0x52/0xc0
[  220.743403]  ? __kasan_kmalloc+0xa9/0xd0
[  220.743489]  ? __kmalloc+0x18e/0x330
[  220.743566]  ? ext4_xattr_block_set+0x1205/0x27f0
[  220.743666]  ext4_xattr_block_set+0xd53/0x27f0
[  220.743759]  ? _raw_spin_lock_irq+0xe0/0xe0
[  220.743852]  ? folio_mark_accessed+0x5c/0x420
[  220.743946]  ? __find_get_block+0x1a3/0x8b0
[  220.744037]  ? ext4_xattr_block_find.isra.0+0x650/0x650
[  220.744146]  ? __getblk_gfp+0x2d/0x880
[  220.744228]  ? jbd2_write_access_granted+0x164/0x1f0
[  220.744334]  ? xattr_find_entry+0x198/0x270
[  220.744424]  ? ext4_xattr_block_find.isra.0+0x44b/0x650
[  220.744543]  ext4_xattr_set_handle+0xd63/0x12d0
[  220.744639]  ? new_slab+0x23a/0x450
[  220.744723]  ? ext4_xattr_ibody_set+0x270/0x270
[  220.744824]  ? kmem_cache_alloc+0x152/0x4c0
[  220.744912]  ? down_read+0x126/0x210
[  220.748153]  __ext4_set_acl+0x2d3/0x560
[  220.751357]  ext4_set_acl+0x27c/0x450
[  220.754540]  ? ext4_get_acl+0x5f0/0x5f0
[  220.757613]  ? posix_xattr_acl+0x56/0x70
[  220.760561]  ? set_posix_acl+0x11f/0x2a0
[  220.763439]  __vfs_removexattr+0xdb/0x130
[  220.766245]  ? __vfs_getxattr+0x120/0x120
[  220.768374]  ? ima_inode_removexattr+0x2d/0xb0
[  220.770249]  __vfs_removexattr_locked+0x17e/0x380
[  220.772099]  ? path_removexattr+0x81/0x140
[  220.773484]  vfs_removexattr+0xc9/0x230
[  220.774828]  ? __vfs_removexattr_locked+0x380/0x380
[  220.776210]  ? strncpy_from_user+0x5e/0x240
[  220.777482]  removexattr+0x9f/0xf0
[  220.778594]  ? vfs_removexattr+0x230/0x230
[  220.779717]  ? __check_object_size+0x2a5/0x370
[  220.780834]  ? kasan_quarantine_put+0x55/0x180
[  220.781956]  ? preempt_count_add+0x79/0x150
[  220.782891]  ? __mnt_want_write+0x15e/0x240
[  220.783832]  ? mnt_want_write+0xca/0x240
[  220.784759]  path_removexattr+0x111/0x140
[  220.785685]  ? removexattr+0xf0/0xf0
[  220.786605]  ? do_sys_truncate.part.0+0x82/0x100
[  220.787468]  ? fpregs_assert_state_consistent+0x4a/0xb0
[  220.788276]  __x64_sys_removexattr+0x55/0x80
[  220.789084]  ? syscall_exit_to_user_mode+0x22/0x40
[  220.789895]  do_syscall_64+0x38/0x90
[  220.790701]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  220.791522] RIP: 0033:0x7f17b36a176d
[  220.792304] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
[  220.793868] RSP: 002b:00007ffc3185af58 EFLAGS: 00000286 ORIG_RAX:
00000000000000c5
[  220.794685] RAX: ffffffffffffffda RBX: 7876354364585078 RCX:
00007f17b36a176d
[  220.795517] RDX: ffffffffffffff80 RSI: 00007ffc3185b060 RDI:
00007ffc3185c380
[  220.796344] RBP: 00007ffc31863b60 R08: 00007ffc31863c58 R09:
00007ffc31863c58
[  220.797164] R10: 00007ffc31863c58 R11: 0000000000000286 R12:
794f746f48686843
[  220.797907] R13: 49616e6972484539 R14: 394f554a34587135 R15:
6957562f36675555
[  220.798660]  </TASK>

[  220.800131] Allocated by task 1223:
[  220.800866]  kasan_save_stack+0x1e/0x40
[  220.800869]  __kasan_kmalloc+0xa9/0xd0
[  220.800872]  __kmalloc+0x18e/0x330
[  220.800873]  ext4_xattr_block_set+0x1205/0x27f0
[  220.800876]  ext4_xattr_set_handle+0xd63/0x12d0
[  220.800878]  __ext4_set_acl+0x2d3/0x560
[  220.800880]  ext4_set_acl+0x27c/0x450
[  220.800882]  __vfs_removexattr+0xdb/0x130
[  220.800885]  __vfs_removexattr_locked+0x17e/0x380
[  220.800887]  vfs_removexattr+0xc9/0x230
[  220.800889]  removexattr+0x9f/0xf0
[  220.800891]  path_removexattr+0x111/0x140
[  220.800893]  __x64_sys_removexattr+0x55/0x80
[  220.800896]  do_syscall_64+0x38/0x90
[  220.800898]  entry_SYSCALL_64_after_hwframe+0x44/0xae

[  220.801618] The buggy address belongs to the object at ffff88811e105800
                which belongs to the cache kmalloc-1k of size 1024
[  220.803007] The buggy address is located 996 bytes inside of
                1024-byte region [ffff88811e105800, ffff88811e105c00)

[  220.805048] The buggy address belongs to the physical page:
[  220.805745] page:00000000e7ab286d refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11e100
[  220.805752] head:00000000e7ab286d order:3 compound_mapcount:0
compound_pincount:0
[  220.805754] flags:
0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[  220.805759] raw: 0017ffffc0010200 0000000000000000 dead000000000122
ffff888100042dc0
[  220.805764] raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
[  220.805765] page dumped because: kasan: bad access detected

[  220.806453] Memory state around the buggy address:
[  220.807149]  ffff88811e105b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  220.807811]  ffff88811e105b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  220.808462] >ffff88811e105c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[  220.809120]                    ^
[  220.809773]  ffff88811e105c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[  220.810450]  ffff88811e105d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[  220.811119]
==================================================================
[  220.811845] Disabling lock debugging due to kernel taint
[  220.826595] EXT4-fs error (device loop3): ext4_mb_mark_diskspace_used:3821:
comm kworker/u8:0: Allocating blocks 8434-8441 which overlap fs metadata
[  220.828184] EXT4-fs (loop3): Delayed block allocation failed for inode 13 at
logical offset 1 with max blocks 7 with error 117
[  220.829979] EXT4-fs (loop3): This should not happen!! Data will be lost

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.



[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux