https://bugzilla.kernel.org/show_bug.cgi?id=215838

            Bug ID: 215838
           Summary: FUZZ: KASAN: use-after-free in fs/ext4/namei.c:ext4_insert_dentry() when mount and operate on a corrupted image
           Product: File System
           Version: 2.5
    Kernel Version: 5.18-rc1, 5.4.171
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wenqingliu0120@xxxxxxxxx
        Regression: No

Created attachment 300760
  --> https://bugzilla.kernel.org/attachment.cgi?id=300760&action=edit
poc and .config

- Overview

KASAN: use-after-free in fs/ext4/namei.c:ext4_insert_dentry() when mounting and operating on a corrupted image

- Reproduce

tested on kernel 5.18-rc1, 5.4.X

# mkdir test_crash
# cd test_crash
# unzip tmp42.zip
# mkdir mnt
# ./single_test.sh ext4 42

Sometimes you need to unzip the file again and run it several times to reproduce.

- Kernel dump

[ 188.103345] loop6: detected capacity change from 0 to 32768
[ 188.156064] EXT4-fs (loop6): mounted filesystem with ordered data mode. Quota mode: none.
[ 188.158361] ext4 filesystem being mounted at /home/wq/test_crashes/mnt supports timestamps until 2038 (0x7fffffff)
[ 188.296756] ==================================================================
[ 188.298129] BUG: KASAN: use-after-free in ext4_insert_dentry+0x37c/0x650
[ 188.300278] Write of size 96 at addr ffff888147adeffc by task tmp42/1272
[ 188.303236] CPU: 2 PID: 1272 Comm: tmp42 Tainted: G      D           5.18.0-rc1 #1
[ 188.304687] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 188.306164] Call Trace:
[ 188.307646]  <TASK>
[ 188.309062]  dump_stack_lvl+0x45/0x5a
[ 188.310454]  print_report.cold+0xef/0x67b
[ 188.311799]  ? ext4_insert_dentry+0x37c/0x650
[ 188.313123]  kasan_report+0xa9/0x120
[ 188.314513]  ? ext4_insert_dentry+0x37c/0x650
[ 188.315834]  kasan_check_range+0x140/0x1b0
[ 188.317135]  memcpy+0x39/0x60
[ 188.318420]  ext4_insert_dentry+0x37c/0x650
[ 188.319709]  add_dirent_to_buf+0x201/0x8a0
[ 188.321023]  ? ext4_handle_dirty_dirblock+0x450/0x450
[ 188.322385]  ? ext4_insert_dentry+0x650/0x650
[ 188.323661]  ? __ext4_journal_get_write_access+0x17c/0x3b0
[ 188.324932]  ext4_dx_add_entry+0x31b/0x2d30
[ 188.326221]  ? __ext4_handle_dirty_metadata+0xdd/0x670
[ 188.327453]  ? add_dirent_to_buf+0x8a0/0x8a0
[ 188.328674]  ? ext4_mark_iloc_dirty+0x55b/0x19d0
[ 188.329921]  ? ext4_reserve_inode_write+0x157/0x220
[ 188.331130]  ext4_add_entry+0x5f2/0xa90
[ 188.332425]  ? ext4_expand_extra_isize+0x540/0x540
[ 188.333742]  ? make_indexed_dir+0x10f0/0x10f0
[ 188.335031]  ? ext4_init_new_dir+0x2e8/0x410
[ 188.336230]  ext4_mkdir+0x368/0x920
[ 188.337373]  ? ext4_init_new_dir+0x410/0x410
[ 188.338545]  ? from_kgid+0x84/0xc0
[ 188.339644]  vfs_mkdir+0x498/0x800
[ 188.340728]  do_mkdirat+0x1c1/0x230
[ 188.341799]  ? do_file_open_root+0x3e0/0x3e0
[ 188.342825]  ? getname_flags+0xfd/0x4e0
[ 188.343827]  __x64_sys_mkdir+0x61/0x80
[ 188.344795]  do_syscall_64+0x38/0x90
[ 188.345759]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 188.346699] RIP: 0033:0x7f24fdc5076d
[ 188.347629] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
[ 188.349559] RSP: 002b:00007ffe582e1108 EFLAGS: 00000217 ORIG_RAX: 0000000000000053
[ 188.350493] RAX: ffffffffffffffda RBX: 58666e5745624249 RCX: 00007f24fdc5076d
[ 188.351401] RDX: 00007f24fdc5076d RSI: ffffffffffffff80 RDI: 00007ffe582e1650
[ 188.352313] RBP: 00007ffe582e5860 R08: 00007ffe582e5958 R09: 00007ffe582e5958
[ 188.353208] R10: 00007ffe582e5958 R11: 0000000000000217 R12: 756d685933654469
[ 188.354109] R13: 00007ffe582e5950 R14: 4554477647466448 R15: 4e54356e77513250
[ 188.354958]  </TASK>
[ 188.356588] The buggy address belongs to the physical page:
[ 188.357409] page:0000000079ad8a85 refcount:2 mapcount:0 mapping:00000000b7222df2 index:0x97 pfn:0x147ade
[ 188.358294] memcg:ffff8881250b8000
[ 188.359118] aops:def_blk_aops ino:700006
[ 188.359928] flags: 0x17ffffc0002032(referenced|lru|active|private|node=0|zone=2|lastcpupid=0x1fffff)
[ 188.360791] raw: 0017ffffc0002032 ffffea00051a5008 ffffea00051eb548 ffff888100480b80
[ 188.361686] raw: 0000000000000097 ffff88810b1c87e0 00000002ffffffff ffff8881250b8000
[ 188.362561] page dumped because: kasan: bad access detected
[ 188.364302] Memory state around the buggy address:
[ 188.365189]  ffff888147adef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 188.366115]  ffff888147adef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 188.367012] >ffff888147adf000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.367924]                    ^
[ 188.368835]  ffff888147adf080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.369794]  ffff888147adf100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.370723] ==================================================================
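An added repro harness around the reporter's steps; it is not part of the bug report or of attachment 300760. It assumes tmp42.zip and single_test.sh from the attachment are in the current directory, that `unzip -o` restores a fresh copy of the image before each attempt (the report says the crash does not fire every time), that single_test.sh may leave mnt mounted, and that the kernel was built with CONFIG_KASAN so the report reaches the kernel log. The log-filtering helpers are pure text functions, so they can be checked without root or the image; `reproduce` itself needs root and should only be run in a throwaway VM, since a hit leaves the kernel tainted.

```shell
#!/bin/sh
# Added harness (not from the bug report). Loops the reporter's sequence
# (unzip, mkdir mnt, ./single_test.sh ext4 42) and stops at the first attempt
# whose kernel log contains the ext4_insert_dentry KASAN signature.

KASAN_SIG='KASAN: use-after-free in ext4_insert_dentry'

# has_ext4_insert_dentry_uaf: exit 0 if the log text on stdin carries the
# signature of this bug, 1 otherwise. Text-only, needs no privileges.
has_ext4_insert_dentry_uaf() {
    grep -q "$KASAN_SIG"
}

# log_since: keep only "[ <seconds>]"-stamped lines from stdin whose timestamp
# is >= $1, so each attempt inspects just the log written after it started.
# Lines without a kernel timestamp are dropped.
log_since() {
    awk -v t="$1" '
        match($0, /^\[ *[0-9]+\.[0-9]+\]/) {
            ts = substr($0, RSTART, RLENGTH); gsub(/[\[\] ]/, "", ts)
            if (ts + 0 >= t + 0) print
        }'
}

# uptime_seconds: current kernel clock, paired with log_since above.
uptime_seconds() {
    cut -d' ' -f1 /proc/uptime
}

# reproduce: run the reporter's steps up to $1 times (default 10);
# returns 0 on the first KASAN hit, 1 if none was seen.
reproduce() {
    max="${1:-10}"
    i=1
    while [ "$i" -le "$max" ]; do
        start=$(uptime_seconds)
        unzip -o -q tmp42.zip            # assumption: restores a fresh image
        mkdir -p mnt
        ./single_test.sh ext4 42 || true # a non-zero exit is tolerated here
        # Assumption: single_test.sh may leave the image mounted on mnt;
        # unmount so the next attempt starts from the freshly extracted copy.
        if mountpoint -q mnt; then
            umount mnt
        fi
        if dmesg | log_since "$start" | has_ext4_insert_dentry_uaf; then
            echo "KASAN report on attempt $i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no KASAN report after $max attempts"
    return 1
}

# Only drive the real reproduction when the attachment is actually present.
if [ -f tmp42.zip ] && [ -x single_test.sh ]; then
    reproduce 10
fi
```

Run it from the directory holding the extracted attachment, as root, on a KASAN-enabled guest. Filtering by the attempt's start timestamp matters because a single KASAN report from an earlier attempt stays in the ring buffer and would otherwise make every later attempt look like a hit.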