Syzkaller reports use-after-free Read as follows:
------------[ cut here ]------------
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
Read of size 4 at addr ffff8880715ee014 by task syz-executor352/3611
CPU: 0 PID: 3611 Comm: syz-executor352 Not tainted 5.19.0-rc1-syzkaller-00263-g1c27f1fc1549 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322
reiserfs_find_entry fs/reiserfs/namei.c:368 [inline]
reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368
__lookup_slow+0x24c/0x480 fs/namei.c:1701
lookup_one_len+0x16a/0x1a0 fs/namei.c:2730
reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980
reiserfs_fill_super+0x21bb/0x2fb0 fs/reiserfs/super.c:2176
mount_bdev+0x34d/0x410 fs/super.c:1367
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001c57b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x715ee
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c57bc8 ffff8880b9a403c0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
Memory state around the buggy address:
ffff8880715edf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880715edf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880715ee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880715ee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880715ee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
The root cause is that the value of rbound in bin_search_in_dir_item()
is out of bounds.
To be more specific, struct buffer_head's b_data field
contains the directory entry headers array, according to
set_de_item_location(). So the array's length should be less
than the size of b_data, or it may access the invalid memory.
This patch solves it by comparing the array's size with b_data's size.
Reported-by: syzbot+ffe24b1afbc4cb5ae8fb@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx>
---
fs/reiserfs/namei.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 3d7a35d6a18b..c4c056ffafde 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -33,7 +33,11 @@ static int bin_search_in_dir_item(struct reiserfs_dir_entry *de, loff_t off)
int rbound, lbound, j;
lbound = 0;
- rbound = ih_entry_count(ih) - 1;
+ if (ih_location(ih) + ih_entry_count(ih) * IH_SIZE >=
+ de->de_bh->b_size)
+ rbound = (de->de_bh->b_size - ih_location(ih)) / IH_SIZE - 1;
+ else
+ rbound = ih_entry_count(ih) - 1;
for (j = (rbound + lbound) / 2; lbound <= rbound;
j = (rbound + lbound) / 2) {
--
2.25.1
