Re: [syzbot] KASAN: use-after-free Read in LZ4_decompress_safe_partial

From: Gao Xiang
Date: Fri Oct 29 2021 - 11:34:53 EST


Hi,

(+cc Chengyang Fan)

On Fri, Oct 29, 2021 at 07:55:27AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 87066fdd2e30 Revert "mm/secretmem: use refcount_t instead ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10c2c88cb00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=59f3ef2b4077575
> dashboard link: https://syzkaller.appspot.com/bug?extid=63d688f1d899c588fb71
> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17032c4ab00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170f8c3cb00000
>
> The issue was bisected to:
>
> commit f86cf25a609107960cf05263e491463feaae1f99
> Author: Gao Xiang <gaoxiang25@xxxxxxxxxx>
> Date: Tue Aug 28 03:39:48 2018 +0000
>
> Revert "staging: erofs: disable compiling temporarile"
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11de0328b00000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=13de0328b00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15de0328b00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+63d688f1d899c588fb71@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: f86cf25a6091 ("Revert "staging: erofs: disable compiling temporarile"")
>
> ==================================================================
> BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
> BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
> BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
> BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xff8/0x1580 lib/lz4/lz4_decompress.c:469
> Read of size 2 at addr ffff88806dd1f000 by task kworker/u5:0/150
>
> CPU: 1 PID: 150 Comm: kworker/u5:0 Not tainted 5.15.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: erofs_unzipd z_erofs_decompressqueue_work
> Call Trace:
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
> print_address_description+0x66/0x3e0 mm/kasan/report.c:256
> __kasan_report mm/kasan/report.c:442 [inline]
> kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
> get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
> LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
> LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
> LZ4_decompress_safe_partial+0xff8/0x1580 lib/lz4/lz4_decompress.c:469
> z_erofs_lz4_decompress+0x4c3/0x1100 fs/erofs/decompressor.c:226
> z_erofs_decompress_generic fs/erofs/decompressor.c:354 [inline]
> z_erofs_decompress+0xa8e/0xe30 fs/erofs/decompressor.c:407
> z_erofs_decompress_pcluster+0x15e4/0x2550 fs/erofs/zdata.c:977
> z_erofs_decompress_queue fs/erofs/zdata.c:1055 [inline]
> z_erofs_decompressqueue_work+0x123/0x1a0 fs/erofs/zdata.c:1066
> process_one_work+0x853/0x1140 kernel/workqueue.c:2297
> worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
> kthread+0x453/0x480 kernel/kthread.c:319
> ret_from_fork+0x1f/0x30
>

It's quite similar to
https://lore.kernel.org/r/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@xxxxxx

But I'm not sure if Chengyang Fan is still working on this stuff.

Anyway, it can only be reproduced with specifically crafted compressed data.

Thanks,
Gao Xiang