KASAN: slab-out-of-bounds Read in ntfs_attr_find
From: Palash Oswal
Date: Tue Feb 21 2023 - 23:46:19 EST
Hello,
I found the following issue using syzkaller on:
HEAD commit : e60276b8c11ab4a8be23807bc67b04
8cfb937dfa (v6.0.8)
git tree: stable
C Reproducer : https://gist.github.com/oswalpalash/cb298c137f3dbfb95a609671a61103fb
Kernel .config :
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb
I found a related discussion in the past about a similar bug here :
https://groups.google.com/g/syzkaller-bugs/c/BFLa1ZwXyG0/m/UIh6Pl2GBAAJ
Console log :
loop3: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0xb87/0xce0
Read of size 2 at addr ffff888106fc30ab by task syz-executor.3/11599
CPU: 0 PID: 11599 Comm: syz-executor.3 Not tainted 6.0.8-pasta #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
print_report.cold+0xe5/0x63a
kasan_report+0x8a/0x1b0
ntfs_attr_find+0xb87/0xce0
ntfs_attr_lookup+0x1051/0x2040
ntfs_read_locked_inode+0xb0c/0x5ab0
ntfs_iget+0x12d/0x180
ntfs_fill_super+0x1ed0/0x8590
mount_bdev+0x34d/0x410
legacy_get_tree+0x105/0x220
vfs_get_tree+0x89/0x2f0
path_mount+0x121b/0x1cb0
do_mount+0xf3/0x110
__x64_sys_mount+0x18f/0x230
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0e85e9146e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0e849fda08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f0e85e9146e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f0e849fda60
RBP: 00007f0e849fdaa0 R08: 00007f0e849fdaa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f0e849fda60 R15: 0000000020000040
</TASK>
Allocated by task 1:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x85/0xb0
kmem_cache_alloc+0x204/0xcc0
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
sysfs_add_file_mode_ns+0x20f/0x3f0
internal_create_group+0x314/0xba0
internal_create_groups.part.0+0x90/0x140
sysfs_create_groups+0x25/0x50
kobject_add_internal+0x318/0x8f0
kobject_init_and_add+0x101/0x160
netdev_queue_update_kobjects+0x1fe/0x4e0
netdev_register_kobject+0x333/0x400
register_netdevice+0xbe9/0x1390
bond_create+0xb4/0x120
bonding_init+0x9f/0x114
do_one_initcall+0xfe/0x650
kernel_init_freeable+0x6c3/0x74c
kernel_init+0x1a/0x1d0
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888106fc3000
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 3 bytes to the right of
168-byte region [ffff888106fc3000, ffff888106fc30a8)
The buggy address belongs to the physical page:
page:ffffea00041bf0c0 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x106fc3
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 ffffea00041bc848 ffffea00041a9fc8 ffff88810006f200
raw: 0000000000000000 ffff888106fc3000 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE),
pid 1, tgid 1 (swapper/0), ts 8385653965, free_ts 0
prep_new_page+0x2c6/0x350
get_page_from_freelist+0xae9/0x3a80
__alloc_pages+0x321/0x710
cache_grow_begin+0x75/0x360
kmem_cache_alloc+0xb69/0xcc0
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
kernfs_create_dir_ns+0x48/0x150
sysfs_create_dir_ns+0x127/0x290
kobject_add_internal+0x2c9/0x8f0
kobject_init_and_add+0x101/0x160
net_rx_queue_update_kobjects+0x264/0x510
netdev_register_kobject+0x278/0x400
register_netdevice+0xbe9/0x1390
bond_create+0xb4/0x120
bonding_init+0x9f/0x114
page_owner free stack trace missing
Memory state around the buggy address:
ffff888106fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888106fc3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888106fc3080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
^
ffff888106fc3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888106fc3180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================