Re: [syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space

From: Muhammad Usama Anjum
Date: Thu Sep 07 2023 - 14:19:47 EST

Next message: Tim Chen: "[PATCH] sched/fair: Fix SMT4 group_smt_balance handling"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 05/15] drm/mediatek: Support alpha blending in display driver"
Next in thread: Muhammad Usama Anjum: "Re: [syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/14/23 4:50 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 06c2afb862f9 Linux 6.5-rc1
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d550a2a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=29fd3392a08741ef
> dashboard link: https://syzkaller.appspot.com/bug?extid=6e5f2db05775244c73b7
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11fc4702a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=172a98eca80000
The last crash on upstream/mainline happened at e6fda526d9db. On the latest
mainline 7ba2090ca64ea, there is no crash. I've searched on mailing lists
if some fix has been merged. I've not found anything. The same bug is
present on LTS kernels.

In fs/ext4/extents.c:

memmove(ex, ex+1,
(EXT_LAST_EXTENT(eh) - ex) * sizeof(struct ext4_extent));

When crash happens:
EXT_LAST_EXTENT(eh) = 0xFFFF888130260000
ex = 0xFFFF88813026006C

These are wrong values. EXT_LAST_EXTENT(eh) - ex results in negative value
as ex is bigger. The bigger ex is bug in itself. ex is the member of this
list with header eh. Any help would be much appreciated.

>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/b66ebf11f3d4/disk-06c2afb8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e277ce7d54f6/vmlinux-06c2afb8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5d0b981e9278/bzImage-06c2afb8.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/c48fda4748ae/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6e5f2db05775244c73b7@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> EXT4-fs error (device loop0) in ext4_mb_clear_bb:6537: Corrupt filesystem
> ==================================================================
> BUG: KASAN: out-of-bounds in ext4_ext_rm_leaf fs/ext4/extents.c:2736 [inline]
> BUG: KASAN: out-of-bounds in ext4_ext_remove_space+0x2482/0x4d90 fs/ext4/extents.c:2958
> Read of size 18446744073709551508 at addr ffff888073aea078 by task syz-executor420/6443
>
> CPU: 1 PID: 6443 Comm: syz-executor420 Not tainted 6.5.0-rc1-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> print_address_description mm/kasan/report.c:364 [inline]
> print_report+0x163/0x540 mm/kasan/report.c:475
> kasan_report+0x175/0x1b0 mm/kasan/report.c:588
> kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
> __asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
> ext4_ext_rm_leaf fs/ext4/extents.c:2736 [inline]
> ext4_ext_remove_space+0x2482/0x4d90 fs/ext4/extents.c:2958
> ext4_punch_hole+0x7a0/0xc10 fs/ext4/inode.c:3977
> ext4_fallocate+0x311/0x1f90 fs/ext4/extents.c:4706
> vfs_fallocate+0x551/0x6b0 fs/open.c:324
> do_vfs_ioctl+0x22cb/0x2b30 fs/ioctl.c:849
> __do_sys_ioctl fs/ioctl.c:868 [inline]
> __se_sys_ioctl+0x81/0x170 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7ff03605dce9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ff02dc072f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007ff0360e27c0 RCX: 00007ff03605dce9
> RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004
> RBP: 00007ff0360af678 R08: 00007ff02dc07700 R09: 0000000000000000
> R10: 00007ff02dc07700 R11: 0000000000000246 R12: 65766f6365726f6e
> R13: 0031656c69662f2e R14: 6f6f6c2f7665642f R15: 00007ff0360e27c8
> </TASK>
>
> The buggy address belongs to the physical page:
> page:ffffea0001ceba80 refcount:2 mapcount:0 mapping:ffff88801e21cd80 index:0x2b pfn:0x73aea
> memcg:ffff888141652000
> aops:def_blk_aops ino:700000
> flags: 0xfff00000002036(referenced|uptodate|lru|active|private|node=0|zone=1|lastcpupid=0x7ff)
> page_type: 0xffffffff()
> raw: 00fff00000002036 ffffea0001c164c8 ffffea0001f600c8 ffff88801e21cd80
> raw: 000000000000002b ffff8880729c1d98 00000002ffffffff ffff888141652000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 6428, tgid 6426 (syz-executor420), ts 165572616396, free_ts 165556735464
> set_page_owner include/linux/page_owner.h:31 [inline]
> post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1570
> prep_new_page mm/page_alloc.c:1577 [inline]
> get_page_from_freelist+0x31e8/0x3370 mm/page_alloc.c:3221
> __alloc_pages+0x255/0x670 mm/page_alloc.c:4477
> folio_alloc+0x1e/0x60 mm/mempolicy.c:2289
> filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
> __filemap_get_folio+0x323/0xa00 mm/filemap.c:1933
> grow_dev_page fs/buffer.c:1063 [inline]
> grow_buffers fs/buffer.c:1123 [inline]
> __getblk_slow fs/buffer.c:1150 [inline]
> __getblk_gfp+0x218/0x630 fs/buffer.c:1445
> sb_getblk_gfp include/linux/buffer_head.h:376 [inline]
> ext4_ext_grow_indepth fs/ext4/extents.c:1334 [inline]
> ext4_ext_create_new_leaf fs/ext4/extents.c:1435 [inline]
> ext4_ext_insert_extent+0xfe3/0x4e60 fs/ext4/extents.c:2102
> ext4_ext_map_blocks+0x1bdc/0x71d0 fs/ext4/extents.c:4306
> ext4_map_blocks+0xa2f/0x1cb0 fs/ext4/inode.c:621
> _ext4_get_block+0x238/0x6a0 fs/ext4/inode.c:763
> ext4_block_write_begin+0x53d/0x1570 fs/ext4/inode.c:1043
> ext4_write_begin+0x619/0x10b0
> ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2867
> generic_perform_write+0x31b/0x630 mm/filemap.c:3923
> ext4_buffered_write_iter+0xc6/0x350 fs/ext4/file.c:299
> page last free stack trace:
> reset_page_owner include/linux/page_owner.h:24 [inline]
> free_pages_prepare mm/page_alloc.c:1161 [inline]
> free_unref_page_prepare+0x903/0xa30 mm/page_alloc.c:2348
> free_unref_page_list+0x596/0x830 mm/page_alloc.c:2489
> release_pages+0x2193/0x2470 mm/swap.c:1042
> tlb_batch_pages_flush mm/mmu_gather.c:97 [inline]
> tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
> tlb_flush_mmu+0x100/0x210 mm/mmu_gather.c:299
> tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:391
> unmap_region+0x258/0x2a0 mm/mmap.c:2317
> do_vmi_align_munmap+0x135d/0x1630 mm/mmap.c:2556
> do_vmi_munmap+0x24d/0x2d0 mm/mmap.c:2623
> __vm_munmap+0x230/0x450 mm/mmap.c:2905
> __do_sys_munmap mm/mmap.c:2922 [inline]
> __se_sys_munmap mm/mmap.c:2919 [inline]
> __x64_sys_munmap+0x69/0x80 mm/mmap.c:2919
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Memory state around the buggy address:
> ffff888073ae9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888073ae9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ffff888073aea000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ^
> ffff888073aea080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888073aea100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to change bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup

--
BR,
Muhammad Usama Anjum

Next message: Tim Chen: "[PATCH] sched/fair: Fix SMT4 group_smt_balance handling"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 05/15] drm/mediatek: Support alpha blending in display driver"
Next in thread: Muhammad Usama Anjum: "Re: [syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]