Bug: slab-out-of-bounds Read in hfsplus_bnode_read
From: Kun Hu
Date: Thu Dec 26 2024 - 00:31:16 EST
Hello,
When using fuzzer tool to fuzz the latest Linux kernel, the following crash
was triggered.
HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
git tree: upstream
Console output: https://drive.google.com/file/d/15-pUlAQaNa1apmm9gsDSsfzdkcTYtmVN/view?usp=drive_link
Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1TUgttZR9cp21RgHqhzQiRlGnafQ9SLIj/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1v3qlPSNRIWP5fPyInSHsjo5f2g8sGA-i/view?usp=sharing
This bug seems to have been reported and fixed in the old kernel, which seems to be a regression issue? If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0xd6/0xe0 lib/crc-itu-t.c:60
Read of size 1 at addr ff11000013290000 by task syz-executor243/419
CPU: 2 UID: 0 PID: 419 Comm: syz-executor243 Not tainted 6.13.0-rc3 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcf/0x5f0 mm/kasan/report.c:489
kasan_report+0x93/0xc0 mm/kasan/report.c:602
crc_itu_t+0xd6/0xe0 lib/crc-itu-t.c:60
udf_finalize_lvid+0xe0/0x1e0 fs/udf/super.c:2039
udf_sync_fs+0xee/0x160 fs/udf/super.c:2384
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x110/0x2a0 fs/sync.c:30
generic_shutdown_super+0x74/0x380 fs/super.c:621
kill_block_super+0x3b/0x90 fs/super.c:1710
deactivate_locked_super+0xbb/0x130 fs/super.c:473
deactivate_super fs/super.c:506 [inline]
deactivate_super+0xb1/0xd0 fs/super.c:502
cleanup_mnt+0x378/0x510 fs/namespace.c:1373
task_work_run+0x173/0x280 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa68/0x2fe0 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa75df2f5a6
Code: Unable to access opcode bytes at 0x7fa75df2f57c.
RSP: 002b:00007ffe768a10b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa75dfb52d0 RCX: 00007fa75df2f5a6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 00007fa75dfb3720 R11: 0000000000000246 R12: 00007fa75dfb52d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x219 pfn:0x13290
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 ffd40000004ccbc8 ffd40000004ca448 0000000000000000
raw: 0000000000000219 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ff1100001328ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff1100001328ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff11000013290000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ff11000013290080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff11000013290100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: unable to handle page fault for address: ffe21c001864e9b8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7fdd7067 P4D 7fdd6067 PUD 7fdd5067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 419 Comm: syz-executor243 Tainted: G B 6.13.0-rc3 #3
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:udf_close_lvid+0x136/0x5e0 fs/udf/super.c:2090
Code: 8d 83 c0 00 00 00 31 f6 48 89 c7 48 89 44 24 08 e8 1f 68 92 06 49 8d 7f 18 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 14 11 48 89 f9 83 e1 07 38 ca 7f 08 84 d2 0f 85 ca 03 00 00
RSP: 0018:ffa0000003747bf0 EFLAGS: 00010216
RAX: 0000000000000000 RBX: ff11000008f94000 RCX: 1fe220001864e9b8
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: ff110000c3274dc0
RBP: ff110000120cd570 R08: 0000000000000000 R09: fffffbfff33379c3
R10: ffa0000003747bf0 R11: ffffffff999bce17 R12: ff1100000b5d4000
R13: ff11000013280400 R14: 0000000000000000 R15: ff110000c3274da8
FS: 0000000000000000(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffe21c001864e9b8 CR3: 00000000376f0002 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
<TASK>
udf_put_super+0x186/0x1e0 fs/udf/super.c:2366
generic_shutdown_super+0x14e/0x380 fs/super.c:642
kill_block_super+0x3b/0x90 fs/super.c:1710
deactivate_locked_super+0xbb/0x130 fs/super.c:473
deactivate_super fs/super.c:506 [inline]
deactivate_super+0xb1/0xd0 fs/super.c:502
cleanup_mnt+0x378/0x510 fs/namespace.c:1373
task_work_run+0x173/0x280 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa68/0x2fe0 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa75df2f5a6
Code: Unable to access opcode bytes at 0x7fa75df2f57c.
RSP: 002b:00007ffe768a10b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa75dfb52d0 RCX: 00007fa75df2f5a6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 00007fa75dfb3720 R11: 0000000000000246 R12: 00007fa75dfb52d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Modules linked in:
CR2: ffe21c001864e9b8
---[ end trace 0000000000000000 ]---
RIP: 0010:udf_close_lvid+0x136/0x5e0 fs/udf/super.c:2090
Code: 8d 83 c0 00 00 00 31 f6 48 89 c7 48 89 44 24 08 e8 1f 68 92 06 49 8d 7f 18 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 14 11 48 89 f9 83 e1 07 38 ca 7f 08 84 d2 0f 85 ca 03 00 00
RSP: 0018:ffa0000003747bf0 EFLAGS: 00010216
RAX: 0000000000000000 RBX: ff11000008f94000 RCX: 1fe220001864e9b8
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: ff110000c3274dc0
RBP: ff110000120cd570 R08: 0000000000000000 R09: fffffbfff33379c3
R10: ffa0000003747bf0 R11: ffffffff999bce17 R12: ff1100000b5d4000
R13: ff11000013280400 R14: 0000000000000000 R15: ff110000c3274da8
FS: 0000000000000000(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffe21c001864e9b8 CR3: 00000000376f0002 CR4: 0000000000771ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 8d 83 c0 00 00 00 lea 0xc0(%rbx),%eax
6: 31 f6 xor %esi,%esi
8: 48 89 c7 mov %rax,%rdi
b: 48 89 44 24 08 mov %rax,0x8(%rsp)
10: e8 1f 68 92 06 callq 0x6926834
15: 49 8d 7f 18 lea 0x18(%r15),%rdi
19: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
20: fc ff df
23: 48 89 f9 mov %rdi,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 0f b6 14 11 movzbl (%rcx,%rdx,1),%edx <-- trapping instruction
2e: 48 89 f9 mov %rdi,%rcx
31: 83 e1 07 and $0x7,%ecx
34: 38 ca cmp %cl,%dl
36: 7f 08 jg 0x40
38: 84 d2 test %dl,%dl
3a: 0f 85 ca 03 00 00 jne 0x40a
——————
Thanks,
Kun Hu