KASAN: use-after-free Read in poly1305_core_blocks

From: Liebes Wang
Date: Mon Dec 30 2024 - 01:28:53 EST


Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in poly1305_core_blocks**, discovered using a modified version of Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
The test case and kernel config are attached.

The KASAN report is (the full report is attached):

BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784

CPU: 0 UID: 0 PID: 33784 Comm: syz.0.5831 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xcb/0x620 mm/kasan/report.c:488
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 get_unaligned_le64 include/linux/unaligned.h:28 [inline]
 poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
 poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
 crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
 bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
 bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
 btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
 bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
 bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
 read_btree_roots fs/bcachefs/recovery.c:523 [inline]
 bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
 bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Feel free to reach out if additional information or clarifications are needed. We hope this report aids in identifying and fixing the bug.

Best regards,

Haichi Wang

Tianjin University

Attachment: report
Description: Binary data

Attachment: repro.c
Description: Binary data

Attachment: config
Description: Binary data
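As an added example (not part of the report above, nor kernel or syzkaller code), the following Python parser reads the KASAN report format shown in the e-mail: it extracts the bug class, the faulting access and the Call Trace, drops the frames that belong to KASAN's own report printer, and finds the first caller outside the crypto code, which is where a triager starts looking for the owner of the freed buffer (here the bcachefs btree read path). The input is the report quoted above with the CPU and Hardware lines omitted; `REPORTING_PREFIXES` and the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Sample input: the KASAN report from the e-mail above (CPU and Hardware lines omitted).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xcb/0x620 mm/kasan/report.c:488
 kasan_report+0xbd/0xf0 mm/kasan/report.c:601
 get_unaligned_le64 include/linux/unaligned.h:28 [inline]
 poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
 poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
 crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
 bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
 bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
 btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
 bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
 bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
 read_btree_roots fs/bcachefs/recovery.c:523 [inline]
 bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
 bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)$")
# A frame is "func[+off/size] [path:line] [[inline]]" with leading whitespace.
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+(?P<off>0x[0-9a-f]+/0x[0-9a-f]+))?"
                      r"(?: (?P<path>[\w/.-]+):(?P<line>\d+))?(?P<inline> \[inline\])?$")
REPORTING_PREFIXES = ("lib/dump_stack.c", "mm/kasan/")  # KASAN's own printer (assumed set)

@dataclass
class Frame:
    function: str
    path: Optional[str]  # None when the symbolizer printed no source location
    line: Optional[int]
    inline: bool

@dataclass
class KasanReport:
    bug_type: str
    access: str
    size: int
    addr: str
    comm: str
    pid: int
    frames: List[Frame]

def parse_kasan_report(text: str) -> KasanReport:
    """Parse the BUG/access header and the Call Trace of a KASAN report."""
    bug_type = access = addr = comm = None
    size = pid = 0
    frames: List[Frame] = []
    in_trace = False
    for line in text.splitlines():
        if (m := BUG_RE.match(line)) and bug_type is None:
            bug_type = m["bug"]  # the first BUG line names the innermost access site
        elif (m := ACCESS_RE.match(line)):
            access, size, addr = m["access"], int(m["size"]), m["addr"]
            comm, pid = m["comm"], int(m["pid"])
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append(Frame(m["func"], m["path"],
                                int(m["line"]) if m["line"] else None,
                                m["inline"] is not None))
    if bug_type is None or access is None:
        raise ValueError("not a KASAN report: BUG or access header missing")
    return KasanReport(bug_type, access, size, addr, comm, pid, frames)

def code_frames(report: KasanReport) -> List[Frame]:
    """The faulting path: all frames except those of KASAN's own report printer."""
    return [f for f in report.frames if not (f.path or "").startswith(REPORTING_PREFIXES)]

def fault_site(report: KasanReport) -> Frame:
    """Innermost frame of the faulting path, i.e. where the bad access happened."""
    return code_frames(report)[0]

def first_frame_excluding(report: KasanReport, prefixes: Sequence[str]) -> Optional[Frame]:
    """First caller outside the given directories; usually the owner of the bad buffer."""
    return next((f for f in code_frames(report)
                 if f.path and not f.path.startswith(tuple(prefixes))), None)
```

Run with `first_frame_excluding(report, ("include/", "lib/", "crypto/"))` to skip the generic crypto code and land on `bch2_checksum` in `fs/bcachefs/checksum.c`, the frame that passed the buffer to poly1305; the same call with a different prefix list works for any other library-in-the-middle report.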