Re: KASAN: use-after-free Read in poly1305_core_blocks

From: Ard Biesheuvel
Date: Mon Dec 30 2024 - 03:51:43 EST


(cc linux-bcachefs)



On Mon, 30 Dec 2024 at 07:28, Liebes Wang <wanghaichi0403@xxxxxxxxx> wrote:
>
> Dear Linux maintainers and reviewers:
>
> We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in poly1305_core_blocks**, discovered using a modified version of Syzkaller.
>

This looks like a bcachefs problem.


> Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
> The test case and kernel config are attached.
>
> The KASAN report is (the full report is attached):
>
> BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
> BUG: KASAN: use-after-free in poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
> BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
> Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
>
> CPU: 0 UID: 0 PID: 33784 Comm: syz.0.5831 Not tainted 6.12.0-rc6 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0xcb/0x620 mm/kasan/report.c:488
> kasan_report+0xbd/0xf0 mm/kasan/report.c:601
> get_unaligned_le64 include/linux/unaligned.h:28 [inline]
> poly1305_core_blocks lib/crypto/poly1305-donna64.c:64 [inline]
> poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
> crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
> bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
> bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
> btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
> bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
> __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
> bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
> read_btree_roots fs/bcachefs/recovery.c:523 [inline]
> bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
> bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
> bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
> vfs_get_tree+0x94/0x380 fs/super.c:1814
> do_new_mount fs/namespace.c:3507 [inline]
> path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
> do_mount fs/namespace.c:3847 [inline]
> __do_sys_mount fs/namespace.c:4057 [inline]
> __se_sys_mount fs/namespace.c:4034 [inline]
> __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Feel free to reach out if additional information or clarifications are needed. We hope this report aids in identifying and fixing the bug.
>
> Best regards,
>
> Haichi Wang
>
> Tianjin University
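The call trace in the report is what lets the reply point at bcachefs rather than at the Poly1305 code that faulted: the first frames outside the KASAN reporting path and the lib/crypto and crypto/ primitives are bch2_checksum and bch2_btree_node_read_done. As an added example that is not part of the thread, the following Python parses an excerpt of the quoted report (embedded inline, with the `> ` quoting removed) and performs that attribution mechanically; the GENERIC_PREFIXES list is my own triage heuristic, not a kernel convention.

```python
import re
# Excerpt of the KASAN report quoted in the thread, with the "> " quoting removed.
REPORT = """\
BUG: KASAN: use-after-free in get_unaligned_le64 include/linux/unaligned.h:28 [inline]
BUG: KASAN: use-after-free in poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
Read of size 8 at addr ff11000187440000 by task syz.0.5831/33784
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
kasan_report+0xbd/0xf0 mm/kasan/report.c:601
get_unaligned_le64 include/linux/unaligned.h:28 [inline]
poly1305_core_blocks+0x404/0x480 lib/crypto/poly1305-donna64.c:32
crypto_poly1305_update+0x83/0x1e0 crypto/poly1305_generic.c:93
bch2_checksum+0x1da/0x2a0 fs/bcachefs/checksum.c:238
bch2_btree_node_read_done+0xfa4/0x4e70 fs/bcachefs/btree_io.c:1101
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
# "func[+0xoff/0xsize] path/file.c:line [inline]"; the offset is absent on inlined frames.
FRAME_RE = re.compile(r"^(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+\.[ch]):(\d+)( \[inline\])?$")
# Heuristic (mine): frames that only report the access or run the generic primitive; none owns the buffer.
GENERIC_PREFIXES = ("lib/dump_stack.c", "mm/kasan/", "include/linux/", "lib/crypto/", "crypto/")

def parse_kasan_report(text):
    """Return bug type, faulting function, access details and the call-trace frames."""
    info = {"frames": []}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HEADER_RE.match(line):          # first BUG: line names the innermost function
            info.setdefault("bug_type", m.group(1))
            info.setdefault("fault_func", m.group(2))
        elif m := ACCESS_RE.match(line):
            info.update(access=m.group(1), size=int(m.group(2)), addr=m.group(3),
                        task=m.group(4), pid=int(m.group(5)))
        elif m := FRAME_RE.match(line):
            info["frames"].append({"func": m.group(1), "path": m.group(2),
                                   "line": int(m.group(3)), "inline": bool(m.group(4))})
    return info

def attribute_subsystem(frames):
    """First frame outside GENERIC_PREFIXES; its top two path components (e.g. fs/bcachefs)
    name the subsystem that owns the buffer and should receive the report."""
    for f in frames:
        if not f["path"].startswith(GENERIC_PREFIXES):
            return "/".join(f["path"].split("/")[:2]), f
    return None, None

if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    subsys, frame = attribute_subsystem(r["frames"])
    print(f"{r['bug_type']} {r['access']} in {r['fault_func']} -> {subsys} via {frame['func']}()")
```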