Bug: use-after-free in udf_statfs in fs/udf/super.c:2415
From: Kun Hu
Date: Wed Jan 01 2025 - 04:09:22 EST
Hello,
When using fuzzer tool to fuzz the latest Linux kernel, the following crash
was triggered.
HEAD commit: dbfac60febfa806abb2d384cb6441e77335d2799
git tree: upstream
Console output: https://drive.google.com/file/d/1-YGytaKuh9M4hI6x27YjsE0vSyRFngf5/view?usp=sharing
Kernel config: https://drive.google.com/file/d/1m1mk_YusR-tyusNHFuRbzdj8KUzhkeHC/view?usp=sharing
C reproducer: /
Syzlang reproducer: /
It seems that the issue originates from the udf_statfs function at line 2415, where
lvidiu might have been prematurely freed, leading to a Use-After-Free (UAF).
This could potentially pose some security risks. However, there is currently
no stable reproducer for this issue.
It is also unclear whether this might have been caused by a race condition, potentially
involving premature freeing in another thread.
Could you please help check if this needs to be addressed?
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>, Jiaji Qin <jjtan24@xxxxxxxxxxxxxx>
==================================================================
BUG: KASAN: use-after-free in udf_statfs+0x1203/0x12c0 fs/udf/super.c:2415
Read of size 4 at addr ff1100002fd1a468 by task syz.1.197/2973
CPU: 2 UID: 0 PID: 2973 Comm: syz.1.197 Not tainted 6.13.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcf/0x5f0 mm/kasan/report.c:489
kasan_report+0x93/0xc0 mm/kasan/report.c:602
udf_statfs+0x1203/0x12c0 fs/udf/super.c:2415
statfs_by_dentry+0x138/0x220 fs/statfs.c:66
vfs_statfs+0x44/0x2f0 fs/statfs.c:90
fd_statfs+0x49/0x90 fs/statfs.c:121
__do_sys_fstatfs+0x7a/0xf0 fs/statfs.c:214
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd696e1571d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd695a68ba8 EFLAGS: 00000246 ORIG_RAX: 000000000000008a
RAX: ffffffffffffffda RBX: 00007fd696fd7f80 RCX: 00007fd696e1571d
RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000004
RBP: 00007fd696e8a425 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd696fd7f8c R14: 00007fd696fd8018 R15: 00007fd695a68d40
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2442 pfn:0x2fd1a
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000002442 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ff1100002fd1a300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff1100002fd1a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ff1100002fd1a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ff1100002fd1a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff1100002fd1a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---------------
thanks,
Kun Hu