KASAN: slab-out-of-bounds Read in dtSearch in v6.14-rc4 kernel

From: Strforexc yn
Date: Sun Mar 02 2025 - 20:44:58 EST


Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the
following crash was triggered.

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: attachment
Reproduce: attachment

KASAN detects a slab-out-of-bounds read of size 1 at address
ffff88804ffbbcec in ciCompare (fs/jfs/jfs_dtree.c:3415), called from
dtSearch (fs/jfs/jfs_dtree.c:644). This occurs during a filesystem
lookup operation triggered by Syzkaller.
Location: The fault occurs in ciCompare, called from dtSearch when
comparing a search key against a leaf entry (p->slot[stbl[index]]).

Cause: The access at ffff88804ffbbcec exceeds the jfs_ip object’s
bounds, likely due to:
1. Invalid Index: stbl[index] may exceed p->header.nextindex,
accessing an invalid slot.
2. Buffer Overflow: ciCompare might read beyond p->slot[stbl[index]]
if the entry is corrupted or oversized.

Context: Syzkaller’s openat syscall likely provided a malformed
filename, corrupting the JFS directory tree or exposing a
bounds-checking flaw.

Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.

If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>
Reported-by: Jianzhou Zhao <xnxc22xnxc22@xxxxxx>
Reported-by: Haoran Liu <cherest_san@xxxxxxx>

==================================================================
BUG: KASAN: slab-out-of-bounds in ciCompare fs/jfs/jfs_dtree.c:3415 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x1fb4/0x2270 fs/jfs/jfs_dtree.c:644
Read of size 1 at addr ffff88804ffbbcec by task syz.2.30/11770

CPU: 0 UID: 0 PID: 11770 Comm: syz.2.30 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description.constprop.0+0x2c/0x420 mm/kasan/report.c:408
print_report+0xaa/0x270 mm/kasan/report.c:521
kasan_report+0xbd/0x100 mm/kasan/report.c:634
ciCompare fs/jfs/jfs_dtree.c:3415 [inline]
dtSearch+0x1fb4/0x2270 fs/jfs/jfs_dtree.c:644
jfs_lookup+0x18f/0x350 fs/jfs/namei.c:1461
lookup_open.isra.0+0x493/0x1540 fs/namei.c:3629
open_last_lookups+0x82c/0x13b0 fs/namei.c:3750
path_openat+0x182/0x6b0 fs/namei.c:3986
do_filp_open+0x1f8/0x460 fs/namei.c:4016
do_sys_openat2+0x16a/0x1d0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x140/0x200 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f25d7db85ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f25d8bcbf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f25d8045fa0 RCX: 00007f25d7db85ad
RDX: 00000000000026e1 RSI: 0000400000000400 RDI: ffffffffffffff9c
RBP: 00007f25d7e6a8d6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f25d8045fa0 R15: 00007f25d8bac000
</TASK>

The buggy address belongs to the object at ffff88804ffbb750
which belongs to the cache jfs_ip of size 2232
The buggy address is located 1436 bytes inside of
allocated 2232-byte region [ffff88804ffbb750, ffff88804ffbc008)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ffb8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88806eb1f601
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888042e3a000 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff88806eb1f601
head: 04fff00000000040 ffff888042e3a000 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff88806eb1f601
head: 04fff00000000003 ffffea00013fee01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask
0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE),
pid 11661, tgid 11657 (syz.3.22), ts 78200303477, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1a3/0x1d0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0x8a5/0xfa0 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x1d8/0x3b0 mm/page_alloc.c:4739
alloc_pages_mpol+0x1f2/0x550 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab+0x229/0x310 mm/slub.c:2587
___slab_alloc+0x7f3/0x12b0 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xc0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
kmem_cache_alloc_lru_noprof+0x27a/0x410 mm/slub.c:4183
jfs_alloc_inode+0x27/0x70 fs/jfs/super.c:105
alloc_inode+0x64/0x250 fs/inode.c:336
iget_locked+0x2e3/0x880 fs/inode.c:1487
jfs_iget+0x1e/0x4f0 fs/jfs/inode.c:29
jfs_lookup+0x287/0x350 fs/jfs/namei.c:1469
__lookup_slow+0x252/0x480 fs/namei.c:1793
lookup_slow fs/namei.c:1810 [inline]
walk_component+0x34c/0x5b0 fs/namei.c:2114
lookup_last fs/namei.c:2612 [inline]
path_lookupat+0x146/0x6c0 fs/namei.c:2636
page_owner free stack trace missing

Memory state around the buggy address:
ffff88804ffbbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804ffbbc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804ffbbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88804ffbbd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804ffbbd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Thanks,
Zhizhuo Tang

Attachment: repro.cprog
Description: Binary data

Attachment: repro.prog
Description: Binary data

Attachment: repro.log
Description: Binary data

Attachment: mount_0.gz
Description: GNU Zip compressed data

Attachment: log0
Description: Binary data
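As an added example (not part of this report and not the kernel's JFS code), a simplified C model of the check the "Cause" section calls for: validate every stbl entry against the page's slot bounds before any dtSearch-style dereference of p->slot[stbl[index]]. The struct layout, MODEL_MAXSLOT, and all model_* names are assumptions, not the kernel's dtpage_t; the sample pages are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a JFS dtree page (assumption, not the kernel's
 * dtpage_t): slot 0 is the header; stbl[] maps entry positions
 * 0..nextindex-1 to the slot number that dtSearch dereferences. */
#define MODEL_MAXSLOT 128
struct model_slot { uint8_t namlen; char name[22]; };
struct model_dtpage {
    uint8_t nextindex;              /* live entries in stbl */
    int8_t  stbl[MODEL_MAXSLOT];    /* signed, like the on-disk table */
    struct model_slot slot[MODEL_MAXSLOT];
};

/* Check the table before it is used for indexing: every live entry must
 * name a slot inside the page and not the header. Returns -1 when the
 * page is consistent, else the first bad stbl position. */
int model_validate_stbl(const struct model_dtpage *p)
{
    for (int i = 0; i < p->nextindex; i++)
        if (i >= MODEL_MAXSLOT || p->stbl[i] <= 0 || p->stbl[i] >= MODEL_MAXSLOT)
            return i;
    return -1;
}

/* Lookup that dereferences no slot until the table passes validation;
 * returns the slot holding key, or -1 when absent or the page is bad. */
int model_lookup(const struct model_dtpage *p, const char *key)
{
    size_t n = strlen(key);
    if (n > sizeof p->slot[0].name || model_validate_stbl(p) != -1)
        return -1;
    for (int i = 0; i < p->nextindex; i++) {
        const struct model_slot *e = &p->slot[p->stbl[i]];
        if (e->namlen == n && !memcmp(e->name, key, n))
            return p->stbl[i];
    }
    return -1;
}

/* Constructed sample page; corrupt sets stbl[1] to 0xF0 (-16 as s8),
 * a slot number pointing before the page, as a damaged image might. */
void model_build_page(struct model_dtpage *p, bool corrupt)
{
    memset(p, 0, sizeof *p);
    p->nextindex = 2;
    p->stbl[0] = 3; p->stbl[1] = 5;
    p->slot[3].namlen = 3; memcpy(p->slot[3].name, "bin", 3);
    p->slot[5].namlen = 3; memcpy(p->slot[5].name, "etc", 3);
    if (corrupt) p->stbl[1] = (int8_t)0xF0;
}
```

On the corrupt page the validator reports position 1 and the lookup refuses to index, which is the behaviour a real dtSearch would need to reach before touching the slot; the model does not reproduce the kernel's on-disk format or ciCompare itself.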