Potential Linux Crash: KASAN use-after-free Read in ext4_ext_remove_space in Linux kernel v6.13-rc5

From: Luka
Date: Wed Mar 05 2025 - 21:57:27 EST

Next message: Jain, Ayush: "Re: [PATCH v2] ktest: Fix Test Failures Due to Missing LOG_FILE Directories"
Previous message: Eric Biggers: "Re: [PATCH] x86/crc32: optimize tail handling for crc32c short inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear Linux Kernel Experts,

Hello!

I am a security researcher focused on testing Linux kernel
vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel,
we encountered a crash related to the fs/ext4 kernel module. We have
successfully captured the call trace information for this crash.

Unfortunately, we have not been able to reproduce the issue in our
local environment, so we are unable to provide a PoC (Proof of
Concept) at this time.

We fully understand the complexity and importance of Linux kernel
maintenance, and we would like to share this finding with you for
further analysis and confirmation of the root cause. Below is a
summary of the relevant information:

Kernel Version: v6.13.0-rc5

Kernel Module: fs/ext4/extents.c

————————————————CallTrace————————————————

BUG: KASAN: use-after-free in ext4_ext_rm_leaf fs/ext4/extents.c:2623 [inline]
BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3401/0x37f0
fs/ext4/extents.c:2961
Read of size 4 at addr ffff888116add7f8 by task syz-executor.5/9417

CPU: 2 UID: 0 PID: 9417 Comm: syz-executor.5 Not tainted
6.13.0-rc5-00012-g0bc21e701a6f #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x7b/0xa0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x660 mm/kasan/report.c:489
kasan_report+0xc6/0x100 mm/kasan/report.c:602
ext4_ext_rm_leaf fs/ext4/extents.c:2623 [inline]
ext4_ext_remove_space+0x3401/0x37f0 fs/ext4/extents.c:2961
ext4_ext_truncate+0x1c6/0x260 fs/ext4/extents.c:4466
ext4_truncate+0x6bb/0xea0 fs/ext4/inode.c:4217
ext4_evict_inode+0x64c/0x1330 fs/ext4/inode.c:263
evict+0x337/0x7c0 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput fs/inode.c:1972 [inline]
iput+0x4c3/0x6a0 fs/inode.c:1958
do_unlinkat+0x4fa/0x690 fs/namei.c:4594
__do_sys_unlink fs/namei.c:4635 [inline]
__se_sys_unlink fs/namei.c:4633 [inline]
__x64_sys_unlink+0xbc/0x100 fs/namei.c:4633
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f381a667b7b
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66
2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec5a26028 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f381a667b7b
RDX: 00007ffec5a26050 RSI: 00007ffec5a260e0 RDI: 00007ffec5a260e0
RBP: 00007ffec5a260e0 R08: 0000000000000000 R09: 00007ffec5a25eb0
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffec5a271e0
R13: 00007f381a72667b R14: 000000000002b7da R15: 000000000000001d
</TASK>

————————————————CallTrace————————————————

If you need more details or additional test results, please feel free
to let us know. Thank you so much for your attention! Please don't
hesitate to reach out if you have any suggestions or need further
communication.

Best regards,
Luka

Next message: Jain, Ayush: "Re: [PATCH v2] ktest: Fix Test Failures Due to Missing LOG_FILE Directories"
Previous message: Eric Biggers: "Re: [PATCH] x86/crc32: optimize tail handling for crc32c short inputs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]