KASAN: slab-out-of-bounds Read in ntfs_test_inode

From: Sanan Hasanov
Date: Wed Jan 25 2023 - 18:59:24 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc5-next-20230124
Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1gufgF45viKoO91FN6MNaC3yu_ZSC7cBS/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

ntfs: volume version 3.1.
==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: slab-out-of-bounds in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in NInoAttr fs/ntfs/inode.h:200 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_test_inode+0x9a/0x2f0 fs/ntfs/inode.c:55
Read of size 8 at addr ffff88804360fec0 by task syz-executor.0/7772

CPU: 0 PID: 7772 Comm: syz-executor.0 Not tainted 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x156/0x455 mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x144/0x190 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
NInoAttr fs/ntfs/inode.h:200 [inline]
ntfs_test_inode+0x9a/0x2f0 fs/ntfs/inode.c:55
find_inode+0xe4/0x220 fs/inode.c:916
ilookup5_nowait fs/inode.c:1429 [inline]
ilookup5 fs/inode.c:1458 [inline]
iget5_locked+0xb6/0x270 fs/inode.c:1239
ntfs_iget+0xa1/0x180 fs/ntfs/inode.c:168
load_and_check_logfile fs/ntfs/super.c:1216 [inline]
load_system_files fs/ntfs/super.c:1949 [inline]
ntfs_fill_super+0x5988/0x9250 fs/ntfs/super.c:2900
mount_bdev+0x351/0x410 fs/super.c:1359
legacy_get_tree+0x109/0x220 fs/fs_context.c:610
vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
do_new_mount fs/namespace.c:3031 [inline]
path_mount+0x675/0x1e20 fs/namespace.c:3361
do_mount fs/namespace.c:3374 [inline]
__do_sys_mount fs/namespace.c:3583 [inline]
__se_sys_mount fs/namespace.c:3560 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3560
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f815329176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8154488a08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f815329176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f8154488a60
RBP: 00007f8154488aa0 R08: 00007f8154488aa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f8154488a60 R15: 0000000020076700
</TASK>

Allocated by task 7394:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc_lru+0x20e/0x580 mm/slub.c:3483
__d_alloc+0x32/0x980 fs/dcache.c:1769
d_alloc+0x4e/0x240 fs/dcache.c:1849
__lookup_hash+0xc8/0x180 fs/namei.c:1598
filename_create+0x1d6/0x4a0 fs/namei.c:3809
do_mkdirat+0x9d/0x310 fs/namei.c:4053
__do_sys_mkdirat fs/namei.c:4076 [inline]
__se_sys_mkdirat fs/namei.c:4074 [inline]
__x64_sys_mkdirat+0x119/0x170 fs/namei.c:4074
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:488
__call_rcu_common.constprop.0+0x99/0x790 kernel/rcu/tree.c:2624
dentry_free+0xc3/0x160 fs/dcache.c:377
__dentry_kill+0x4c8/0x640 fs/dcache.c:621
dentry_kill fs/dcache.c:745 [inline]
dput+0x6b5/0xe10 fs/dcache.c:913
do_unlinkat+0x3ef/0x670 fs/namei.c:4319
__do_sys_unlink fs/namei.c:4364 [inline]
__se_sys_unlink fs/namei.c:4362 [inline]
__x64_sys_unlink+0xca/0x110 fs/namei.c:4362
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:488
__call_rcu_common.constprop.0+0x99/0x790 kernel/rcu/tree.c:2624
dentry_free+0xc3/0x160 fs/dcache.c:377
__dentry_kill+0x4c8/0x640 fs/dcache.c:621
shrink_dentry_list+0x12c/0x4f0 fs/dcache.c:1201
shrink_dcache_parent+0xa7/0x3f0 fs/dcache.c:1652
vfs_rmdir fs/namei.c:4125 [inline]
vfs_rmdir+0x2fa/0x630 fs/namei.c:4098
do_rmdir+0x329/0x390 fs/namei.c:4180
__do_sys_unlinkat fs/namei.c:4358 [inline]
__se_sys_unlinkat fs/namei.c:4352 [inline]
__x64_sys_unlinkat+0xef/0x130 fs/namei.c:4352
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88804360fd60
which belongs to the cache dentry of size 312
The buggy address is located 40 bytes to the right of
312-byte region [ffff88804360fd60, ffff88804360fe98)

The buggy address belongs to the physical page:
page:0000000042a7ca23 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4360e
head:0000000042a7ca23 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff88810021b2c0 ffffea00010d3280 dead000000000003
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88804360fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88804360fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804360fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88804360ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804360ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
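For triage of reports like the one above, it helps to confirm the report's own arithmetic and decode the shadow-memory dump rather than trust the summary line. The helper below is an added example, not code from the reporter or from the kernel tree: it parses the "Read of size", "belongs to the object", "cache ... of size" and "Memory state" lines of the report quoted above (copied into the REPORT string so it runs offline), recomputes the object's end address, the distance of the faulting address from it, and looks up the shadow byte covering the access. It assumes generic KASAN's layout of one shadow byte per 8-byte granule and the shadow values named in mm/kasan/kasan.h of the 6.x series (0xfc = slab redzone, 0xfb = freed slab object, and so on); the function names are this example's own.

```python
import re

# Constructed sample: the relevant lines of the KASAN report above, copied verbatim
# into a string so the helper can be run without the mailing-list page.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in ntfs_test_inode+0x9a/0x2f0 fs/ntfs/inode.c:55
Read of size 8 at addr ffff88804360fec0 by task syz-executor.0/7772
The buggy address belongs to the object at ffff88804360fd60
which belongs to the cache dentry of size 312
Memory state around the buggy address:
 ffff88804360fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88804360fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804360fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804360ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8  # generic KASAN: one shadow byte describes 8 bytes of kernel memory

# Shadow byte meanings as named in mm/kasan/kasan.h (6.x series). Values 0x01-0x07
# mean "only the first N bytes of this 8-byte granule are addressable".
SHADOW_LEGEND = {
    0x00: "addressable",
    0xfc: "slab redzone",
    0xfb: "freed slab object",
    0xfa: "freed slab object (free track set)",
    0xfe: "page redzone (kmalloc_large)",
    0xff: "freed page",
    0xf9: "global redzone",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
}


def parse_report(text):
    """Pull the access, object and shadow-memory facts out of a KASAN report."""
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16)}
    m = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    obj_start = int(m.group(1), 16)
    m = re.search(r"cache (\S+) of size (\d+)", text)
    obj = {"cache": m.group(1), "start": obj_start, "size": int(m.group(2))}
    # Each dump row is labelled with the memory address its first shadow byte covers;
    # the 16 bytes that follow describe 16 consecutive 8-byte granules.
    shadow = {}
    for line in text.splitlines():
        m = re.match(r"\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", line)
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                shadow[base + i * SHADOW_SCALE] = int(b, 16)
    return access, obj, shadow


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_LEGEND.get(value, f"unknown (0x{value:02x})")


def triage(text):
    """Cross-check the report's arithmetic and classify the faulting granule."""
    access, obj, shadow = parse_report(text)
    obj_end = obj["start"] + obj["size"]  # exclusive end of the slab object
    granule = access["addr"] & ~(SHADOW_SCALE - 1)  # start of the 8-byte granule hit
    value = shadow.get(granule)
    if access["addr"] < obj["start"]:
        where = f"{obj['start'] - access['addr']} bytes to the left of"
    elif access["addr"] >= obj_end:
        where = f"{access['addr'] - obj_end} bytes to the right of"
    else:
        where = "inside"
    return {
        "access": f"{access['kind']} of {access['size']} bytes",
        "object_end": obj_end,
        "offset_desc": f"{where} the {obj['size']}-byte {obj['cache']} object",
        "bytes_past_end": access["addr"] - obj_end,
        "shadow_byte": value,
        "shadow_meaning": describe_shadow(value) if value is not None else "not in dump",
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key}: {val}")
```

Run against the report above, the helper reproduces the kernel's own summary: the 312-byte dentry object ends at ffff88804360fe98, the 8-byte read at ffff88804360fec0 lands 40 bytes past that end, and the shadow byte for that granule is 0xfc, a slab redzone. Seeing the redzone value (rather than 0xfb or 0xfa) is what tells a triager this is a plain out-of-bounds read of live slab memory and not a use-after-free, which matches the path in the report where ntfs_test_inode() treats a dentry-cache object as an ntfs inode.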