KASAN: use-after-free Read in diFree

From: Sanan Hasanov
Date: Thu Feb 16 2023 - 16:44:29 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc7-next-20230213
Kernel config: https://drive.google.com/file/d/1yVvlPL4-MMdjARqrwJ0QoKuPv_3lFQIR/view?usp=sharing
Unfortunately, we do not have a reproducer yet.

Thank you!

Best regards,
Sanan Hasanov

==================================================================
BUG: KASAN: use-after-free in diFree+0x19b3/0x2b90
Read of size 4 at addr ffff888077b90004 by task syz-executor.2/24105

CPU: 5 PID: 24105 Comm: syz-executor.2 Not tainted 6.2.0-rc7-next-20230213+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x17f/0x260
print_report+0xc5/0x5e0
kasan_report+0xd7/0x110
__asan_report_load4_noabort+0x18/0x20
diFree+0x19b3/0x2b90
jfs_evict_inode+0x36d/0x430
evict+0x305/0x6f0
iput+0x541/0x8c0
diFreeSpecial+0x7b/0xa0
jfs_umount+0x13e/0x340
jfs_fill_super+0x9ab/0xc00
mount_bdev+0x332/0x400
jfs_do_mount+0x39/0x50
legacy_get_tree+0x10c/0x220
vfs_get_tree+0x92/0x360
path_mount+0x6cf/0x1fa0
__x64_sys_mount+0x2ae/0x340
do_syscall_64+0x39/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f592ba9176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f592cc8ca08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f592ba9176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f592cc8ca60
RBP: 00007f592cc8caa0 R08: 00007f592cc8caa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f592cc8ca60 R15: 00000000200000c0
</TASK>

The buggy address belongs to the physical page:
page:000000004cb7d93b refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77b90
flags: 0xfffe0000000000(node=0|zone=1|lastcpupid=0x3fff)
raw: 00fffe0000000000 ffffea0000594408 ffffe8ffffc82420 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888077b8ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888077b8ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888077b90000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
ffff888077b90080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888077b90100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
imap: 00000000fcdc15ea: 00000ecc 00000000 00000000 00000000
imap: 00000000d740174b: 00000000 00000001 00000000 00000000
ERROR: (device loop2): diFree: inum = 16, iagno = 0, nextiag = 0