Hi, there is a use-after-free bug in btrfsic_print_rem_link() in
fs/btrfs/check-integrity.c in the latest kernel; I reproduced it on
6.2.0-rc8.
Briefly: when btrfsic_unmount() is called during unmount, it frees the
integrity checker's blocks and block_links, and in verbose mode it prints
each link as it is removed:
btrfsic_unmount
```
void btrfsic_unmount(struct btrfs_fs_devices *fs_devices)
{
........
/*
* Don't care about keeping the lists' state up to date,
* just free all memory that was allocated dynamically.
* Free the blocks and the block_links.
*/
list_for_each_entry_safe(b_all, tmp_all, &state->all_blocks_list,
all_blocks_node) {
struct btrfsic_block_link *l, *tmp;
list_for_each_entry_safe(l, tmp, &b_all->ref_to_list,
node_ref_to) {
if (state->print_mask & BTRFSIC_PRINT_MASK_VERBOSE)
btrfsic_print_rem_link(state, l); ///// [1]
l->ref_cnt--;
if (0 == l->ref_cnt)
btrfsic_block_link_free(l);
}
.......
```
[1] If BTRFSIC_PRINT_MASK_VERBOSE is set in state->print_mask,
btrfsic_print_rem_link() is called to print the link being removed:
```
/*
 * Log the removal of one block link (verbose print mask only).
 *
 * Prints the link's remaining ref_cnt and, for both the referencing block
 * (block_ref_from) and the referenced block (block_ref_to): the block type
 * letter, logical bytenr, block device, physical bytenr and mirror number.
 *
 * Precondition: l, both blocks it points at, and the dev_state of each
 * block must all still be live -- this function reads ->dev_state->bdev
 * through both blocks. NOTE(review): in the KASAN report for this bug,
 * btrfsic_unmount() has already freed the dev_state objects
 * (btrfsic_dev_state_free, check-integrity.c:2824) by the time it walks
 * the block links and calls this function (check-integrity.c:2846), so
 * the dev_state dereferences below read freed memory; with KASAN disabled
 * the same read faults as a NULL-pointer dereference at address 0x8.
 * Fixing that belongs in the caller's teardown ordering, not here.
 */
static void btrfsic_print_rem_link(const struct btrfsic_state *state,
				   const struct btrfsic_block_link *l)
{
	pr_info("rem %u* link from %c @%llu (%pg/%llu/%d) to %c @%llu (%pg/%llu/%d)\n",
		l->ref_cnt,
		btrfsic_get_block_type(state, l->block_ref_from),
		l->block_ref_from->logical_bytenr,
		/* dev_state must not have been freed yet (see header comment) */
		l->block_ref_from->dev_state->bdev,
		l->block_ref_from->dev_bytenr, l->block_ref_from->mirror_num,
		btrfsic_get_block_type(state, l->block_ref_to),
		l->block_ref_to->logical_bytenr,
		l->block_ref_to->dev_state->bdev, l->block_ref_to->dev_bytenr,
		l->block_ref_to->mirror_num);
}
```
However, by the time [1] runs, the link's block_ref_from->dev_state and
block_ref_to->dev_state have already been freed: the "Freed by" stack
below shows btrfsic_dev_state_free() called from btrfsic_unmount()
(check-integrity.c:2824), earlier in the same function than the
block-link loop that reaches btrfsic_print_rem_link() (check-integrity.c:2846).
The `->dev_state->bdev` reads in btrfsic_print_rem_link() therefore touch
freed memory. With KASAN this is reported as a use-after-free; without
KASAN the same dereference of the freed dev_state shows up as a
NULL-pointer dereference at address 0x8 (see CR2 below). Note that the
print call at [1] is only reached when the verbose bit is set in
state->print_mask, so the crash requires the integrity checker's verbose
debug printing to be enabled on the mount. The fix presumably belongs in
btrfsic_unmount() -- e.g. walking and freeing the block links before the
dev_state objects are released -- rather than in the print helper, which
has no way to tell that its pointers are stale.
## Crash log
### With KASAN enabled:
==================================================================
BUG: KASAN: use-after-free in btrfsic_print_rem_link+0xd1/0x26f
fs/btrfs/check-integrity.c:2391
Read of size 8 at addr ffff888024ad0a08 by task syz-executor.2/8047
CPU: 0 PID: 8047 Comm: syz-executor.2 Not tainted 6.2.0-rc8 #130
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
btrfsic_print_rem_link+0xd1/0x26f fs/btrfs/check-integrity.c:2391
btrfsic_unmount.cold+0x10/0xfc fs/btrfs/check-integrity.c:2846
close_ctree+0xdba/0xe3d fs/btrfs/disk-io.c:4821
generic_shutdown_super+0x158/0x410 fs/super.c:492
kill_anon_super+0x3a/0x60 fs/super.c:1086
btrfs_kill_super+0x3c/0x50 fs/btrfs/super.c:2132
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1821e9202b
Code: Unable to access opcode bytes at 0x7f1821e92001.
RSP: 002b:00007fff08141548 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1821e9202b
RDX: 00007f1821e28980 RSI: 000000000000000a RDI: 00007fff08141610
RBP: 00007fff08141610 R08: 00007f1821efba15 R09: 00007fff081413d0
R10: 00000000fffffffb R11: 0000000000000246 R12: 00007f1821efb9ee
R13: 00007fff081426b0 R14: 0000555555a89d90 R15: 0000000000000032
</TASK>
Allocated by task 13803:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
kzalloc include/linux/slab.h:720 [inline]
btrfsic_dev_state_alloc fs/btrfs/check-integrity.c:417 [inline]
btrfsic_mount+0x572/0x1900 fs/btrfs/check-integrity.c:2772
open_ctree+0x3b9f/0x46ef fs/btrfs/disk-io.c:3858
btrfs_fill_super fs/btrfs/super.c:1151 [inline]
btrfs_mount_root.cold+0x15/0x162 fs/btrfs/super.c:1520
legacy_get_tree+0x109/0x220 fs/fs_context.c:610
vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
fc_mount fs/namespace.c:1149 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1179
vfs_kern_mount+0x40/0x60 fs/namespace.c:1166
btrfs_mount+0x23f/0x9e0 fs/btrfs/super.c:1580
legacy_get_tree+0x109/0x220 fs/fs_context.c:610
vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
do_new_mount fs/namespace.c:3145 [inline]
path_mount+0x132a/0x1e20 fs/namespace.c:3475
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount fs/namespace.c:3674 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 8047:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0xaf/0x3b0 mm/slub.c:3800
btrfsic_dev_state_free fs/btrfs/check-integrity.c:428 [inline]
btrfsic_unmount+0x30c/0x7c0 fs/btrfs/check-integrity.c:2824
close_ctree+0xdba/0xe3d fs/btrfs/disk-io.c:4821
generic_shutdown_super+0x158/0x410 fs/super.c:492
kill_anon_super+0x3a/0x60 fs/super.c:1086
btrfs_kill_super+0x3c/0x50 fs/btrfs/super.c:2132
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
### Without KASAN (the same read faults as a NULL-pointer dereference):
[ 50.746259][ C1] bio_end_io(err=0) for S @65536 (loop0/65536/1)
[ 50.760395][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @5287936 (loop0/5287936/1)
[ 50.763655][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @5345280 (loop0/5345280/1)
[ 50.764208][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @5292032 (loop0/5292032/1)
[ 50.764756][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @5308416 (loop0/5308416/1)
[ 50.765331][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @5255168 (loop0/5255168/1)
[ 50.765924][ T7972] rem 1* link from M @6881280 (loop0/6881280/0)
to M @6885376 (loop0/6885376/0)
[ 50.766607][ T7972] BUG: kernel NULL pointer dereference, address:
0000000000000008
[ 50.767072][ T7972] #PF: supervisor read access in kernel mode
[ 50.767415][ T7972] #PF: error_code(0x0000) - not-present page
[ 50.767756][ T7972] PGD 169a2067 P4D 169a2067 PUD fa7e067 PMD 0
[ 50.768201][ T7972] Oops: 0000 [#1] PREEMPT SMP
[ 50.768566][ T7972] CPU: 1 PID: 7972 Comm: btrfsic_print_r Not
tainted 6.2.0-rc8-00021-ge1c04510f521 #27
[ 50.769255][ T7972] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 50.769940][ T7972] RIP: 0010:btrfsic_print_rem_link+0x4e/0x69
[ 50.770338][ T7972] Code: 48 8b 56 10 48 c7 c7 60 3c d7 84 4c 8b 4e
18 48 8b 4e 20 8b 6b 04 4c 8b 42 08 0f b6 d0 41 8b 43 08 50 41 ff 73
18 49 8b 43 10 <ff> 70 08 43
[ 50.771696][ T7972] RSP: 0018:ffffc9000c99fd98 EFLAGS: 00010206
[ 50.772120][ T7972] RAX: 0000000000000000 RBX: ffff888050c0c420
RCX: 0000000000690000
[ 50.772685][ T7972] RDX: 000000000000004d RSI: ffff888048906840
RDI: ffffffff84d73c60
[ 50.773210][ T7972] RBP: 0000000000000001 R08: ffff888009568000
R09: 0000000000690000
[ 50.773786][ T7972] R10: 0000000000000044 R11: ffff888048906180
R12: ffff888017400000
[ 50.774327][ T7972] R13: ffff888048906840 R14: ffff8880489068a0
R15: ffff8880489068a8
[ 50.774886][ T7972] FS: 00000000018af880(0000)
GS:ffff88807ec00000(0000) knlGS:0000000000000000
[ 50.775492][ T7972] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.775946][ T7972] CR2: 0000000000000008 CR3: 000000000f97c000
CR4: 00000000000006e0
[ 50.776502][ T7972] Call Trace:
[ 50.776757][ T7972] <TASK>
[ 50.776963][ T7972] btrfsic_unmount.cold+0xb/0x66
[ 50.777308][ T7972] close_ctree+0x528/0x563
[ 50.777633][ T7972] ? evict_inodes+0x165/0x1c0
[ 50.777957][ T7972] generic_shutdown_super+0x78/0x120
[ 50.778321][ T7972] kill_anon_super+0xd/0x30
[ 50.778661][ T7972] btrfs_kill_super+0x11/0x20
[ 50.778997][ T7972] deactivate_locked_super+0x2b/0xa0
[ 50.779356][ T7972] cleanup_mnt+0xfb/0x150
[ 50.779650][ T7972] task_work_run+0x55/0x90
[ 50.779971][ T7972] exit_to_user_mode_prepare+0x23c/0x250
[ 50.780317][ T7972] syscall_exit_to_user_mode+0x1d/0x50
[ 50.780652][ T7972] do_syscall_64+0x46/0xb0
[ 50.780912][ T7972] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 50.781293][ T7972] RIP: 0033:0x45388b
[ 50.781553][ T7972] Code: 07 00 48 83 c4 08 5b 5d c3 66 0f 1f 44 00
00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6
00 00 00 0f 05 <48> 3d 01 f8
[ 50.782794][ T7972] RSP: 002b:00007ffe01182fe8 EFLAGS: 00000206
ORIG_RAX: 00000000000000a6
[ 50.783309][ T7972] RAX: 0000000000000000 RBX: 0000000000400530
RCX: 000000000045388b
[ 50.783776][ T7972] RDX: 00007ffe011830c9 RSI: 000000000000000a
RDI: 00007ffe011830c0
[ 50.784250][ T7972] RBP: 00007ffe011840d0 R08: 000000000049d071
R09: 00007ffe01182e80
[ 50.784735][ T7972] R10: 00000000fffffffb R11: 0000000000000206
R12: 0000000000405600
[ 50.785245][ T7972] R13: 0000000000000000 R14: 00000000004ce018
R15: 0000000000000000
[ 50.785774][ T7972] </TASK>
[ 50.785963][ T7972] Modules linked in:
[ 50.786231][ T7972] CR2: 0000000000000008
[ 50.787215][ T7972] ---[ end trace 0000000000000000 ]---
[ 50.787597][ T7972] RIP: 0010:btrfsic_print_rem_link+0x4e/0x69
[ 50.787940][ T7972] Code: 48 8b 56 10 48 c7 c7 60 3c d7 84 4c 8b 4e
18 48 8b 4e 20 8b 6b 04 4c 8b 42 08 0f b6 d0 41 8b 43 08 50 41 ff 73
18 49 8b 43 10 <ff> 70 08 43
[ 50.791030][ T7972] RSP: 0018:ffffc9000c99fd98 EFLAGS: 00010206
[ 50.791456][ T7972] RAX: 0000000000000000 RBX: ffff888050c0c420
RCX: 0000000000690000
[ 50.791979][ T7972] RDX: 000000000000004d RSI: ffff888048906840
RDI: ffffffff84d73c60
[ 50.792510][ T7972] RBP: 0000000000000001 R08: ffff888009568000
R09: 0000000000690000
[ 50.793027][ T7972] R10: 0000000000000044 R11: ffff888048906180
R12: ffff888017400000
[ 50.793565][ T7972] R13: ffff888048906840 R14: ffff8880489068a0
R15: ffff8880489068a8
[ 50.794083][ T7972] FS: 00000000018af880(0000)
GS:ffff88807ec00000(0000) knlGS:0000000000000000
[ 50.794630][ T7972] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.795035][ T7972] CR2: 00007f8e3403e148 CR3: 000000000f97c000
CR4: 00000000000006e0
[ 50.795527][ T7972] Kernel panic - not syncing: Fatal exception
[ 50.796040][ T7972] Kernel Offset: disabled
[ 50.796321][ T7972] Rebooting in 86400 seconds..
A reproducer is attached.
Regards,
butt3rflyh4ck.
--
Active Defense Lab of Venustech