2022-07-23 00:59:40

by Dipanjan Das

Subject: KASAN: slab-out-of-bounds Read in ntfs_get_ea

Hi,

We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: KASAN: slab-out-of-bounds Read in ntfs_get_ea
affected file: fs/ntfs3/xattr.c
kernel version: 5.19-rc6
kernel commit: 32346491ddf24599decca06190ebca03ff9de7f8
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=cd73026ceaed1402
crash reproducer: attached
======================================================
Crash log:
======================================================
[ 738.753019][T21243] BUG: KASAN: slab-out-of-bounds in ntfs_get_ea+0x5c3/0x610
[ 738.753838][T21243] Read of size 1 at addr ffff88802c60867d by task
syz-executor.2/21243
[ 738.754732][T21243]
[ 738.755004][T21243] CPU: 0 PID: 21243 Comm: syz-executor.2 Not
tainted 5.19.0-rc6-g2eae0556bb9d #1
[ 738.755983][T21243] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 738.757063][T21243] Call Trace:
[ 738.757440][T21243] <TASK>
[ 738.757773][T21243] dump_stack_lvl+0xcd/0x134
[ 738.758311][T21243] print_report.cold+0xe5/0x659
[ 738.758856][T21243] ? ntfs_get_ea+0x5c3/0x610
[ 738.759377][T21243] kasan_report+0x8a/0x1b0
[ 738.759879][T21243] ? ntfs_get_ea+0x5c3/0x610
[ 738.760398][T21243] ntfs_get_ea+0x5c3/0x610
[ 738.760907][T21243] ? ntfs_setxattr+0xb60/0xb60
[ 738.761012][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.761435][T21243] ? up_read+0x1a8/0x750
[ 738.762539][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.762989][T21243] ntfs_get_wsl_perm+0x94/0x360
[ 738.764007][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.764519][T21243] ? ni_enum_attr_ex+0x281/0x400
[ 738.765606][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.766129][T21243] ? ntfs_save_wsl_perm+0x3b0/0x3b0
[ 738.767148][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.767692][T21243] ? ni_fname_type.part.0+0x1e0/0x1e0
[ 738.768769][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.769341][T21243] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 738.771071][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 738.771682][T21243] ? indx_init+0x398/0x5d0
[ 738.772180][T21243] ? write_comp_data+0x1c/0x70
[ 738.772714][T21243] ntfs_iget5+0xe4a/0x3230
[ 738.773224][T21243] ? ntfs_write_end+0x840/0x840
[ 738.773766][T21243] ? indx_find_buffer+0x630/0x630
[ 738.774327][T21243] ? __kasan_kmalloc+0xb5/0xe0
[ 738.774861][T21243] dir_search_u+0x36a/0x3f0
[ 738.775369][T21243] ? ntfs_nls_to_utf16+0x800/0x800
[ 738.775945][T21243] ntfs_lookup+0x174/0x1e0
[ 738.776445][T21243] __lookup_slow+0x255/0x490
[ 738.776968][T21243] ? page_get_link+0x7c0/0x7c0
[ 738.777504][T21243] ? kasan_check_range+0x108/0x1f0
[ 738.778076][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 738.778690][T21243] walk_component+0x40f/0x6a0
[ 738.779215][T21243] ? handle_dots.part.0+0x1590/0x1590
[ 738.779812][T21243] ? walk_component+0x6a0/0x6a0
[ 738.780358][T21243] path_lookupat.isra.0+0x190/0x580
[ 738.780944][T21243] filename_lookup+0x1ca/0x410
[ 738.781480][T21243] ? may_linkat+0x480/0x480
[ 738.781990][T21243] ? do_raw_spin_lock+0x120/0x2d0
[ 738.782551][T21243] ? kasan_check_range+0x57/0x1f0
[ 738.783112][T21243] ? __lock_acquire+0x1829/0x5840
[ 738.783673][T21243] ? ___slab_alloc+0xb62/0x1140
[ 738.784216][T21243] vfs_statx+0x144/0x360
[ 738.784697][T21243] ? vfs_getattr+0x60/0x60
[ 738.785205][T21243] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 738.785791][T21243] ? lock_release+0xa1/0x6d0
[ 738.786306][T21243] ? find_held_lock+0x2d/0x110
[ 738.786842][T21243] do_statx+0xd9/0x160
[ 738.787304][T21243] ? __ia32_sys_readlink+0xb0/0xb0
[ 738.787877][T21243] ? __check_object_size+0x187/0x700
[ 738.788463][T21243] ? kasan_check_range+0x57/0x1f0
[ 738.789028][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 738.789642][T21243] ? __phys_addr_symbol+0x2c/0x70
[ 738.790161][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.790191][T21243] ? write_comp_data+0x1c/0x70
[ 738.791286][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.791788][T21243] ? __check_object_size+0x2de/0x700
[ 738.793408][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 738.794017][T21243] ? strncpy_from_user+0x287/0x3c0
[ 738.794588][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 738.795198][T21243] ? getname_flags+0x275/0x5b0
[ 738.795734][T21243] __x64_sys_statx+0x157/0x1b0
[ 738.796271][T21243] do_syscall_64+0x35/0xb0
[ 738.796773][T21243] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 738.797433][T21243] RIP: 0033:0x7f35e1a8d4ed
[ 738.797937][T21243] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3
0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
[ 738.800014][T21243] RSP: 002b:00007f35e2b8bbe8 EFLAGS: 00000246
ORIG_RAX: 000000000000014c
[ 738.800931][T21243] RAX: ffffffffffffffda RBX: 00007f35e1babf60
RCX: 00007f35e1a8d4ed
[ 738.801751][T16045] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 738.801778][T21243] RDX: 0000000000000100 RSI: 0000000020003cc0
RDI: 0000000000000005
[ 738.803406][T21243] RBP: 00007f35e1af92e1 R08: 0000000000000000
R09: 0000000000000000
[ 738.804260][T21243] R10: 0000000000000008 R11: 0000000000000246
R12: 0000000000000000
[ 738.805119][T21243] R13: 00007ffec4434f4f R14: 00007f35e1babf60
R15: 00007f35e2b8bd80
[ 738.805979][T21243] </TASK>
[ 738.806323][T21243]
[ 738.806589][T21243] Allocated by task 21243:
[ 738.807080][T21243] kasan_save_stack+0x1e/0x40
[ 738.807606][T21243] __kasan_kmalloc+0xb5/0xe0
[ 738.808118][T21243] __kmalloc+0x1c9/0x4c0
[ 738.808591][T21243] ntfs_read_ea+0x3dd/0x850
[ 738.809104][T21243] ntfs_get_ea+0x196/0x610
[ 738.809601][T21243] ntfs_get_wsl_perm+0x94/0x360
[ 738.810142][T21243] ntfs_iget5+0xe4a/0x3230
[ 738.810637][T21243] dir_search_u+0x36a/0x3f0
[ 738.811142][T21243] ntfs_lookup+0x174/0x1e0
[ 738.811639][T21243] __lookup_slow+0x255/0x490
[ 738.812152][T21243] walk_component+0x40f/0x6a0
[ 738.812675][T21243] path_lookupat.isra.0+0x190/0x580
[ 738.813256][T21243] filename_lookup+0x1ca/0x410
[ 738.813787][T21243] vfs_statx+0x144/0x360
[ 738.814264][T21243] do_statx+0xd9/0x160
[ 738.814727][T21243] __x64_sys_statx+0x157/0x1b0
[ 738.815267][T21243] do_syscall_64+0x35/0xb0
[ 738.815764][T21243] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 738.816411][T21243]
[ 738.816678][T21243] The buggy address belongs to the object at
ffff88802c608640
[ 738.816678][T21243] which belongs to the cache kmalloc-64 of size 64
[ 738.818144][T21243] The buggy address is located 61 bytes inside of
[ 738.818144][T21243] 64-byte region [ffff88802c608640, ffff88802c608680)
[ 738.819526][T21243]
[ 738.819792][T21243] The buggy address belongs to the physical page:
[ 738.820484][T21243] page:ffffea0000b18200 refcount:1 mapcount:0
mapping:0000000000000000 index:0xffff88802c608740 pfn:0x2c608
[ 738.821725][T21243] flags:
0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 738.822549][T21243] raw: 00fff00000000200 ffffea0000b230c8
ffff8880118406c8 ffff8880118427c0
[ 738.823479][T21243] raw: ffff88802c608740 0000000000100007
00000001ffffffff 0000000000000000
[ 738.824397][T21243] page dumped because: kasan: bad access detected
[ 738.825098][T21243] page_owner tracks the page as allocated
[ 738.825711][T21243] page last allocated via order 0, migratetype
Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), 5
[ 738.827628][T21243] prep_new_page+0x297/0x330
[ 738.828146][T21243] get_page_from_freelist+0x2142/0x3c80
[ 738.828756][T21243] __alloc_pages+0x321/0x710
[ 738.829276][T21243] alloc_pages+0x119/0x250
[ 738.829770][T21243] new_slab+0x2a9/0x3f0
[ 738.830238][T21243] ___slab_alloc+0xd5a/0x1140
[ 738.830757][T21243] __slab_alloc.isra.0+0x4d/0xa0
[ 738.831305][T21243] __kmalloc+0x3a9/0x4c0
[ 738.831776][T21243] tomoyo_encode2.part.0+0xec/0x3b0
[ 738.832353][T21243] tomoyo_encode+0x28/0x50
[ 738.832850][T21243] tomoyo_realpath_from_path+0x186/0x620
[ 738.833478][T21243] tomoyo_check_open_permission+0x26d/0x370
[ 738.834127][T21243] tomoyo_file_open+0x9d/0xc0
[ 738.834652][T21243] security_file_open+0x52/0x640
[ 738.835202][T21243] do_dentry_open+0x349/0x11f0
[ 738.835737][T21243] path_openat+0x1c51/0x2890
[ 738.836251][T21243] page last free stack trace:
[ 738.836329][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 738.836750][T21243] free_pcp_prepare+0x51f/0xd00
[ 738.838403][T21243] free_unref_page+0x19/0x5b0
[ 738.838926][T21243] __vunmap+0x6ff/0xaa0
[ 738.839011][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.839379][T21243] free_work+0x58/0x70
[ 738.840866][T21243] process_one_work+0x9cc/0x1650
[ 738.841425][T21243] worker_thread+0x623/0x1070
[ 738.841949][T21243] kthread+0x2e9/0x3a0
[ 738.842406][T21243] ret_from_fork+0x1f/0x30
[ 738.842904][T21243]
[ 738.843171][T21243] Memory state around the buggy address:
[ 738.843266][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 738.843770][T21243] ffff88802c608500: fc fc fc fc fc fc fc fc 00
00 00 00 00 00 00 fc
[ 738.845740][T21243] ffff88802c608580: fc fc fc fc fc fc fc fc fc
fc fc fc fc fc fc fc
[ 738.846016][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.846594][T21243] >ffff88802c608600: fc fc fc fc fc fc fc fc 00
00 00 00 00 00 00 04
[ 738.848486][T21243]
^
[ 738.849345][T21243] ffff88802c608680: fc fc fc fc fc fc fc fc fc
fc fc fc fc fc fc fc
[ 738.849858][T16045] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 738.850197][T21243] ffff88802c608700: fc fc fc fc fc fc fc fc fc
fc fc fc fc fc fc fc
[ 738.850209][T21243]
==================================================================
[ 738.854633][T16045] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.859751][T16045] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 738.871317][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link
becomes ready
[ 738.872745][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link
becomes ready
[ 738.874105][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 738.875428][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 738.878109][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 738.890651][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0:
link becomes ready
[ 738.897425][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv:
link becomes ready
[ 738.904411][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link
becomes ready
[ 738.915482][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link
becomes ready
[ 738.922074][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0:
link becomes ready
[ 738.927750][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv:
link becomes ready
[ 738.934806][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1:
link becomes ready
[ 738.941303][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv:
link becomes ready
[ 738.949095][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 738.966600][T15885] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 738.984589][T16054] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.985739][T16054] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.986776][T16054] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.987880][T16054] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.988922][T16054] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.993632][T16054] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.994980][T16054] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 738.996172][T16054] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 738.997294][T16054] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
[ 739.001902][T16054] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 739.013680][T16054] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 739.016943][T21243] Kernel panic - not syncing: panic_on_warn set ...
[ 739.017680][T21243] CPU: 0 PID: 21243 Comm: syz-executor.2 Not
tainted 5.19.0-rc6-g2eae0556bb9d #1
[ 739.017964][T16053] device veth1_vlan entered promiscuous mode
[ 739.019286][T21243] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 739.020340][T21243] Call Trace:
[ 739.020708][T21243] <TASK>
[ 739.021043][T21243] dump_stack_lvl+0xcd/0x134
[ 739.021561][T21243] panic+0x2d7/0x636
[ 739.022002][T21243] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 739.022658][T21243] ? preempt_schedule_thunk+0x16/0x18
[ 739.023252][T21243] ? preempt_schedule_common+0x5e/0xc0
[ 739.023856][T21243] ? ntfs_get_ea+0x5c3/0x610
[ 739.024370][T21243] ? preempt_schedule_thunk+0x16/0x18
[ 739.024970][T21243] ? ntfs_get_ea+0x5c3/0x610
[ 739.025485][T21243] end_report.part.0+0x3f/0x7c
[ 739.026015][T21243] kasan_report.cold+0x8/0x12
[ 739.026537][T21243] ? ntfs_get_ea+0x5c3/0x610
[ 739.027053][T21243] ntfs_get_ea+0x5c3/0x610
[ 739.027552][T21243] ? ntfs_setxattr+0xb60/0xb60
[ 739.028086][T21243] ? up_read+0x1a8/0x750
[ 739.028561][T21243] ntfs_get_wsl_perm+0x94/0x360
[ 739.029108][T21243] ? ni_enum_attr_ex+0x281/0x400
[ 739.029659][T21243] ? ntfs_save_wsl_perm+0x3b0/0x3b0
[ 739.030234][T21243] ? ni_fname_type.part.0+0x1e0/0x1e0
[ 739.030827][T21243] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 739.031473][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 739.032079][T21243] ? indx_init+0x398/0x5d0
[ 739.032574][T21243] ? write_comp_data+0x1c/0x70
[ 739.033108][T21243] ntfs_iget5+0xe4a/0x3230
[ 739.033608][T21243] ? ntfs_write_end+0x840/0x840
[ 739.034146][T21243] ? indx_find_buffer+0x630/0x630
[ 739.034703][T21243] ? __kasan_kmalloc+0xb5/0xe0
[ 739.035235][T21243] dir_search_u+0x36a/0x3f0
[ 739.035741][T21243] ? ntfs_nls_to_utf16+0x800/0x800
[ 739.036312][T21243] ntfs_lookup+0x174/0x1e0
[ 739.036809][T21243] __lookup_slow+0x255/0x490
[ 739.037331][T21243] ? page_get_link+0x7c0/0x7c0
[ 739.037864][T21243] ? kasan_check_range+0x108/0x1f0
[ 739.038432][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 739.039042][T21243] walk_component+0x40f/0x6a0
[ 739.039565][T21243] ? handle_dots.part.0+0x1590/0x1590
[ 739.040158][T21243] ? walk_component+0x6a0/0x6a0
[ 739.040699][T21243] path_lookupat.isra.0+0x190/0x580
[ 739.041281][T21243] filename_lookup+0x1ca/0x410
[ 739.041814][T21243] ? may_linkat+0x480/0x480
[ 739.042318][T21243] ? do_raw_spin_lock+0x120/0x2d0
[ 739.042876][T21243] ? kasan_check_range+0x57/0x1f0
[ 739.043433][T21243] ? __lock_acquire+0x1829/0x5840
[ 739.043990][T21243] ? ___slab_alloc+0xb62/0x1140
[ 739.044529][T21243] vfs_statx+0x144/0x360
[ 739.045012][T21243] ? vfs_getattr+0x60/0x60
[ 739.045509][T21243] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 739.046090][T21243] ? lock_release+0xa1/0x6d0
[ 739.046601][T21243] ? find_held_lock+0x2d/0x110
[ 739.047132][T21243] do_statx+0xd9/0x160
[ 739.047592][T21243] ? __ia32_sys_readlink+0xb0/0xb0
[ 739.048160][T21243] ? __check_object_size+0x187/0x700
[ 739.048743][T21243] ? kasan_check_range+0x57/0x1f0
[ 739.049304][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 739.049910][T21243] ? __phys_addr_symbol+0x2c/0x70
[ 739.050465][T21243] ? write_comp_data+0x1c/0x70
[ 739.050991][T21243] ? __check_object_size+0x2de/0x700
[ 739.051572][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 739.052178][T21243] ? strncpy_from_user+0x287/0x3c0
[ 739.052745][T21243] ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 739.053360][T21243] ? getname_flags+0x275/0x5b0
[ 739.053892][T21243] __x64_sys_statx+0x157/0x1b0
[ 739.054425][T21243] do_syscall_64+0x35/0xb0
[ 739.054921][T21243] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 739.055569][T21243] RIP: 0033:0x7f35e1a8d4ed
[ 739.056108][T21243] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3
0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
[ 739.058163][T21243] RSP: 002b:00007f35e2b8bbe8 EFLAGS: 00000246
ORIG_RAX: 000000000000014c
[ 739.059064][T21243] RAX: ffffffffffffffda RBX: 00007f35e1babf60
RCX: 00007f35e1a8d4ed
[ 739.059916][T21243] RDX: 0000000000000100 RSI: 0000000020003cc0
RDI: 0000000000000005
[ 739.060761][T21243] RBP: 00007f35e1af92e1 R08: 0000000000000000
R09: 0000000000000000
[ 739.061614][T21243] R10: 0000000000000008 R11: 0000000000000246
R12: 0000000000000000
[ 739.062461][T21243] R13: 00007ffec4434f4f R14: 00007f35e1babf60
R15: 00007f35e2b8bd80
[ 739.063315][T21243] </TASK>

--
Thanks and Regards,

Dipanjan


Attachments:
repro.c (50.69 kB)
repro.syz (17.59 kB)

2022-08-03 06:16:51

by Dipanjan Das

Subject: Re: KASAN: slab-out-of-bounds Read in ntfs_get_ea

On Fri, Jul 22, 2022 at 5:51 PM Dipanjan Das
<[email protected]> wrote:
>
> Hi,
>
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
>
> ======================================================
> description: KASAN: slab-out-of-bounds Read in ntfs_get_ea
> affected file: fs/ntfs3/xattr.c
> kernel version: 5.19-rc6
> kernel commit: 32346491ddf24599decca06190ebca03ff9de7f8
> git tree: upstream
> kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=cd73026ceaed1402
> crash reproducer: attached
> ======================================================

Here is our initial analysis and findings regarding this crash (when
we run the repro attached to our original report):
In `fs/ntfs3/xattr.c`, the memory size `size` allocated to hold all
the extended attributes is `60` bytes, which is pointed to by `ea_all`
in `ntfs_get_ea`. `find_ea` iterates over `ea_all` by adding an
`offset` to the current `ea` address to find a matching `ea`. The offset
is calculated either using the size of the extended attribute in
`ea->size` or, if `ea->size` is 0, using the struct size of the `ea`. The
loop terminates if (1) one matched extended attribute `ea` is found or
(2) the calculated offset is greater than `size`.

In this case, at one point the calculated `offset` becomes `56`, which
does not satisfy either of the terminating conditions, and therefore it
still attempts to find the next `ea`. In order to do that, it
calculates the size of the current `ea`. Since the current `ea->size` is
0, the struct size of the current `ea` is used. During that calculation,
the field value `ea->name` is dereferenced to calculate the size
occupied by that field, and the address of `ea->name` falls beyond the
`60`-byte slab range. Hence, the slab out-of-bounds read occurs.

Please let us know if this helps, or whether we need to dig in further.

--
Thanks and Regards,

Dipanjan
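The iteration described in the analysis above, written out as an added example (editor's code, not the kernel's and not the reporter's): a model of the 8-byte EA_FULL header and a bounds-checked version of the `find_ea` walk, run over a constructed 60-byte buffer whose entries end at offset 56, as in the report. The `uid`/`gid`/`mode` entries, the `walk()` helper and the host-endian layout are assumptions for illustration; the kernel's le32/le16 conversions are omitted.

```c
#include <stdint.h>
#include <string.h>

/* 8-byte EA_FULL header as in fs/ntfs3/ntfs.h (host-endian model). */
struct ea_full {
    uint32_t size;              /* packed entry size, 0 = compute it */
    uint8_t flags, name_len;
    uint16_t elength;           /* value length */
    uint8_t name[];             /* name, NUL, value */
};
#define EA_ALIGN(x) (((x) + 3u) & ~3u)
enum ea_walk { EA_FOUND, EA_NOT_FOUND, EA_MALFORMED };

/* Hardened walk. The report's loop read name_len of the header at *off == 56
 * in a 60-byte buffer (byte 61) before checking the header fits; here nothing
 * at *off is read until it is known to fit (size as unpacked_ea_size() does). */
static enum ea_walk find_ea(const uint8_t *ea_all, uint32_t bytes,
                            const char *name, uint8_t name_len, uint32_t *off)
{
    for (*off = 0; ea_all && *off < bytes; ) {
        const struct ea_full *ea = (const void *)(ea_all + *off);
        uint32_t left = bytes - *off, ea_size;
        if (left < sizeof(*ea))                          /* header fits? */
            return EA_MALFORMED;
        ea_size = ea->size ? ea->size                    /* safe to read */
                : EA_ALIGN(sizeof(*ea) + 1u + ea->name_len + ea->elength);
        if (ea_size > left ||                            /* entry fits?  */
            ea_size < sizeof(*ea) + 1u + ea->name_len + ea->elength)
            return EA_MALFORMED;                         /* name+value?  */
        if (ea->name_len == name_len && !memcmp(ea->name, name, name_len))
            return EA_FOUND;
        *off += ea_size;
    }
    return EA_NOT_FOUND;
}

/* Constructed test data: append an entry; size 0 leaves the header size 0. */
static uint32_t put_ea(uint8_t *buf, uint32_t off, uint32_t size,
                       const char *name, const char *value)
{
    struct ea_full *ea = (void *)(buf + off);
    uint8_t nlen = (uint8_t)strlen(name); uint16_t vlen = (uint16_t)strlen(value);
    uint32_t real = size ? size : EA_ALIGN(sizeof(*ea) + 1u + nlen + vlen);
    memset(ea, 0, real);
    ea->size = size, ea->name_len = nlen, ea->elength = vlen;
    memcpy(ea->name, name, nlen);
    memcpy(ea->name + nlen + 1, value, vlen);
    return off + real;
}

/* truncated: the report's shape, entries ending at offset 56 of 60 bytes;
 * else three valid entries (two with size == 0) filling 60 bytes exactly. */
static enum ea_walk walk(int truncated, const char *name, uint32_t *off)
{
    static union { uint32_t align; uint8_t b[64]; } u;  /* 4-byte aligned */
    uint32_t len = put_ea(u.b, 0, truncated ? 28 : 0, "uid", "1000");
    len = put_ea(u.b, len, truncated ? 28 : 0, "gid", "1000");
    len = truncated ? len + 4 : put_ea(u.b, len, 28, "mode", "0755");
    return find_ea(u.b, len, name, (uint8_t)strlen(name), off);
}
```

On the report's shape the walk stops at offset 56 with EA_MALFORMED instead of touching byte 61; on the well-formed buffer both the explicit-size and the computed-size entries are found.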