2023-02-03 18:56:50

by Sanan Hasanov

Subject: KASAN: slab-out-of-bounds Read in f2fs_iget

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc6-next-20230201
Kernel config: https://drive.google.com/file/d/17UnUG1E5HyCPGz_HN8--CTXXxSHV2e6z/view?usp=sharing
C Reproducer: https://drive.google.com/file/d/1SUoN_Bud8DW-FHrE4bV-azXaAdITStS9/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): Found nat_bits in checkpoint
==================================================================
BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x4acd/0x5550
Read of size 4 at addr ffff888111be9bf8 by task syz-executor941/5911

CPU: 3 PID: 5911 Comm: syz-executor941 Not tainted 6.2.0-rc6-next-20230201 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x178/0x260
 print_report+0xc1/0x5e0
 kasan_report+0xc0/0xf0
 f2fs_iget+0x4acd/0x5550
 f2fs_fill_super+0x4131/0x8490
 mount_bdev+0x332/0x400
 legacy_get_tree+0x109/0x220
 vfs_get_tree+0x8d/0x350
 path_mount+0x675/0x1e30
 __x64_sys_mount+0x283/0x300
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5b5d4a67ee
Code: 48 c7 c0 ff ff ff ff eb aa e8 ce 05 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffecd308d08 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffecd308d60 RCX: 00007f5b5d4a67ee
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffecd308d20
RBP: 0000000000000003 R08: 00007ffecd308d60 R09: 00005555ffffffff
R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffecd308d20
R13: 0000000000000004 R14: 0000000000000026 R15: 0000000000000000
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x7c/0x90
 snd_info_create_entry+0x51/0x420
 snd_pcm_new_stream+0x4d2/0x1530
 _snd_pcm_new+0x246/0x3f0
 snd_pcm_new+0x3e/0x50
 loopback_pcm_new+0x95/0x200
 loopback_probe+0x294/0xe90
 platform_probe+0xba/0x1b0
 really_probe+0x236/0x8f0
 __driver_probe_device+0x252/0x2d0
 driver_probe_device+0x4c/0x1a0
 __device_attach_driver+0x1ce/0x290
 bus_for_each_drv+0x163/0x1e0
 __device_attach+0x1f2/0x490
 bus_probe_device+0x1e8/0x2a0
 device_add+0x10d4/0x1c90
 platform_device_add+0x35a/0x6f0
 platform_device_register_full+0x396/0x4e0
 alsa_card_loopback_init+0x167/0x2c0
 do_one_initcall+0x141/0x860
 kernel_init_freeable+0x5e4/0x8f0
 kernel_init+0x1e/0x2c0
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888111be9800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 752 bytes to the right of
 allocated 264-byte region [ffff888111be9800, ffff888111be9908)

The buggy address belongs to the physical page:
page:00000000acf7864d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111be9
flags: 0x17ffe0000000200(slab|node=0|zone=2|lastcpupid=0x3fff)
raw: 017ffe0000000200 ffff888100040600 ffffea000446fa90 ffffea0004470e10
raw: 0000000000000000 ffff888111be9000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888111be9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888111be9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888111be9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888111be9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888111be9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) is with extra_attr, but extra_attr feature is off
F2FS-fs (loop0): Failed to read root inode