Bug 200109 - BUG: KASAN: use-after-free in ext4_xattr_set_entry fs/ext4/xattr.c:1598
Summary: BUG: KASAN: use-after-free in ext4_xattr_set_entry fs/ext4/xattr.c:1598
Status: RESOLVED DUPLICATE of bug 200001
Alias: None
Product: File System
Classification: Unclassified
Component: ext4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-18 03:05 UTC by icytxw
Modified: 2018-06-18 05:39 UTC (History)
1 user (show)

See Also:
Kernel Version: v4.17
Tree: Mainline
Regression: No


Attachments
found this with modified syzkaller (1.01 MB, text/plain)
2018-06-18 03:05 UTC, icytxw
Details
attachment-16671-0.html (6.67 KB, text/html)
2018-06-18 05:39 UTC, icytxw
Details

Description icytxw 2018-06-18 03:05:12 UTC
Created attachment 276629 [details]
found this with modified syzkaller

==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x2c6c/0x2f60 fs/ext4/xattr.c:1598
Read of size 4 at addr ffff880069696a64 by task syz-executor1/11113

CPU: 0 PID: 11113 Comm: syz-executor1 Not tainted 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:

The buggy address belongs to the page:
page:ffffea0001a5a580 count:0 mapcount:-128 mapping:0000000000000000 index:0x1
flags: 0x100000000000000()
raw: 0100000000000000 ffffea00019e4008 ffffea000172ee08 0000000000000000
raw: 0000000000000001 0000000000000001 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880069696900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880069696980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880069696a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff880069696a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880069696b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 11113 Comm: syz-executor1 Tainted: G    B             4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
Comment 1 icytxw 2018-06-18 03:12:15 UTC

*** This bug has been marked as a duplicate of bug 200001 ***
Comment 2 Theodore Tso 2018-06-18 04:57:42 UTC
Thanks for reporting this bug and marking it as a duplicate.   Please note that Syzkaller is really terrible at creating an actionable bug report.   But at least the mainline Syzkaller creates a repro.c file which a developer can run --- instead of having to paw through a one megabyte log file which apparently has a huge number of unrelated test programs.

Syzkaller programs are also not in as stable language, so unless you know exactly what version of syzkaller was used to create a syzkaller repro, it's mostly useless.   Indeed, Dmitry has essentially advised me to ignore the syzkaller repro, since otherwise you have to check out the precise version of syzkaller used to create the repro, and use it to run the syzkaller repro.   I personally think that's a terrible design, but at least there is the alternative of using the repro.c file.

I'd strongly encourage that you work on enhancing Syzkaller so it can generate a sample image file combined with a poc.c file, the way Wen Xu's fuzzing system works.  It results in a much more developer-friendly report that is much easier for me to act upon --- with the result that his work has far more impact.

See:

https://bugzilla.kernel.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&component=ext4&email1=wen.xu%40gatech.edu&emailreporter1=1&emailtype1=substring&known_name=Open%20Wen%27s%20problems&list_id=990219&query_based_on=Open%20Wen%27s%20problems&query_format=advanced
Comment 3 icytxw 2018-06-18 05:39:54 UTC
Created attachment 276641 [details]
attachment-16671-0.html

Thanks for your advise, I also know that syzkaller's log file is not so easy to understand.
And because the possibility of some bug being triggered is very small, it is not so easy to 
generate a .c file. In the next time, I will work on how to reproduce possible bugs just like 
Wen Xu’s fuzzing system.

Thanks again

发件人: bugzilla-daemon@bugzilla.kernel.org
发送时间: 2018年6月18日 12:57
收件人: icytxw@gmail.com
主题: [Bug 200109] BUG: KASAN: use-after-free in ext4_xattr_set_entryfs/ext4/xattr.c:1598

https://bugzilla.kernel.org/show_bug.cgi?id=200109

Theodore Tso (tytso@mit.edu) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tytso@mit.edu

--- Comment #2 from Theodore Tso (tytso@mit.edu) ---
Thanks for reporting this bug and marking it as a duplicate.   Please note that
Syzkaller is really terrible at creating an actionable bug report.   But at
least the mainline Syzkaller creates a repro.c file which a developer can run
--- instead of having to paw through a one megabyte log file which apparently
has a huge number of unrelated test programs.

Syzkaller programs are also not in as stable language, so unless you know
exactly what version of syzkaller was used to create a syzkaller repro, it's
mostly useless.   Indeed, Dmitry has essentially advised me to ignore the
syzkaller repro, since otherwise you have to check out the precise version of
syzkaller used to create the repro, and use it to run the syzkaller repro.   I
personally think that's a terrible design, but at least there is the
alternative of using the repro.c file.

I'd strongly encourage that you work on enhancing Syzkaller so it can generate
a sample image file combined with a poc.c file, the way Wen Xu's fuzzing system
works.  It results in a much more developer-friendly report that is much easier
for me to act upon --- with the result that his work has far more impact.

See:

https://bugzilla.kernel.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&component=ext4&email1=wen.xu%40gatech.edu&emailreporter1=1&emailtype1=substring&known_name=Open%20Wen%27s%20problems&list_id=990219&query_based_on=Open%20Wen%27s%20problems&query_format=advanced

Note You need to log in before you can comment on or make changes to this bug.