KASAN: slab-out-of-bounds Read in f2fs_iget

From: Sanan Hasanov
Date: Fri Feb 03 2023 - 13:56:50 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc6-next-20230201
Kernel config: https://drive.google.com/file/d/17UnUG1E5HyCPGz_HN8--CTXXxSHV2e6z/view?usp=sharing
C Reproducer: https://drive.google.com/file/d/1SUoN_Bud8DW-FHrE4bV-azXaAdITStS9/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): Found nat_bits in checkpoint
==================================================================
BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x4acd/0x5550
Read of size 4 at addr ffff888111be9bf8 by task syz-executor941/5911

CPU: 3 PID: 5911 Comm: syz-executor941 Not tainted 6.2.0-rc6-next-20230201 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x178/0x260
 print_report+0xc1/0x5e0
 kasan_report+0xc0/0xf0
 f2fs_iget+0x4acd/0x5550
 f2fs_fill_super+0x4131/0x8490
 mount_bdev+0x332/0x400
 legacy_get_tree+0x109/0x220
 vfs_get_tree+0x8d/0x350
 path_mount+0x675/0x1e30
 __x64_sys_mount+0x283/0x300
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5b5d4a67ee
Code: 48 c7 c0 ff ff ff ff eb aa e8 ce 05 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffecd308d08 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffecd308d60 RCX: 00007f5b5d4a67ee
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffecd308d20
RBP: 0000000000000003 R08: 00007ffecd308d60 R09: 00005555ffffffff
R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffecd308d20
R13: 0000000000000004 R14: 0000000000000026 R15: 0000000000000000
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x7c/0x90
 snd_info_create_entry+0x51/0x420
 snd_pcm_new_stream+0x4d2/0x1530
 _snd_pcm_new+0x246/0x3f0
 snd_pcm_new+0x3e/0x50
 loopback_pcm_new+0x95/0x200
 loopback_probe+0x294/0xe90
 platform_probe+0xba/0x1b0
 really_probe+0x236/0x8f0
 __driver_probe_device+0x252/0x2d0
 driver_probe_device+0x4c/0x1a0
 __device_attach_driver+0x1ce/0x290
 bus_for_each_drv+0x163/0x1e0
 __device_attach+0x1f2/0x490
 bus_probe_device+0x1e8/0x2a0
 device_add+0x10d4/0x1c90
 platform_device_add+0x35a/0x6f0
 platform_device_register_full+0x396/0x4e0
 alsa_card_loopback_init+0x167/0x2c0
 do_one_initcall+0x141/0x860
 kernel_init_freeable+0x5e4/0x8f0
 kernel_init+0x1e/0x2c0
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888111be9800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 752 bytes to the right of
 allocated 264-byte region [ffff888111be9800, ffff888111be9908)

The buggy address belongs to the physical page:
page:00000000acf7864d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111be9
flags: 0x17ffe0000000200(slab|node=0|zone=2|lastcpupid=0x3fff)
raw: 017ffe0000000200 ffff888100040600 ffffea000446fa90 ffffea0004470e10
raw: 0000000000000000 ffff888111be9000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888111be9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888111be9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888111be9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888111be9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888111be9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) is with extra_attr, but extra_attr feature is off
F2FS-fs (loop0): Failed to read root inode
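An added triage helper, not part of the report above and not kernel, syzbot or klocalizer code: it pulls the fields a maintainer looks at first out of the KASAN splat quoted above (bug class, faulting function, access type and size, allocation region) and re-derives the "752 bytes to the right of the 264-byte region" arithmetic. The REPORT string is an excerpt constructed from the lines above.

```python
import re

# Constructed excerpt of the KASAN report quoted above (key lines only).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x4acd/0x5550
Read of size 4 at addr ffff888111be9bf8 by task syz-executor941/5911
The buggy address belongs to the object at ffff888111be9800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 752 bytes to the right of
 allocated 264-byte region [ffff888111be9800, ffff888111be9908)
"""

def parse_kasan(text):
    """Extract the triage-relevant fields from a KASAN slab report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    reg = re.search(r"allocated (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not (bug and acc and obj and reg):
        raise ValueError("not a KASAN slab report")
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "obj_start": int(obj.group(1), 16), "cache": obj.group(2),
        "obj_size": int(obj.group(3)), "alloc_len": int(reg.group(1)),
        "reg_start": int(reg.group(2), 16), "reg_end": int(reg.group(3), 16),
    }

def classify(r):
    """Locate the faulting access relative to the allocation and the cache's object size."""
    if r["addr"] >= r["reg_end"]:
        side, dist = "right", r["addr"] - r["reg_end"]
    elif r["addr"] < r["reg_start"]:
        side, dist = "left", r["reg_start"] - r["addr"]
    else:
        side, dist = "inside", 0
    return {
        "side": side, "distance": dist,
        # Region length must match the "N-byte region" the report claims.
        "consistent": r["reg_end"] - r["reg_start"] == r["alloc_len"],
        # True when the access is past even the cache's nominal object size,
        # i.e. well outside the object, not just past the allocated length.
        "past_object_size": r["addr"] >= r["obj_start"] + r["obj_size"],
    }

if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(rep["bug"], "in", rep["func"], classify(rep))
```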