We found BUG: unable to handle kernel paging request in lookup_one_len

From: yang lan
Date: Fri Apr 28 2023 - 07:38:38 EST


Hi,

We use our modified Syzkaller to fuzz the Linux kernel and found a bug
in the reiserfs file system.

This bug can be reproduced on the Linux kernel version 5.10.50.

commit 43b0742ef44c30f202afbf8355e9326710af9ca1

I compiled the kernel with the .config provided. Booting the kernel,
then compiling and running the binary in the guest, leads to a crash.

root@syzkaller:~# uname -a
Linux syzkaller 5.10.50 #1 SMP PREEMPT Fri Apr 28 16:36:15 CST 2023
x86_64 GNU/Linux
root@syzkaller:~# gcc poc_lookup.c -o poc_lookup
[ 72.792156][ T7592] as (7592) used greatest stack depth: 22240 bytes left
root@syzkaller:~# ./poc_lookup
[ 78.742588][ T7595] REISERFS (device loop0): found reiserfs format
"3.6" with non-standard journal
[ 78.745674][ T7595] REISERFS (device loop0): using ordered data mode
[ 78.746115][ T7595] reiserfs: using flush barriers
[ 78.747016][ T7595] REISERFS (device loop0): journal params: device
loop0, size 512, journal first block 18, max trans len 256, max batch
225, max commit age 30, max trans age 30
[ 78.749039][ T7595] REISERFS (device loop0): checking transaction log (loop0)
[ 78.791572][ T7595] init_special_inode: bogus i_mode (174534) for
inode loop0:2
[ 78.792229][ T7595] REISERFS (device loop0): Using rupasov hash to sort names
[ 78.792891][ T7595] BUG: kernel NULL pointer dereference, address:
0000000000000000
[ 78.793421][ T7595] #PF: supervisor instruction fetch in kernel mode
[ 78.793843][ T7595] #PF: error_code(0x0010) - not-present page
[ 78.794235][ T7595] PGD 16db9067 P4D 16db9067 PUD fcee067 PMD 0
[ 78.794646][ T7595] Oops: 0010 [#1] PREEMPT SMP KASAN
[ 78.794990][ T7595] CPU: 0 PID: 7595 Comm: poc_lookup Not tainted 5.10.50 #1
[ 78.795460][ T7595] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.12.0-1 04/01/2014
[ 78.796058][ T7595] RIP: 0010:0x0
[ 78.796289][ T7595] Code: Unable to access opcode bytes at RIP
0xffffffffffffffd6.
[ 78.796789][ T7595] RSP: 0018:ffff8880426ff7f8 EFLAGS: 00010246
[ 78.797203][ T7595] RAX: dffffc0000000000 RBX: ffff888048b0a178
RCX: ffffffff81bbdde8
[ 78.797717][ T7595] RDX: 0000000000000000 RSI: ffff888048b0a178
RDI: ffff88801ade0190
[ 78.798230][ T7595] RBP: 1ffff110084dff03 R08: ffff8880142ca140
R09: fffffbfff1c1a7c2
[ 78.798741][ T7595] R10: ffffffff8e0d3e0f R11: fffffbfff1c1a7c1
R12: ffff88801ade0190
[ 78.799252][ T7595] R13: ffffffff88fc15c0 R14: ffff8880426ff838
R15: dffffc0000000000
[ 78.799766][ T7595] FS: 00007fc04269c440(0000)
GS:ffff88802d000000(0000) knlGS:0000000000000000
[ 78.800339][ T7595] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.800763][ T7595] CR2: ffffffffffffffd6 CR3: 0000000016d7b000
CR4: 0000000000350ef0
[ 78.801279][ T7595] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 78.801792][ T7595] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 78.802303][ T7595] Call Trace:
[ 78.802523][ T7595] __lookup_slow+0x267/0x490
[ 78.802824][ T7595] ? vfs_unlink+0x610/0x610
[ 78.803122][ T7595] ? d_lookup+0xd4/0x130
[ 78.803400][ T7595] lookup_one_len+0x163/0x190
[ 78.803704][ T7595] ? __lookup_slow+0x490/0x490
[ 78.804018][ T7595] ? down_write_killable_nested+0x170/0x170
[ 78.804407][ T7595] reiserfs_lookup_privroot+0x92/0x290
[ 78.804768][ T7595] reiserfs_fill_super+0x1f22/0x2d80
[ 78.805115][ T7595] ? finish_unfinished+0x1190/0x1190
[ 78.805467][ T7595] ? vsnprintf+0x1bd/0x15c0
[ 78.805763][ T7595] ? pointer+0x790/0x790
[ 78.806041][ T7595] ? down_write_killable_nested+0x170/0x170
[ 78.806427][ T7595] ? wait_for_completion+0x250/0x250
[ 78.806775][ T7595] ? finish_unfinished+0x1190/0x1190
[ 78.807120][ T7595] mount_bdev+0x320/0x400
[ 78.807407][ T7595] ? reiserfs_kill_sb+0x1e0/0x1e0
[ 78.807739][ T7595] legacy_get_tree+0x103/0x210
[ 78.808052][ T7595] vfs_get_tree+0x86/0x2f0
[ 78.808343][ T7595] path_mount+0x6d3/0x1c90
[ 78.808636][ T7595] ? strncpy_from_user+0x2e4/0x460
[ 78.808971][ T7595] ? finish_automount+0x8a0/0x8a0
[ 78.809309][ T7595] ? getname_flags+0x268/0x5a0
[ 78.809623][ T7595] do_mount+0xf1/0x110
[ 78.809892][ T7595] ? path_mount+0x1c90/0x1c90
[ 78.810202][ T7595] ? copy_mount_options+0xed/0x180
[ 78.810541][ T7595] ? __get_user_nocheck_8+0x10/0x13
[ 78.810884][ T7595] __x64_sys_mount+0x1d5/0x220
[ 78.811202][ T7595] do_syscall_64+0x2d/0x70
[ 78.811495][ T7595] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 78.811883][ T7595] RIP: 0033:0x7fc0421c848a
[ 78.812175][ T7595] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83
c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5
00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8
64 89 01 48
[ 78.813472][ T7595] RSP: 002b:00007ffcc92e4558 EFLAGS: 00000202
ORIG_RAX: 00000000000000a5
[ 78.814034][ T7595] RAX: ffffffffffffffda RBX: 0000000000000000
RCX: 00007fc0421c848a
[ 78.814545][ T7595] RDX: 0000000020000000 RSI: 0000000020000100
RDI: 00007ffcc92e4690
[ 78.815054][ T7595] RBP: 00007ffcc92e4710 R08: 00007ffcc92e4590
R09: 00007ffcc92e46d4
[ 78.815566][ T7595] R10: 0000000000000000 R11: 0000000000000202
R12: 00005579d7800ad0
[ 78.816075][ T7595] R13: 00007ffcc92e4820 R14: 0000000000000000
R15: 0000000000000000
[ 78.816591][ T7595] Modules linked in:
[ 78.816850][ T7595] CR2: 0000000000000000
[ 78.817131][ T7595] ---[ end trace 1163668d158b38e5 ]---
[ 78.817482][ T7595] RIP: 0010:0x0
[ 78.817709][ T7595] Code: Unable to access opcode bytes at RIP
0xffffffffffffffd6.
[ 78.818205][ T7595] RSP: 0018:ffff8880426ff7f8 EFLAGS: 00010246
[ 78.818598][ T7595] RAX: dffffc0000000000 RBX: ffff888048b0a178
RCX: ffffffff81bbdde8
[ 78.819112][ T7595] RDX: 0000000000000000 RSI: ffff888048b0a178
RDI: ffff88801ade0190
[ 78.819623][ T7595] RBP: 1ffff110084dff03 R08: ffff8880142ca140
R09: fffffbfff1c1a7c2
[ 78.820136][ T7595] R10: ffffffff8e0d3e0f R11: fffffbfff1c1a7c1
R12: ffff88801ade0190
[ 78.820649][ T7595] R13: ffffffff88fc15c0 R14: ffff8880426ff838
R15: dffffc0000000000
[ 78.821168][ T7595] FS: 00007fc04269c440(0000)
GS:ffff88802d000000(0000) knlGS:0000000000000000
[ 78.821746][ T7595] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.822174][ T7595] CR2: ffffffffffffffd6 CR3: 0000000016d7b000
CR4: 0000000000350ef0
[ 78.822692][ T7595] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 78.823208][ T7595] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 78.823724][ T7595] Kernel panic - not syncing: Fatal exception
[ 78.824426][ T7595] Kernel Offset: disabled
[ 78.824732][ T7595] Rebooting in 86400 seconds..

Attachment: kernel_config
Description: Binary data

Attachment: log
Description: Binary data

Attachment: poc_lookup.c
Description: Binary data

Attachment: poc_syz
Description: Binary data
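For anyone triaging reports like this one in bulk (a fuzzing campaign produces many near-identical oopses), the following parser extracts the pieces that matter from an x86-64 oops: the BUG line, the page-fault reason, the faulting RIP, the reliable call-trace frames (the ones without a leading `?`), and a deduplication signature built from them. It is an added example, not code from the reporter or from syzkaller. The embedded sample is an excerpt of the oops above with the mailer's line wrapping re-joined; the function names and the classification labels are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the reporter's oops (timestamps, PIDs and addresses as in the report),
# trimmed to the lines this parser consumes. Lines the mail client had wrapped
# are re-joined here; a real log would be fed in as read from the console.
SAMPLE_OOPS = """\
[ 78.791572][ T7595] init_special_inode: bogus i_mode (174534) for inode loop0:2
[ 78.792229][ T7595] REISERFS (device loop0): Using rupasov hash to sort names
[ 78.792891][ T7595] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 78.793421][ T7595] #PF: supervisor instruction fetch in kernel mode
[ 78.793843][ T7595] #PF: error_code(0x0010) - not-present page
[ 78.794646][ T7595] Oops: 0010 [#1] PREEMPT SMP KASAN
[ 78.794990][ T7595] CPU: 0 PID: 7595 Comm: poc_lookup Not tainted 5.10.50 #1
[ 78.796058][ T7595] RIP: 0010:0x0
[ 78.800763][ T7595] CR2: ffffffffffffffd6 CR3: 0000000016d7b000 CR4: 0000000000350ef0
[ 78.802303][ T7595] Call Trace:
[ 78.802523][ T7595] __lookup_slow+0x267/0x490
[ 78.802824][ T7595] ? vfs_unlink+0x610/0x610
[ 78.803122][ T7595] ? d_lookup+0xd4/0x130
[ 78.803400][ T7595] lookup_one_len+0x163/0x190
[ 78.803704][ T7595] ? __lookup_slow+0x490/0x490
[ 78.804407][ T7595] reiserfs_lookup_privroot+0x92/0x290
[ 78.804768][ T7595] reiserfs_fill_super+0x1f22/0x2d80
[ 78.807120][ T7595] mount_bdev+0x320/0x400
[ 78.807739][ T7595] legacy_get_tree+0x103/0x210
[ 78.808052][ T7595] vfs_get_tree+0x86/0x2f0
[ 78.808343][ T7595] path_mount+0x6d3/0x1c90
[ 78.809623][ T7595] do_mount+0xf1/0x110
[ 78.810884][ T7595] __x64_sys_mount+0x1d5/0x220
[ 78.811202][ T7595] do_syscall_64+0x2d/0x70
[ 78.811495][ T7595] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 78.816591][ T7595] Modules linked in:
[ 78.817131][ T7595] CR2: 0000000000000000
[ 78.817482][ T7595] ---[ end trace 1163668d158b38e5 ]---
"""

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")   # "[ 78.79][ T7595] " prefix
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CPU_RE = re.compile(r"PID: (\d+) Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+)")
END_RE = re.compile(r"---\[ end trace ([0-9a-f]+) \]---")


@dataclass
class Oops:
    bug: Optional[str] = None          # text after "BUG: "
    pf_reason: Optional[str] = None    # first "#PF:" line
    rip: Optional[str] = None          # kernel RIP (first RIP line only)
    pid: Optional[int] = None
    comm: Optional[str] = None
    version: Optional[str] = None
    trace_id: Optional[str] = None
    preamble: List[str] = field(default_factory=list)          # messages before BUG
    frames: List[Tuple[bool, str]] = field(default_factory=list)  # (reliable, symbol)


def strip_prefix(raw: str) -> str:
    """Drop the printk timestamp/thread prefix and surrounding whitespace."""
    return PREFIX_RE.sub("", raw).strip()


def parse_oops(text: str) -> Oops:
    oops = Oops()
    in_trace = False
    for raw in text.splitlines():
        line = strip_prefix(raw)
        if not line:
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                oops.frames.append((m.group(1) is None, m.group(2)))
                continue
            in_trace = False  # first non-frame line ends the call trace
        if line.startswith("BUG: "):
            oops.bug = line[len("BUG: "):]
        elif line.startswith("#PF: ") and oops.pf_reason is None:
            oops.pf_reason = line[len("#PF: "):]
        elif line.startswith("CPU:"):
            m = CPU_RE.search(line)
            if m:
                oops.pid, oops.comm, oops.version = int(m.group(1)), m.group(2), m.group(4)
        elif line.startswith("RIP: ") and oops.rip is None:
            m = RIP_RE.match(line)
            if m:
                oops.rip = m.group(1)
        elif line == "Call Trace:":
            in_trace = True
        elif line.startswith("---[ end trace"):
            m = END_RE.match(line)
            if m:
                oops.trace_id = m.group(1)
        elif oops.bug is None:
            oops.preamble.append(line)  # e.g. the "bogus i_mode" hint before the crash
    return oops


def reliable_frames(oops: Oops) -> List[str]:
    """Frames the unwinder trusts; '?' frames are stale stack slots and are skipped."""
    return [sym for reliable, sym in oops.frames if reliable]


def first_frame_with_prefix(oops: Oops, prefix: str) -> Optional[str]:
    """Innermost reliable frame belonging to a subsystem, e.g. prefix 'reiserfs_'."""
    return next((s for s in reliable_frames(oops) if s.startswith(s[:0] + prefix)), None)


def classify(oops: Oops) -> str:
    """Assumed label set: RIP 0x0 on an instruction fetch means a NULL function pointer was called."""
    if oops.rip == "0x0" and oops.pf_reason and "instruction fetch" in oops.pf_reason:
        return "null-function-pointer-call"
    if oops.bug and "NULL pointer dereference" in oops.bug:
        return "null-data-dereference"
    return "other"


def signature(oops: Oops) -> str:
    """Dedup key for a fuzzing campaign: crash class plus the top three reliable frames."""
    return classify(oops) + "|" + "/".join(reliable_frames(oops)[:3])


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(f"{o.comm} (pid {o.pid}) on {o.version}: {o.bug}")
    print("class:", classify(o), "| subsystem frame:", first_frame_with_prefix(o, "reiserfs_"))
    print("signature:", signature(o))
```

The signature deliberately uses only reliable frames: `? vfs_unlink` and `? d_lookup` here are leftovers on the stack, not callers, and including them would split one bug into several buckets. Mounting a crafted image is the step that triggers the crash, so with a classification of a NULL function-pointer call in `__lookup_slow` reached from `reiserfs_lookup_privroot`, the natural next check is which operation table the on-disk metadata left unset.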