https://bugzilla.kernel.org/show_bug.cgi?id=215905
Bug ID: 215905
Summary: BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
Product: File System
Version: 2.5
Kernel Version: 5.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: [email protected]
Reporter: [email protected]
Regression: No
Created attachment 300829
--> https://bugzilla.kernel.org/attachment.cgi?id=300829&action=edit
case.c
I have encountered a KASAN bug in the F2FS file system in kernel v5.17.
I have uploaded the system call sequence as case.c, and a fuzzed image can be
found on Google Drive
(https://drive.google.com/file/d/1PKPI0AojESKJLWKaWeBg-nRPNlEPELFb/view?usp=sharing).
The kernel should have CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y enabled. You can
reproduce the bug by running the following commands:
gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "background_gc=sync,discard,no_heap,nouser_xattr,active_logs=2,inline_data,fastboot,data_flush,checkpoint=disable,noquota,fsync_mode=strict,test_dummy_encryption" \
    -t f2fs /dev/loop0 /root/mnt
./case
The kernel log is shown below:
==================================================================
BUG: KASAN: slab-out-of-bounds in f2fs_allocate_data_block+0x23d0/0x31f0
Read of size 4 at addr ffff88810ae96bc4 by task case/2167

CPU: 1 PID: 2167 Comm: case Not tainted 5.17.0 #4
Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_address_description.constprop.0+0x21/0x150
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 kasan_report.cold+0x7f/0x11b
 ? f2fs_allocate_data_block+0x23d0/0x31f0
 f2fs_allocate_data_block+0x23d0/0x31f0
 ? _raw_read_lock_bh+0x40/0x40
 ? _raw_spin_lock_irqsave+0x88/0xe0
 do_write_page+0x18d/0x710
 f2fs_outplace_write_data+0x151/0x250
 ? f2fs_do_write_node_page+0x110/0x110
 f2fs_convert_inline_page+0x6f7/0x1300
 ? f2fs_read_inline_data+0x5c0/0x5c0
 ? __get_node_page+0x13c/0xd30
 f2fs_convert_inline_inode+0x99c/0xf40
 ? f2fs_convert_inline_page+0x1300/0x1300
 ? selinux_mount+0x220/0x220
 ? setattr_prepare+0xd5/0x640
 f2fs_setattr+0xb28/0x12e0
 notify_change+0x5a5/0xcc0
 ? down_write_killable+0x120/0x120
 ? do_truncate+0xeb/0x190
 do_truncate+0xeb/0x190
 ? __x64_sys_openat2+0x2a0/0x2a0
 ? __fget_light+0x52/0x500
 ? ksys_read+0xe8/0x1c0
 ? vfs_write+0x7b0/0x7b0
 do_sys_ftruncate+0x2b2/0x4b0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd670d5976d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff4da961a8 EFLAGS: 00000203 ORIG_RAX: 000000000000004d
RAX: ffffffffffffffda RBX: 000055b2f5995b60 RCX: 00007fd670d5976d
RDX: 00007fd670d5976d RSI: 0000000000073460 RDI: 0000000000000003
RBP: 00007fff4de963e0 R08: 00007fff4de964d8 R09: 00007fff4de964d8
R10: 00007fff4de964d8 R11: 0000000000000203 R12: 000055b2f59950a0
R13: 00007fff4de964d0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 2157:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 f2fs_fill_super+0xea/0x64f0
 mount_bdev+0x2c0/0x3a0
 legacy_get_tree+0xea/0x1d0
 vfs_get_tree+0x7f/0x2b0
 path_mount+0x47e/0x19b0
 do_mount+0xc5/0xe0
 __x64_sys_mount+0x127/0x190
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88810ae96000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3012 bytes inside of
 4096-byte region [ffff88810ae96000, ffff88810ae97000)
The buggy address belongs to the page:
page:00000000d3f90f20 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ae90
head:00000000d3f90f20 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100043040
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810ae96a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88810ae96b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88810ae96b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff88810ae96c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810ae96c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
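Triage of a report like the one above starts at the "Memory state" rows: generic KASAN keeps one shadow byte per 8-byte granule, 00 meaning all eight bytes are addressable, 01..07 a partial granule, and fc the kmalloc redzone that sits between the size a caller asked kmalloc for and the end of the slab slot. The following is an added worked example, not code from the bug report, from the reporter or from f2fs: it parses the "Read of size", "belongs to the object at" and shadow-row lines quoted above and derives the offset of the access, the shadow byte covering it and, as an inference, the size that was requested from kmalloc (the distance from the object start to the first non-00 granule; this assumes the granules between the object start and the first dumped row, which the report does not show, are all 00). It only handles accesses at or after the object start; the sample input is the relevant lines copied from the report.

```c
/*
 * Decode the "Memory state around the buggy address" rows of a generic-mode
 * KASAN report. Added example, not code from the bug report or from f2fs.
 * Generic KASAN keeps one shadow byte per 8-byte granule: 0x00 = all 8 bytes
 * addressable, 0x01..0x07 = only the first N bytes, 0xfc = kmalloc redzone
 * (inside the slab slot but past the size requested from kmalloc).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE_SIZE    8
#define KASAN_KMALLOC_REDZONE 0xfc
#define META_BYTES_PER_ROW    16

struct shadow_row { uint64_t base; uint8_t shadow[META_BYTES_PER_ROW]; };

struct triage {
	unsigned access_size, offset;  /* offset of the access from the object start */
	int shadow_value;              /* shadow byte covering the access, -1 if not dumped */
	unsigned usable_size;          /* inferred kmalloc request size, 0 if unknown */
	int past_end;                  /* bytes beyond usable_size when in a redzone */
};

/* Parse " ffff88810ae96b80: 00 00 ..." (the current row is prefixed '>'). */
static int parse_shadow_row(const char *line, struct shadow_row *row)
{
	const char *p = line + strspn(line, " >");
	char *end;
	row->base = strtoull(p, &end, 16);
	if (end == p || *end != ':')
		return -1;
	p = end + 1;
	for (int i = 0; i < META_BYTES_PER_ROW; i++) {
		unsigned long v = strtoul(p, &end, 16);
		if (end == p || v > 0xff)
			return -1;
		row->shadow[i] = (uint8_t)v;
		p = end;
	}
	return 0;
}

int triage_kasan_report(const char *const *lines, size_t n, struct triage *t)
{
	struct shadow_row rows[8];
	size_t nrows = 0;
	unsigned long long addr = 0, obj = 0;
	uint64_t first_rz = 0;  /* address of the first non-addressable byte */
	*t = (struct triage){ .shadow_value = -1 };
	for (size_t i = 0; i < n; i++) {
		if (sscanf(lines[i], "%*s of size %u at addr %llx", &t->access_size, &addr) == 2)
			continue;
		if (sscanf(lines[i], "The buggy address belongs to the object at %llx", &obj) == 1)
			continue;
		if (nrows < 8 && parse_shadow_row(lines[i], &rows[nrows]) == 0)
			nrows++;
	}
	if (!addr || !obj || !nrows || addr < obj)  /* left-of-object not handled */
		return -1;
	t->offset = (unsigned)(addr - obj);
	/* Rows are dumped in ascending order. Assumption: the undumped granules
	 * between the object start and the first dumped row are all 00. */
	for (size_t i = 0; i < nrows; i++)
		for (int j = 0; j < META_BYTES_PER_ROW; j++) {
			uint64_t g = rows[i].base + (uint64_t)j * KASAN_GRANULE_SIZE;
			uint8_t s = rows[i].shadow[j];
			if (addr >= g && addr < g + KASAN_GRANULE_SIZE)
				t->shadow_value = s;
			if (s && !first_rz)
				first_rz = g + (s < KASAN_GRANULE_SIZE ? s : 0);
		}
	if (first_rz) {
		t->usable_size = (unsigned)(first_rz - obj);
		if (t->shadow_value == KASAN_KMALLOC_REDZONE && t->offset >= t->usable_size)
			t->past_end = (int)(t->offset - t->usable_size);
	}
	return 0;
}

/* Constructed input: the relevant lines, copied from the report above. */
static const char *const sample_report[] = {
	"Read of size 4 at addr ffff88810ae96bc4 by task case/2167",
	"The buggy address belongs to the object at ffff88810ae96000",
	" ffff88810ae96b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
	">ffff88810ae96b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc",
	" ffff88810ae96c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};

int main(void)
{
	struct triage t;
	if (triage_kasan_report(sample_report, sizeof(sample_report) / sizeof(sample_report[0]), &t))
		return 1;
	printf("%u-byte read at offset %u: shadow 0x%02x, inferred request %u bytes, %d past its end\n",
	       t.access_size, t.offset, t.shadow_value, t.usable_size, t.past_end);
	return 0;
}
```

On the report above this gives offset 3012 (agreeing with "located 3012 bytes inside of"), shadow byte 0xfc and an inferred request of 2968 bytes, so the 4-byte read at ffff88810ae96bc4 lands 44 bytes past the end of the object allocated in f2fs_fill_super while still inside the 4096-byte kmalloc-4k slot. That is why the access is silent without KASAN: it never leaves the slot, it only reads the redzone.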