Bug 4880 - [ANCK 5.10] BUG: use-after-free in ext4_xattr_set_entry
Summary: [ANCK 5.10] BUG: use-after-free in ext4_xattr_set_entry
Status: RESOLVED FIXED
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: fs
Version: 5.10.y-15
Hardware: All
OS: Linux
: P3-Medium S3-normal
Target Milestone: ---
Assignee: Joseph Qi
QA Contact: shuming
Reported: 2023-05-06 17:27 UTC by ljubomir
Modified: 2023-07-10 21:02 UTC

Description ljubomir inspur_group 2023-05-06 17:27:23 UTC
Description of problem:

BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500
Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092

CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17
Call Trace:
[...]
 memcpy+0x34/0x50 mm/kasan/kasan.c:303
 ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747
 ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205
 ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386
 ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498
 __vfs_setxattr+0x112/0x170 fs/xattr.c:149
 __vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180
 __vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238
 vfs_setxattr+0xed/0x270 fs/xattr.c:255
 setxattr+0x235/0x330 fs/xattr.c:520
 path_setxattr+0x176/0x190 fs/xattr.c:539
 __do_sys_lsetxattr fs/xattr.c:561 [inline]
 __se_sys_lsetxattr fs/xattr.c:557 [inline]
 __x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557
 do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x459fe9
RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9
RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80
[...]
Comment 1 小龙 admin 2023-05-06 17:32:58 UTC
The PR Link: https://gitee.com/anolis/cloud-kernel/pulls/1612
Comment 2 Joseph Qi alibaba_cloud_group 2023-05-06 18:42:29 UTC
(In reply to 小龙 from comment #1)
> The PR Link: https://gitee.com/anolis/cloud-kernel/pulls/1612

This is a series, not a single patch:
https://lore.kernel.org/all/20220616021358.2504451-1-libaokun1@huawei.com/
Comment 3 小龙 admin 2023-05-08 15:02:59 UTC
The PR Link: https://gitee.com/anolis/cloud-kernel/pulls/1614
Comment 4 Joseph Qi alibaba_cloud_group 2023-05-11 11:11:02 UTC
merged
Comment 5 ZiyangZhang alibaba_cloud_group 2023-05-30 10:05:28 UTC
*** Bug 5270 has been marked as a duplicate of this bug. ***