KASAN: use-after-free Read in seccomp_notify_release (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com>
To: ast@kernel.org, bpf@vger.kernel.org, coreteam@netfilter.org,
	daniel@iogearbox.net, davem@davemloft.net, fw@strlen.de,
	kadlec@blackhole.kfki.hu, kafai@fb.com, keescook@chromium.org,
	linux-kernel@vger.kernel.org, luto@amacapital.net,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	pablo@netfilter.org, songliubraving@fb.com,
	syzkaller-bugs@googlegroups.com, wad@chromium.org,
	wenxu@ucloud.cn, yhs@fb.com
Subject: KASAN: use-after-free Read in seccomp_notify_release (2)
Date: Mon, 25 Mar 2019 01:02:04 -0700	[thread overview]
Message-ID: <000000000000c8f45a0584e69ea9@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000

The bug was bisected to:

commit a799aea0988ea0d1b1f263e996fdad2f6133c680
Author: wenxu <wenxu@ucloud.cn>
Date:   Wed Jan 9 02:40:11 2019 +0000

     netfilter: nft_flow_offload: Fix reverse route lookup

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10dcc517200000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=12dcc517200000
console output: https://syzkaller.appspot.com/x/log.txt?x=14dcc517200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com
Fixes: a799aea0988e ("netfilter: nft_flow_offload: Fix reverse route  
lookup")

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2d5e/0x3fb0  
kernel/locking/lockdep.c:3573
Read of size 8 at addr ffff8880a621d080 by task syz-executor365/8267

CPU: 0 PID: 8267 Comm: syz-executor365 Not tainted 5.1.0-rc1+ #35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
  print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
  kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
  __lock_acquire+0x2d5e/0x3fb0 kernel/locking/lockdep.c:3573
  lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
  __mutex_lock_common kernel/locking/mutex.c:925 [inline]
  __mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072
  mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
  seccomp_notify_release+0x62/0x280 kernel/seccomp.c:984
  __fput+0x2e5/0x8d0 fs/file_table.c:278
  ____fput+0x16/0x20 fs/file_table.c:309
  task_work_run+0x14a/0x1c0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
  prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
  do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x405621
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48  
83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48  
89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d

Allocated by task 8278:
  save_stack+0x45/0xd0 mm/kasan/common.c:75
  set_track mm/kasan/common.c:87 [inline]
  __kasan_kmalloc mm/kasan/common.c:497 [inline]
  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
  kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621
  kmalloc include/linux/slab.h:545 [inline]
  kzalloc include/linux/slab.h:740 [inline]
  seccomp_prepare_filter kernel/seccomp.c:453 [inline]
  seccomp_prepare_user_filter kernel/seccomp.c:493 [inline]
  seccomp_set_mode_filter kernel/seccomp.c:1262 [inline]
  do_seccomp+0x743/0x2250 kernel/seccomp.c:1376
  __do_sys_seccomp kernel/seccomp.c:1395 [inline]
  __se_sys_seccomp kernel/seccomp.c:1392 [inline]
  __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8278:
  save_stack+0x45/0xd0 mm/kasan/common.c:75
  set_track mm/kasan/common.c:87 [inline]
  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xcf/0x230 mm/slab.c:3821
  seccomp_filter_free kernel/seccomp.c:567 [inline]
  seccomp_filter_free kernel/seccomp.c:563 [inline]
  seccomp_set_mode_filter kernel/seccomp.c:1317 [inline]
  do_seccomp+0xb00/0x2250 kernel/seccomp.c:1376
  __do_sys_seccomp kernel/seccomp.c:1395 [inline]
  __se_sys_seccomp kernel/seccomp.c:1392 [inline]
  __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a621d000
  which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
  192-byte region [ffff8880a621d000, ffff8880a621d0c0)
The buggy address belongs to the page:
page:ffffea0002988740 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002981048 ffffea0002988048 ffff88812c3f0040
raw: 0000000000000000 ffff8880a621d000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8880a621cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8880a621d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a621d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                    ^
  ffff8880a621d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8880a621d180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

next             reply	other threads:[~2019-03-25  8:02 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-25  8:02 syzbot [this message]
2019-04-23 21:39 ` KASAN: use-after-free Read in seccomp_notify_release (2) Kees Cook
2019-04-23 21:51   ` Tycho Andersen
2019-04-23 22:06     ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000c8f45a0584e69ea9@google.com \
    --to=syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=coreteam@netfilter.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=kafai@fb.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=songliubraving@fb.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=wad@chromium.org \
    --cc=wenxu@ucloud.cn \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.