From: syzbot <syzbot+31025a5f3f7650081204@syzkaller.appspotmail.com>
To: ast@kernel.org, daniel@iogearbox.net,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: KASAN: use-after-free Write in bpf_tcp_close
Date: Sun, 27 May 2018 13:06:02 -0700	[thread overview]
Message-ID: <000000000000cb4149056d3587f5@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    ff4fb475cea8 Merge branch 'btf-uapi-cleanups'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12b3d577800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=31025a5f3f7650081204
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=109a2f37800000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a727b800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31025a5f3f7650081204@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
Write of size 8 at addr ffff8801ca277680 by task syz-executor749/9723

CPU: 0 PID: 9723 Comm: syz-executor749 Not tainted 4.17.0-rc4+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
  kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
  cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
  bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
  inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
  inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
  sock_release+0x96/0x1b0 net/socket.c:594
  sock_close+0x16/0x20 net/socket.c:1149
  __fput+0x34d/0x890 fs/file_table.c:209
  ____fput+0x15/0x20 fs/file_table.c:243
  task_work_run+0x1e4/0x290 kernel/task_work.c:113
  exit_task_work include/linux/task_work.h:22 [inline]
  do_exit+0x1aee/0x2730 kernel/exit.c:865
  do_group_exit+0x16f/0x430 kernel/exit.c:968
  __do_sys_exit_group kernel/exit.c:979 [inline]
  __se_sys_exit_group kernel/exit.c:977 [inline]
  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440a59
RSP: 002b:00007ffdadf92488 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440a59
RDX: 0000000000440a59 RSI: 0000000000000020 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000004002c8 R09: 0000000000401ea0
R10: 00000000004002c8 R11: 0000000000000206 R12: 000000000001b5ac
R13: 0000000000401ea0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 9723:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
  __do_kmalloc_node mm/slab.c:3682 [inline]
  __kmalloc_node+0x47/0x70 mm/slab.c:3689
  kmalloc_node include/linux/slab.h:554 [inline]
  bpf_map_area_alloc+0x3f/0x90 kernel/bpf/syscall.c:144
  sock_map_alloc+0x376/0x410 kernel/bpf/sockmap.c:1555
  find_and_alloc_map kernel/bpf/syscall.c:126 [inline]
  map_create+0x393/0x1010 kernel/bpf/syscall.c:448
  __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
  __x64_sys_bpf+0x300/0x4f0 kernel/bpf/syscall.c:2105
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4521:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xd9/0x260 mm/slab.c:3813
  kvfree+0x61/0x70 mm/util.c:440
  bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:155
  sock_map_remove_complete kernel/bpf/sockmap.c:1443 [inline]
  sock_map_free+0x408/0x540 kernel/bpf/sockmap.c:1619
  bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
  process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
  worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
  kthread+0x345/0x410 kernel/kthread.c:238
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff8801ca277680
  which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 0 bytes inside of
  1024-byte region [ffff8801ca277680, ffff8801ca277a80)
The buggy address belongs to the page:
page:ffffea0007289d80 count:1 mapcount:0 mapping:ffff8801ca276000 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801ca276000 0000000000000000 0000000100000007
raw: ffffea0006d12b20 ffffea000763bba0 ffff8801da800ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801ca277580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801ca277600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801ca277680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                    ^
  ffff8801ca277700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8801ca277780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
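The allocation and free stacks above pin the lifetime bug down: the object KASAN flags is the sock map's element storage (allocated by sock_map_alloc through bpf_map_area_alloc, freed by sock_map_free from the deferred map-free work item), and the offending write is bpf_tcp_close clearing the map slot that a closing socket still points at. The userspace C program below is an added illustration of that ordering; it is not kernel code and not the fix that was merged. All names in it are hypothetical, the kernel's KASAN instrumentation is stood in for by an explicit "freed" flag on the storage, and map_free_safe() shows one ordering that avoids the dangling pointer (unlink every socket before releasing the storage), not the upstream change:

```c
/* Userspace model of the lifetime bug in the report above: an added
 * illustration, not kernel code. Every name here is hypothetical, and
 * map_free_safe() is one ordering that avoids the dangling pointer, not
 * the fix that went upstream. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 4
#define KASAN_FREED 0xfb  /* shadow byte KASAN uses for freed slab memory */
/* Element storage: the kmalloc-1024 object bpf_map_area_free released. */
struct model_map {
    struct model_sock **slots;
    int slots_freed;      /* stands in for KASAN's "freed" shadow state */
};

/* Per-socket record of the slot it occupies (like the psock's map-entry
 * list): a raw pointer into map->slots, with no reference on the map. */
struct map_link {
    struct model_map *map;
    struct model_sock **slot;
    struct map_link *next;
};

struct model_sock { struct map_link *links; };

/* Instrumented store, playing the role of KASAN's check on cmpxchg_size(). */
static int checked_cmpxchg(struct model_map *map, struct model_sock **slot,
                           struct model_sock *old, struct model_sock *val)
{
    if (map->slots_freed)   /* this is where KASAN reports the UAF write */
        return -1;
    if (*slot == old) *slot = val;
    return 0;
}

/* map_update_elem: place sk in slot i and link the socket back to it. */
static void map_add(struct model_map *m, int i, struct model_sock *sk)
{
    struct map_link *l = calloc(1, sizeof *l);
    l->map = m; l->slot = &m->slots[i];
    l->next = sk->links; sk->links = l;
    m->slots[i] = sk;
}

static void map_free_storage(struct model_map *m)
{
    memset(m->slots, KASAN_FREED, SLOTS * sizeof *m->slots);
    m->slots_freed = 1;   /* real kernel: kfree(), memory becomes reusable */
}

/* Safe ordering: detach every socket still linked to this map before the
 * storage goes away, so no map_link outlives the array it points into. */
static void map_free_safe(struct model_map *m)
{
    for (int i = 0; i < SLOTS; i++) {
        struct model_sock *sk = m->slots[i];
        for (struct map_link **pp = sk ? &sk->links : NULL; pp && *pp; ) {
            if ((*pp)->map != m) { pp = &(*pp)->next; continue; }
            struct map_link *dead = *pp;
            *pp = dead->next;
            free(dead);
        }
        m->slots[i] = NULL;
    }
    map_free_storage(m);
}

/* Socket close path: clear each slot the socket occupied, as bpf_tcp_close
 * does. Returns how many already-freed slots it tried to write. */
static int sock_close(struct model_sock *sk)
{
    int uaf = 0;
    for (struct map_link *l = sk->links, *next; l; l = next) {
        next = l->next;
        if (checked_cmpxchg(l->map, l->slot, sk, NULL) < 0) uaf++;
        free(l);
    }
    sk->links = NULL;
    return uaf;
}

/* safe_order == 0 is the report's ordering: map teardown frees the storage,
 * then the socket closes and follows its stale link. Returns UAFs caught. */
int scenario(int safe_order)
{
    struct model_map m = { calloc(SLOTS, sizeof(struct model_sock *)), 0 };
    struct model_sock sk = { 0 };
    map_add(&m, 2, &sk);
    if (safe_order) map_free_safe(&m);
    else map_free_storage(&m);  /* sk.links now dangles into m.slots */
    int uaf = sock_close(&sk);
    free(m.slots);
    return uaf;
}

int main(void)
{
    printf("report ordering: %d UAF write(s), safe ordering: %d\n", scenario(0), scenario(1));
}
```

Build with any C99 compiler. scenario(0) returns 1 (one write into storage that was already released, the pattern the KASAN report shows), scenario(1) returns 0. The model only demonstrates the ordering; confirming the real kernel behaviour means running the C reproducer linked above against a KASAN-enabled build of the bpf-next commit named in the report.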

Thread overview: 5+ messages
2018-05-27 20:06 syzbot [this message]
2018-05-27 22:15 ` KASAN: use-after-free Write in bpf_tcp_close Daniel Borkmann
2018-06-07 16:58   ` Dmitry Vyukov
2018-06-08 16:03     ` John Fastabend
2018-07-02 18:55 ` John Fastabend