From: Zubin Mithra <zsm@chromium.org>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, groeck@chromium.org,
daniel@iogearbox.net, ast@kernel.org, kafai@fb.com,
songliubraving@fb.com, yhs@fb.com
Subject: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
Date: Tue, 16 Apr 2019 13:29:59 -0700
Message-ID: <20190416202958.GA3821@google.com>
Hello,
Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc8/0x129 lib/dump_stack.c:113
print_address_description+0x67/0x230 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x24e/0x28c mm/kasan/report.c:412
get_link fs/namei.c:1152 [inline]
trailing_symlink+0x593/0x677 fs/namei.c:2326
path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
filename_lookup fs/namei.c:2405 [inline]
user_path_at_empty+0x59/0x6c fs/namei.c:2677
user_path include/linux/namei.h:62 [inline]
do_mount+0x15c/0x17a4 fs/namespace.c:2773
ksys_mount+0x98/0xcc fs/namespace.c:3052
__do_sys_mount fs/namespace.c:3066 [inline]
__se_sys_mount fs/namespace.c:3063 [inline]
__x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Allocated by task 8112:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
slab_alloc_node mm/slub.c:2706 [inline]
slab_alloc mm/slub.c:2714 [inline]
__kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
kstrdup+0x39/0x63 mm/util.c:56
bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
vfs_symlink2+0xfc/0x12b fs/namei.c:4238
do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8116:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1371 [inline]
slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
slab_free mm/slub.c:2953 [inline]
kfree+0x177/0x212 mm/slub.c:3906
bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
evict+0x30b/0x4ce fs/inode.c:558
iput_final fs/inode.c:1550 [inline]
iput+0x541/0x551 fs/inode.c:1576
do_unlinkat+0x2fc/0x403 fs/namei.c:4180
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Could the following patch be applied to 4.19.y?
1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer
Thanks,
- Zubin
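Added example, not part of the message above or of the kernel tree: a small triage helper that splits a KASAN use-after-free report of the shape quoted in the message into its use, allocation and free stacks, skips the allocator and KASAN plumbing frames, and reports the first frame that actually touched the object in each stack, plus whether the allocating and freeing tasks differ (a hint that the object's lifetime is not confined to one code path). The sample report is a constructed, trimmed copy of the one in the message; the noise-prefix list is an assumption chosen for this report.

```python
import re
# Constructed sample: a trimmed copy of the KASAN report quoted in the message above.
SAMPLE_REPORT = """\
Call Trace:
 kasan_report+0x24e/0x28c mm/kasan/report.c:412
 get_link fs/namei.c:1152 [inline]
 trailing_symlink+0x593/0x677 fs/namei.c:2326
Allocated by task 8112:
 kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
 kstrdup+0x39/0x63 mm/util.c:56
 bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
Freed by task 8116:
 kfree+0x177/0x212 mm/slub.c:3906
 bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
 do_unlinkat+0x2fc/0x403 fs/namei.c:4180
"""

FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<file>\S+):(?P<line>\d+)(?P<inline>\s+\[inline\])?$")
SECTION_RE = re.compile(r"^(?P<kind>Call Trace|Allocated|Freed)(?: by task (?P<task>\d+))?:$")
# Frames that belong to the allocator, KASAN itself or syscall entry (assumed list): skipped.
NOISE = ("mm/kasan/", "mm/slub.c", "mm/slab.h", "mm/util.c", "lib/dump_stack.c", "arch/x86/entry/")
KIND = {"Call Trace": "use", "Allocated": "alloc", "Freed": "free"}

def parse_report(text):
    """Split a KASAN report into its use/alloc/free stacks and the task id of each section."""
    stacks, tasks, current = {}, {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line.strip())
        if sec:
            current = stacks.setdefault(KIND[sec["kind"]], [])
            if sec["task"]:
                tasks[KIND[sec["kind"]]] = int(sec["task"])
            continue
        fr = FRAME_RE.match(line)
        if fr and current is not None:
            current.append({"func": fr["func"], "file": fr["file"], "line": int(fr["line"])})
    return stacks, tasks

def culprit(frames):
    """First frame outside the allocator/KASAN plumbing: the code that actually touched the object."""
    return next((fr for fr in frames if not fr["file"].startswith(NOISE)), None)

def triage(text):
    """The three frames a reviewer reads first, plus whether alloc and free ran in different tasks."""
    stacks, tasks = parse_report(text)
    out = {k: f"{fr['func']} {fr['file']}:{fr['line']}" for k, s in stacks.items() if (fr := culprit(s))}
    out["cross_task"] = tasks.get("alloc") != tasks.get("free")
    return out
```

Calling `triage(SAMPLE_REPORT)` yields the `get_link` / `bpf_symlink` / `bpf_evict_inode` triple, with `cross_task` set because tasks 8112 and 8116 differ.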
Thread overview: 3+ messages
2019-04-16 20:29 Zubin Mithra [this message]
2019-04-17 16:00 ` 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode") Sasha Levin
2019-04-17 18:03 ` Daniel Borkmann