From: Peter Hurley <peter@hurleysoftware.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.com>, LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: use-after-free in tty_check_change
Date: Thu, 26 Nov 2015 08:00:48 -0500
Message-ID: <56570280.5030505@hurleysoftware.com>
In-Reply-To: <CACT4Y+YAkc4EQ-cToeUT4m=v9w55ofHPUzMcdz0J+H8Me_WL8w@mail.gmail.com>
Hi Dmitry,
On 11/26/2015 05:31 AM, Dmitry Vyukov wrote:
> Hello,
>
> The following program causes a use-after-free in tty_check_change:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <sys/ioctl.h>
> #include <pthread.h>
> #include <unistd.h>
>
> // second thread: TIOCGETD reads the current line discipline
> void *thr(void *arg)
> {
>     int x = 0;
>     ioctl((int)(long)arg, TIOCGETD, &x);
>     return 0;
> }
>
> // main thread: TIOCSETD replaces the line discipline while thr() reads it
> void tty()
> {
>     int fd = open("/dev/ptmx", O_RDONLY|O_SYNC);
>     pthread_t th;
>     pthread_create(&th, 0, thr, (void*)(long)fd);
>     int x = 16;
>     ioctl(fd, TIOCSETD, &x);
>     pthread_join(th, 0);
> }
>
> int main()
> {
>     int i;
>
>     for (i = 0; i < 10; i++) {
>         if (fork() == 0) {
>             tty();
>             return 0;
>         }
>     }
>     return 0;
> }
>
>
> ==================================================================
> BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
> Read of size 8 by task a.out/6241
> =============================================================================
> BUG kmalloc-16 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
Thanks for the report. I think I have the patch that fixes this in
my out-queue as part of a larger patchset.
However, the stack backtrace below and the reported eip don't correspond
to what I think the problem is:
> BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
^^^^^^^^^^^^^^
this offset is off the end of the compilation unit for me with gcc 4.8.4
Could you generate a mixed listing file of drivers/tty/tty_io.c and attach
it please?
Regards,
Peter Hurley
> Disabling lock debugging due to kernel taint
> INFO: Allocated in tty_ldisc_get.part.3+0x66/0x140 age=6 cpu=3 pid=6230
> [< none >] kmem_cache_alloc_trace+0x1cf/0x220 mm/slub.c:2589
> [< none >] tty_ldisc_get.part.3+0x66/0x140 drivers/tty/tty_ldisc.c:172
> [< none >] tty_set_ldisc+0x83d/0xa70 drivers/tty/tty_ldisc.c:574
> [< none >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
> [< inline >] spin_unlock include/linux/spinlock.h:347
> [< inline >] ioctl_fionbio fs/ioctl.c:492
> [< none >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
> [< none >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
> [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
> INFO: Freed in tty_set_ldisc+0x4c2/0xa70 age=12 cpu=3 pid=6230
> [< none >] kfree+0x199/0x1b0 mm/slub.c:3632
> [< inline >] tty_ldisc_restore drivers/tty/tty_ldisc.c:493
> [< none >] tty_set_ldisc+0x4c2/0xa70 drivers/tty/tty_ldisc.c:571
> [< none >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
> [< inline >] spin_unlock include/linux/spinlock.h:347
> [< inline >] ioctl_fionbio fs/ioctl.c:492
> [< none >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
> [< none >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
> [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
> INFO: Slab 0xffffea000186a800 objects=23 used=19 fp=0xffff880061aa12d0
> flags=0x5fffc0000004080
> INFO: Object 0xffff880061aa0968 @offset=2408 fp=0xffff880061aa0810
> CPU: 2 PID: 6241 Comm: a.out Tainted: G B 4.4.0-rc1+ #117
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> 00000000ffffffff ffff88006db0fab8 ffffffff827450f6 ffff88003e807980
> ffff880061aa0968 ffff880061aa0000 ffff88006db0fae8 ffffffff81629404
> ffff88003e807980 ffffea000186a800 ffff880061aa0968 000000000000001b
>
> Call Trace:
> [<ffffffff81631fde>] __asan_report_load8_noabort+0x3e/0x40
> mm/kasan/report.c:280
> [< inline >] tty_check_change drivers/tty/tty_io.c:399
> [<ffffffff82a7b0a6>] tty_ioctl+0x1f06/0x2140 drivers/tty/tty_io.c:2831
> [< inline >] spin_unlock include/linux/spinlock.h:347
> [< inline >] ioctl_fionbio fs/ioctl.c:492
> [<ffffffff816aea91>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
> [<ffffffff816af2df>] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
> [<ffffffff85415cf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> ==================================================================
>
>
> On commit 6ffeba9607343f15303a399bc402a538800d89d9 (Nov 24).
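As an added illustration, not code from this thread or from the kernel: the interleaving the KASAN report describes, reduced to a single-threaded C model in which the TIOCSETD path frees the old ldisc under the write side of a lock while a TIOCGETD reader either does or does not hold a reference across its read. The `struct tty`, the readers/writer counters and the poison-instead-of-free allocator are constructed stand-ins for the kernel's `ldisc_sem` and the `tty_ldisc_ref_wait()`/`tty_ldisc_deref()` pattern.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0x6b	/* stand-in for slab poisoning of freed memory */
struct ldisc { int num; };
/* readers/writer model tty->ldisc_sem; the replay is single-threaded, so an
 * acquire that would have to block returns -EBUSY instead of waiting. */
struct tty { int readers, writer; struct ldisc *ldisc; };
static int ldsem_down_write(struct tty *t) { if (t->readers || t->writer) return -EBUSY; t->writer = 1; return 0; }
static struct ldisc *ldisc_get(int num) {
	struct ldisc *ld = malloc(sizeof *ld);
	ld->num = num;
	return ld;
}
/* Freed objects are poisoned, not released, so a stale read shows up
 * deterministically as POISON bytes instead of as undefined behaviour. */
static void ldisc_put(struct ldisc *ld) { memset(ld, POISON, sizeof *ld); }

/* TIOCSETD path: take the write side, install the new ldisc, free the old. */
static int tty_set_ldisc(struct tty *t, int num) {
	if (ldsem_down_write(t)) return -EBUSY;
	struct ldisc *old = t->ldisc;
	t->ldisc = ldisc_get(num);
	ldisc_put(old);
	t->writer = 0;
	return 0;
}

/* The reported interleaving: TIOCGETD loads tty->ldisc with no reference,
 * TIOCSETD (ldisc 16, as in the reproducer) frees it, then the stale pointer is read. */
static int replay_unsafe_getd(void) {
	struct tty t = { 0, 0, ldisc_get(0) };
	struct ldisc *ld = t.ldisc;	/* no reference taken */
	tty_set_ldisc(&t, 16);		/* "other thread": old ldisc freed */
	return ld->num;			/* use-after-free: poison 0x6b6b6b6b */
}

/* Same interleaving with a reference held, after the tty_ldisc_ref_wait() /
 * tty_ldisc_deref() pattern: the setter is refused until the reader is done. */
static int replay_safe_getd(void) {
	struct tty t = { 0, 0, ldisc_get(0) };
	t.readers++;					/* tty_ldisc_ref_wait() */
	struct ldisc *ld = t.ldisc;
	int refused = tty_set_ldisc(&t, 16) == -EBUSY;	/* cannot free yet */
	int num = ld->num;				/* still a live object */
	t.readers--;					/* tty_ldisc_deref() */
	return refused && tty_set_ldisc(&t, 16) == 0 ? num : -1;
}
```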