From: Sasha Levin <sasha.levin@oracle.com>
To: Miklos Szeredi <mszeredi@suse.cz>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: fuse: use after free reading/writing
Date: Tue, 19 Apr 2016 07:08:10 -0700 (PDT)
Message-ID: <57163BCA.6080406@oracle.com>
Hi all,
I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:
[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365272] =============================================================================
[ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
[ 1065.365295] -----------------------------------------------------------------------------
[ 1065.365295]
[ 1065.365304] Disabling lock debugging due to kernel taint
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365397] ___slab_alloc+0x7af/0x870
[ 1065.365419] __slab_alloc.isra.22+0xf4/0x130
[ 1065.365440] kmem_cache_alloc+0x188/0x2b0
[ 1065.365467] __fuse_request_alloc+0x2b/0xf0
[ 1065.365496] __fuse_get_req+0x3f4/0x5b0
[ 1065.365520] fuse_get_req_for_background+0x22/0x30
[ 1065.365546] cuse_channel_open+0x210/0x830
[ 1065.365590] misc_open+0x42f/0x460
[ 1065.365616] chrdev_open+0x412/0x500
[ 1065.365641] do_dentry_open+0x6cc/0xba0
[ 1065.365667] vfs_open+0x1da/0x1f0
[ 1065.365694] path_openat+0x3291/0x3d10
[ 1065.365716] do_filp_open+0x1df/0x280
[ 1065.365732] do_sys_open+0x25c/0x440
[ 1065.365745] SyS_open+0x2d/0x40
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365784] __slab_free+0x6a/0x2f0
[ 1065.365796] kmem_cache_free+0x257/0x2c0
[ 1065.365809] fuse_request_free+0xa8/0xb0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.365836] request_end+0x66a/0x6b0
[ 1065.365849] fuse_dev_do_write+0xa9d/0xc00
[ 1065.365862] fuse_dev_write+0x195/0x1f0
[ 1065.365875] __vfs_write+0x44b/0x520
[ 1065.365888] vfs_write+0x225/0x4a0
[ 1065.365901] SyS_write+0xe5/0x1b0
[ 1065.365935] do_syscall_64+0x2a6/0x4a0
[ 1065.365991] return_from_SYSCALL_64+0x0/0x6a
[ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
[ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
[ 1065.366019] CPU: 1 PID: 2448 Comm: syz-executor Tainted: G B 4.6.0-rc3-next-20160412-sasha-00024-geaec67e-dirty #3002
[ 1065.366019] Call Trace:
[ 1065.366019] dump_stack (lib/dump_stack.c:53)
[ 1065.366019] print_trailer (mm/slub.c:668)
[ 1065.366019] object_err (mm/slub.c:675)
[ 1065.366019] kasan_report_error (mm/kasan/report.c:180 mm/kasan/report.c:276)
[ 1065.366019] __asan_report_load8_noabort (mm/kasan/report.c:319)
[ 1065.366019] fuse_dev_do_read.constprop.5 (./arch/x86/include/asm/bitops.h:311 fs/fuse/dev.c:1320)
[ 1065.366019] fuse_dev_read (fs/fuse/dev.c:1362)
[ 1065.366019] __vfs_read (fs/read_write.c:467 fs/read_write.c:478)
[ 1065.366019] vfs_read (fs/read_write.c:499)
[ 1065.366019] SyS_pread64 (fs/read_write.c:651 fs/read_write.c:638)
[ 1065.366019] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1065.366019] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1065.366019] Memory state around the buggy address:
[ 1065.366019] ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1065.366019] ^
[ 1065.366019] ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1065.366019] ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
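As an added triage helper (not part of this report or of the kernel tree), the following parses the header, the allocation and free stacks, and the shadow-memory rows of a generic-KASAN report of the shape shown above, and maps the shadow byte that covers the faulting address to its meaning (0xfb freed object, 0xfc redzone). The shadow legend and the constructed SAMPLE, a subset of the lines above, are assumptions of this example.

```python
import re

# Generic KASAN: one shadow byte describes 8 bytes of memory (assumed legend).
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
SHADOW_RE = re.compile(r"(?P<mark>>?)(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def strip_timestamp(line):  # drop the dmesg "[ 1065.365235] " prefix
    return re.sub(r"^\[\s*\d+\.\d+\]\s?", "", line).strip()

def parse_kasan_report(text):
    info = {"alloc_stack": [], "free_stack": []}
    section = None  # which stack the bare "sym+off/len" frames belong to
    for line in map(strip_timestamp, text.splitlines()):
        if m := HEADER_RE.search(line):
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            info.update(op=m["op"], size=int(m["size"]), task=m["task"])
        elif line.startswith("INFO: Allocated in"):
            section = "alloc_stack"
        elif line.startswith("INFO: Freed in"):
            section = "free_stack"
        elif line.startswith("INFO: Slab") or line.startswith("Call Trace"):
            section = None
        elif m := SHADOW_RE.match(line):
            if m["mark"] == ">" and "addr" in info:  # row holding the faulting address
                shadow = [int(b, 16) for b in m["bytes"].split()]
                idx = (info["addr"] - int(m["base"], 16)) // 8  # 8 bytes per shadow byte
                info["shadow_byte"] = shadow[idx]
                info["shadow_meaning"] = SHADOW_LEGEND.get(shadow[idx], "unknown")
        elif section and (m := FRAME_RE.match(line)):
            info[section].append(m["sym"])
    return info

# Constructed sample: a subset of the lines from the report above.
SAMPLE = """\
[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.366019] Memory state around the buggy address:
[ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""
```

Running `parse_kasan_report(SAMPLE)` resolves the shadow byte under ffff8800bad3fbf0 to 0xfb, i.e. the read hit an already-freed fuse_request object, which is what the Allocated/Freed stacks in the report also say.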