* BUG: KASAN: slab-use-after-free Read in gsm_dlci_config
@ 2024-11-19 5:22 Juefei Pu
From: Juefei Pu @ 2024-11-19 5:22 UTC (permalink / raw)
To: gregkh, jirislaby, linux-kernel, linux-serial
Hello,
We found the following issue using syzkaller on Linux v6.11.
In function `gsm_dlci_config`, a use-after-free on object `dlci` has
been detected.
Since the reproducer takes around 10 seconds to trigger the bug, it
might be a race condition.
The C reproducer is available at:
https://gist.github.com/TomAPU/2ef61db5e741daa2b4b040fd874b9e92#file-gsmvuln-c
==================================================================
BUG: KASAN: slab-use-after-free in gsm_dlci_config+0x7b7/0x1020 drivers/tty/n_gsm.c:2588
Read of size 4 at addr ffff88803dab000c by task syz.0.361/12086
CPU: 0 PID: 12086 Comm: syz.0.361 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x23d/0x360 lib/dump_stack.c:114
print_address_description+0x77/0x360 mm/kasan/report.c:377
print_report+0xfd/0x210 mm/kasan/report.c:488
kasan_report+0x13f/0x170 mm/kasan/report.c:601
gsm_dlci_config+0x7b7/0x1020 drivers/tty/n_gsm.c:2588
gsmld_ioctl+0xbbc/0x2540 drivers/tty/n_gsm.c:3880
tty_ioctl+0x98f/0xdb0 drivers/tty/tty_io.c:2812
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f86c25809b9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86c3429038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f86c2745f80 RCX: 00007f86c25809b9
RDX: 0000000020000200 RSI: 0000000040384708 RDI: 0000000000000003
RBP: 00007f86c25f4f70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f86c2745f80 R15: 00007ffd81f1d488
</TASK>
Allocated by task 12086:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3b/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x94/0xa0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace_noprof+0x19e/0x2b0 mm/slub.c:4154
kmalloc_noprof include/linux/slab.h:660 [inline]
kzalloc_noprof include/linux/slab.h:778 [inline]
gsm_dlci_alloc+0x53/0x6c0 drivers/tty/n_gsm.c:2643
gsmld_ioctl+0xb99/0x2540 drivers/tty/n_gsm.c:3876
tty_ioctl+0x98f/0xdb0 drivers/tty/tty_io.c:2812
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
Freed by task 12087:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3b/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x3c/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x140 mm/kasan/common.c:240
__kasan_slab_free+0x33/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2196 [inline]
slab_free mm/slub.c:4438 [inline]
kfree+0x118/0x2a0 mm/slub.c:4559
dlci_put drivers/tty/n_gsm.c:2706 [inline]
gsm_dlci_release drivers/tty/n_gsm.c:2739 [inline]
gsm_cleanup_mux+0x5a2/0x930 drivers/tty/n_gsm.c:3156
gsm_config drivers/tty/n_gsm.c:3408 [inline]
gsmld_ioctl+0x13c4/0x2540 drivers/tty/n_gsm.c:3839
tty_ioctl+0x98f/0xdb0 drivers/tty/tty_io.c:2812
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
The buggy address belongs to the object at ffff88803dab0000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 12 bytes inside of
freed 2048-byte region [ffff88803dab0000, ffff88803dab0800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3dab0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888013042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888013042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0000f6ac01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask
0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
pid 8050, tgid 8050 (syz-executor), ts 139463488880, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1db/0x220 mm/page_alloc.c:1473
prep_new_page mm/page_alloc.c:1481 [inline]
get_page_from_freelist+0x7e5/0x860 mm/page_alloc.c:3425
__alloc_pages_noprof+0x25a/0x580 mm/page_alloc.c:4683
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x67/0x130 mm/slub.c:2265
allocate_slab+0x5c/0x240 mm/slub.c:2428
new_slab mm/slub.c:2481 [inline]
___slab_alloc+0xc6b/0x10c0 mm/slub.c:3667
__slab_alloc+0x58/0xa0 mm/slub.c:3757
__slab_alloc_node mm/slub.c:3810 [inline]
slab_alloc_node mm/slub.c:3990 [inline]
__do_kmalloc_node mm/slub.c:4122 [inline]
kmalloc_node_track_caller_noprof+0x268/0x410 mm/slub.c:4143
kmalloc_reserve+0x10e/0x2a0 net/core/skbuff.c:597
__alloc_skb+0x1e8/0x430 net/core/skbuff.c:666
alloc_skb include/linux/skbuff.h:1308 [inline]
nlmsg_new include/net/netlink.h:1015 [inline]
inet6_ifinfo_notify+0x6e/0x110 net/ipv6/addrconf.c:6161
addrconf_notify+0xca7/0x1000 net/ipv6/addrconf.c:3762
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe0/0x180 kernel/notifier.c:461
__dev_notify_flags+0x201/0x400
dev_change_flags+0xe8/0x190 net/core/dev.c:8858
do_setlink+0xcc7/0x41e0 net/core/rtnetlink.c:2900
page_owner free stack trace missing
Memory state around the buggy address:
ffff88803daaff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88803daaff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803dab0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803dab0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803dab0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
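As an added example that is not part of this thread or of the n_gsm driver, here is a small triage helper for reports of this shape. It parses the BUG line, the access line, the "Allocated by" and "Freed by" stacks and the object description, then computes the offset of the access inside the object and names the first frame on each stack that is outside allocator and sanitizer code. The embedded sample is a trimmed copy of the report above with its wrapped lines rejoined; the `_INFRA` prefix list and the "freed by another task" heuristic are this example's own assumptions, not kernel conventions.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# Allocator/sanitizer frames (assumed prefix list): skipped when naming the
# first frame that belongs to the subsystem being debugged.
_INFRA = ("mm/kasan/", "mm/slub.c", "mm/slab.c",
          "include/linux/kasan.h", "include/linux/slab.h")
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)\s+which "
                     r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_STACK_HDR = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
_FRAME = re.compile(r"^(?P<func>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+:\d+)")

# Constructed sample: the report from the thread, trimmed to the lines the
# parser needs (wrapped lines rejoined, register and page-owner dumps omitted).
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in gsm_dlci_config+0x7b7/0x1020 drivers/tty/n_gsm.c:2588
Read of size 4 at addr ffff88803dab000c by task syz.0.361/12086
Allocated by task 12086:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kmalloc_trace_noprof+0x19e/0x2b0 mm/slub.c:4154
 kzalloc_noprof include/linux/slab.h:778 [inline]
 gsm_dlci_alloc+0x53/0x6c0 drivers/tty/n_gsm.c:2643
 gsmld_ioctl+0xb99/0x2540 drivers/tty/n_gsm.c:3876
Freed by task 12087:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kfree+0x118/0x2a0 mm/slub.c:4559
 dlci_put drivers/tty/n_gsm.c:2706 [inline]
 gsm_cleanup_mux+0x5a2/0x930 drivers/tty/n_gsm.c:3156
 gsmld_ioctl+0x13c4/0x2540 drivers/tty/n_gsm.c:3839
The buggy address belongs to the object at ffff88803dab0000
 which belongs to the cache kmalloc-2k of size 2048
"""

Frame = namedtuple("Frame", "func loc")  # loc is file:line as the kernel prints it


@dataclass
class KasanSummary:
    kind: str
    function: str
    op: str
    access_size: int
    access_addr: int
    access_pid: int
    object_base: int
    object_size: int
    cache: str
    alloc_pid: int
    free_pid: int
    alloc_stack: list
    free_stack: list

    @property
    def offset(self) -> int:
        """Byte offset of the faulting access inside the slab object."""
        return self.access_addr - self.object_base

    @property
    def cross_task_free(self) -> bool:
        """Another task freed the object: a hint for a lifetime/locking race."""
        return self.free_pid != self.access_pid


def first_subsystem_frame(frames):
    """First frame outside allocator/sanitizer code, e.g. the driver function."""
    return next((f for f in frames if not f.loc.startswith(_INFRA)), None)


def parse_kasan_report(text: str) -> KasanSummary:
    bug, acc, obj = _BUG.search(text), _ACCESS.search(text), _OBJECT.search(text)
    if not (bug and acc and obj):
        raise ValueError("not a slab-object KASAN report")
    stacks, pids, current = {"Allocated": [], "Freed": []}, {}, None
    for line in map(str.strip, text.splitlines()):
        if hdr := _STACK_HDR.match(line):
            current = hdr["what"]
            pids[current] = int(hdr["pid"])
        elif line.startswith("The buggy address"):  # both stacks are over
            current = None
        elif current and (fr := _FRAME.match(line)):
            stacks[current].append(Frame(fr["func"], fr["loc"]))
    return KasanSummary(
        bug["kind"], bug["func"], acc["op"], int(acc["size"]), int(acc["addr"], 16),
        int(acc["pid"]), int(obj["base"], 16), int(obj["size"]), obj["cache"],
        pids.get("Allocated", -1), pids.get("Freed", -1),
        stacks["Allocated"], stacks["Freed"])


def triage(s: KasanSummary) -> list:
    """Findings a reviewer would put at the top of a bug triage note."""
    a, f = first_subsystem_frame(s.alloc_stack), first_subsystem_frame(s.free_stack)
    out = [f"{s.kind} in {s.function}: {s.op} of {s.access_size} bytes at offset "
           f"{s.offset} of a {s.object_size}-byte {s.cache} object",
           f"allocated in {a.func if a else '?'} (pid {s.alloc_pid}), "
           f"freed in {f.func if f else '?'} (pid {s.free_pid})"]
    if s.cross_task_free:
        out.append("freed by a different task than the one using it: look for a "
                   "missing reference or lock between the two call paths")
    return out


if __name__ == "__main__":
    print("\n".join(triage(parse_kasan_report(SAMPLE_REPORT))))
```

On the report in this thread the helper reports a 4-byte read at offset 12 of a 2048-byte kmalloc-2k object, allocated in gsm_dlci_alloc by pid 12086 and freed in dlci_put (via gsm_cleanup_mux from gsm_config) by pid 12087. The access and the free come from two different tasks both inside gsmld_ioctl, which is the shape one expects when two ioctl paths race on a DLCI's lifetime, consistent with the reporter's suspicion above.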
* Re: BUG: KASAN: slab-use-after-free Read in gsm_dlci_config
From: Greg KH @ 2024-11-19 9:30 UTC (permalink / raw)
To: Juefei Pu; +Cc: jirislaby, linux-kernel, linux-serial
On Mon, Nov 18, 2024 at 09:22:54PM -0800, Juefei Pu wrote:
> Hello,
> We found the following issue using syzkaller on Linux v6.11.
> In function `gsm_dlci_config`, a use-after-free on object `dlci` has
> been detected.
> Since the reproducer takes around 10 seconds to trigger the bug, it
> might be a race condition one.
There are so many race conditions and other known-broken things in this
driver, please see the mailing list archives for the details. It's well
documented that no one should be using this code unless you have the
hardware and know how to lock down your system for it.
That being said, patches are gladly accepted to resolve these issues,
please send them as you have a working reproducer!
thanks,
greg k-h