Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: Zubin Mithra <zsm@chromium.org>
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org,
	groeck@chromium.org, daniel@iogearbox.net, ast@kernel.org,
	kafai@fb.com, songliubraving@fb.com, yhs@fb.com
Subject: Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
Date: Wed, 17 Apr 2019 12:00:20 -0400	[thread overview]
Message-ID: <20190417160020.GB435@sasha-vm> (raw)
In-Reply-To: <20190416202958.GA3821@google.com>

On Tue, Apr 16, 2019 at 01:29:59PM -0700, Zubin Mithra wrote:
>Hello,
>
>Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
>
>Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xc8/0x129 lib/dump_stack.c:113
> print_address_description+0x67/0x230 mm/kasan/report.c:256
> kasan_report_error mm/kasan/report.c:354 [inline]
> kasan_report+0x24e/0x28c mm/kasan/report.c:412
> get_link fs/namei.c:1152 [inline]
> trailing_symlink+0x593/0x677 fs/namei.c:2326
> path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
> filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
> filename_lookup fs/namei.c:2405 [inline]
> user_path_at_empty+0x59/0x6c fs/namei.c:2677
> user_path include/linux/namei.h:62 [inline]
> do_mount+0x15c/0x17a4 fs/namespace.c:2773
> ksys_mount+0x98/0xcc fs/namespace.c:3052
> __do_sys_mount fs/namespace.c:3066 [inline]
> __se_sys_mount fs/namespace.c:3063 [inline]
> __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Allocated by task 8112:
> set_track mm/kasan/kasan.c:460 [inline]
> kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
> slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
> slab_alloc_node mm/slub.c:2706 [inline]
> slab_alloc mm/slub.c:2714 [inline]
> __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
> kstrdup+0x39/0x63 mm/util.c:56
> bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
> vfs_symlink2+0xfc/0x12b fs/namei.c:4238
> do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Freed by task 8116:
> set_track mm/kasan/kasan.c:460 [inline]
> __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
> slab_free_hook mm/slub.c:1371 [inline]
> slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
> slab_free mm/slub.c:2953 [inline]
> kfree+0x177/0x212 mm/slub.c:3906
> bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
> evict+0x30b/0x4ce fs/inode.c:558
> iput_final fs/inode.c:1550 [inline]
> iput+0x541/0x551 fs/inode.c:1576
> do_unlinkat+0x2fc/0x403 fs/namei.c:4180
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Could the following patch be applied to 4.19.y?
>1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
>
>Tests run:
>* Chrome OS tryjobs
>* Syzkaller reproducer

I've queued it up, thanks again for all these tests!

--
Thanks,
Sasha

next prev parent reply	other threads:[~2019-04-17 16:00 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-16 20:29 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode") Zubin Mithra
2019-04-17 16:00 ` Sasha Levin [this message]
2019-04-17 18:03   ` Daniel Borkmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190417160020.GB435@sasha-vm \
    --to=sashal@kernel.org \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=kafai@fb.com \
    --cc=songliubraving@fb.com \
    --cc=stable@vger.kernel.org \
    --cc=yhs@fb.com \
    --cc=zsm@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox