Date:	Sat, 14 May 2016 13:51:16 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	Miklos Szeredi <mszeredi@...e.cz>
Cc:	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: fuse: use after free reading/writing

ping? I still see this in -next.

On 04/19/2016 10:08 AM, Sasha Levin wrote:
> Hi all,
> 
> I've hit the following while fuzzing with syzkaller inside a KVM tools guest
> running the latest -next kernel:
> 
> [ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
> [ 1065.365256] Read of size 8 by task syz-executor/2448
> [ 1065.365272] =============================================================================
> [ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
> [ 1065.365295] -----------------------------------------------------------------------------
> [ 1065.365295]
> [ 1065.365304] Disabling lock debugging due to kernel taint
> [ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
> [ 1065.365359]  __fuse_request_alloc+0x2b/0xf0
> [ 1065.365397]  ___slab_alloc+0x7af/0x870
> [ 1065.365419]  __slab_alloc.isra.22+0xf4/0x130
> [ 1065.365440]  kmem_cache_alloc+0x188/0x2b0
> [ 1065.365467]  __fuse_request_alloc+0x2b/0xf0
> [ 1065.365496]  __fuse_get_req+0x3f4/0x5b0
> [ 1065.365520]  fuse_get_req_for_background+0x22/0x30
> [ 1065.365546]  cuse_channel_open+0x210/0x830
> [ 1065.365590]  misc_open+0x42f/0x460
> [ 1065.365616]  chrdev_open+0x412/0x500
> [ 1065.365641]  do_dentry_open+0x6cc/0xba0
> [ 1065.365667]  vfs_open+0x1da/0x1f0
> [ 1065.365694]  path_openat+0x3291/0x3d10
> [ 1065.365716]  do_filp_open+0x1df/0x280
> [ 1065.365732]  do_sys_open+0x25c/0x440
> [ 1065.365745]  SyS_open+0x2d/0x40
> [ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
> [ 1065.365772]  fuse_request_free+0xa8/0xb0
> [ 1065.365784]  __slab_free+0x6a/0x2f0
> [ 1065.365796]  kmem_cache_free+0x257/0x2c0
> [ 1065.365809]  fuse_request_free+0xa8/0xb0
> [ 1065.365823]  fuse_put_request+0x2a3/0x310
> [ 1065.365836]  request_end+0x66a/0x6b0
> [ 1065.365849]  fuse_dev_do_write+0xa9d/0xc00
> [ 1065.365862]  fuse_dev_write+0x195/0x1f0
> [ 1065.365875]  __vfs_write+0x44b/0x520
> [ 1065.365888]  vfs_write+0x225/0x4a0
> [ 1065.365901]  SyS_write+0xe5/0x1b0
> [ 1065.365935]  do_syscall_64+0x2a6/0x4a0
> [ 1065.365991]  return_from_SYSCALL_64+0x0/0x6a
> [ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
> [ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
> [ 1065.366019]
> [ 1065.366019] Redzone ffff8800bad3fbb0: f0 8e 01 00 00 00 00 00                          ........
> [ 1065.366019] Object ffff8800bad3fbb8: bb bb bb bb bb bb bb bb e8 f8 d3 ba 00 88 ff ff  ................
> [ 1065.366019] Object ffff8800bad3fbc8: c0 fb d3 ba 00 88 ff ff d0 fb d3 ba 00 88 ff ff  ................
> [ 1065.366019] Object ffff8800bad3fbd8: d0 fb d3 ba 00 88 ff ff 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fbe8: 00 00 00 00 00 00 00 00 01 03 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fbf8: 38 00 00 00 00 10 00 00 01 00 00 00 00 00 00 00  8...............
> [ 1065.366019] Object ffff8800bad3fc08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc18: c9 09 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc28: 10 00 00 00 00 00 00 00 a8 fc d3 ba 00 88 ff ff  ................
> [ 1065.366019] Object ffff8800bad3fc38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc58: 18 00 00 00 fb ff ff ff 01 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc68: 03 00 00 00 02 00 00 00 48 00 00 00 00 00 00 00  ........H.......
> [ 1065.366019] Object ffff8800bad3fc78: 98 90 2f b3 01 88 ff ff 00 10 00 00 00 00 00 00  ../.............
> [ 1065.366019] Object ffff8800bad3fc88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fc98: 98 fc d3 ba 00 88 ff ff 98 fc d3 ba 00 88 ff ff  ................
> [ 1065.366019] Object ffff8800bad3fca8: 07 00 00 00 18 00 00 00 00 00 00 00 01 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fcb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fcc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fcd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fce8: 00 fd d3 ba 00 88 ff ff 08 fd d3 ba 00 88 ff ff  ................
> [ 1065.366019] Object ffff8800bad3fcf8: 01 00 00 00 00 00 00 00 80 d4 ec 02 00 ea ff ff  ................
> [ 1065.366019] Object ffff8800bad3fd08: 00 10 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fd18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fd28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [ 1065.366019] Object ffff8800bad3fd38: 00 00 00 00 00 00 00 00 a0 e7 21 a5 ff ff ff ff  ..........!.....
> [ 1065.366019] Redzone ffff8800bad3fd48: 00 00 00 00 00 00 00 00                          ........
> [ 1065.366019] Padding ffff8800bad3fe80: b2 ad 0b 00 01 00 00 00                          ........
> [ 1065.366019] CPU: 1 PID: 2448 Comm: syz-executor Tainted: G    B           4.6.0-rc3-next-20160412-sasha-00024-geaec67e-dirty #3002
> [ 1065.366019]  0000000000000000 0000000014efd39a ffff8801add078b0 ffffffffa5fcce01
> [ 1065.366019]  ffffffff00000001 fffffbfff61ad290 0000000041b58ab3 ffffffffb0660568
> [ 1065.366019]  ffffffffa5fccc88 0000000014efd39a ffff8801b2bf4000 ffffffffb067e58e
> [ 1065.366019] Call Trace:
> [ 1065.366019] dump_stack (lib/dump_stack.c:53)
> [ 1065.366019] print_trailer (mm/slub.c:668)
> [ 1065.366019] object_err (mm/slub.c:675)
> [ 1065.366019] kasan_report_error (mm/kasan/report.c:180 mm/kasan/report.c:276)
> [ 1065.366019] __asan_report_load8_noabort (mm/kasan/report.c:319)
> [ 1065.366019] fuse_dev_do_read.constprop.5 (./arch/x86/include/asm/bitops.h:311 fs/fuse/dev.c:1320)
> [ 1065.366019] fuse_dev_read (fs/fuse/dev.c:1362)
> [ 1065.366019] __vfs_read (fs/read_write.c:467 fs/read_write.c:478)
> [ 1065.366019] vfs_read (fs/read_write.c:499)
> [ 1065.366019] SyS_pread64 (fs/read_write.c:651 fs/read_write.c:638)
> [ 1065.366019] do_syscall_64 (arch/x86/entry/common.c:350)
> [ 1065.366019] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
> [ 1065.366019] Memory state around the buggy address:
> [ 1065.366019]  ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1065.366019]  ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [ 1065.366019]                                                              ^
> [ 1065.366019]  ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 1065.366019]  ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 
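The report above carries everything a triager needs (access kind and size, faulting function, the allocation and free stacks, and the shadow bytes KASAN printed around the address), but it arrives wrapped in quote markers and dmesg timestamps. The following helper is an added example, not code from the report or from the kernel tree: it strips that wrapping, pulls out the structured fields, and decodes the shadow byte covering the faulting address. The shadow poison values are the ones defined in mm/kasan/kasan.h for generic KASAN; SAMPLE is the report quoted in the message above, trimmed to a few frames per stack.

```python
"""KASAN report triage helper (added example, not part of the report above)."""
import re

# Shadow byte values from mm/kasan/kasan.h (generic KASAN).  One shadow byte
# covers 8 bytes of memory: 0x00 = all 8 addressable, 0x01..0x07 = that many
# leading bytes addressable, anything else is a poison marker.
SHADOW_POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xfa: "global redzone", 0xfb: "freed heap object",
    0xfc: "heap redzone", 0xfe: "page redzone", 0xff: "freed page",
}

PREFIX = re.compile(r"^\s*>?\s*\[\s*\d+\.\d+\]\s?")  # mail quote + dmesg timestamp
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                 r"\+0x[0-9a-f]+/0x[0-9a-f]+ at addr (?P<addr>[0-9a-f]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) "
                    r"by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}):"
                    r"(?P<bytes>(?:\s+[0-9a-f]{2}){16})$")

# Constructed sample: the report quoted above, trimmed to a few frames per stack.
SAMPLE = """\
> [ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
> [ 1065.365256] Read of size 8 by task syz-executor/2448
> [ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
> [ 1065.365359]  __fuse_request_alloc+0x2b/0xf0
> [ 1065.365440]  kmem_cache_alloc+0x188/0x2b0
> [ 1065.365467]  __fuse_request_alloc+0x2b/0xf0
> [ 1065.365496]  __fuse_get_req+0x3f4/0x5b0
> [ 1065.365546]  cuse_channel_open+0x210/0x830
> [ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
> [ 1065.365772]  fuse_request_free+0xa8/0xb0
> [ 1065.365796]  kmem_cache_free+0x257/0x2c0
> [ 1065.365809]  fuse_request_free+0xa8/0xb0
> [ 1065.365823]  fuse_put_request+0x2a3/0x310
> [ 1065.365836]  request_end+0x66a/0x6b0
> [ 1065.365849]  fuse_dev_do_write+0xa9d/0xc00
> [ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
> [ 1065.366019] Memory state around the buggy address:
> [ 1065.366019]  ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [ 1065.366019]                                                              ^
> [ 1065.366019]  ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_kasan_report(text):
    """Return a dict with kind/func/addr/op/size/task, both stacks and the shadow map."""
    report = {"kind": None, "func": None, "addr": None, "op": None, "size": None,
              "task": None, "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None  # which stack (if any) the next frame lines belong to
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = BUG.search(line)
        if m:
            report.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
            continue
        m = ACCESS.search(line)
        if m:
            report.update(op=m["op"], size=int(m["size"]), task=m["task"])
            continue
        if line.startswith("INFO: Allocated in"):
            section = "alloc_stack"
            continue
        if line.startswith("INFO: Freed in"):
            section = "free_stack"
            continue
        m = SHADOW.match(line)
        if m:  # each printed byte is the shadow of 8 bytes starting at base + 8*i
            base = int(m["base"], 16)
            for i, b in enumerate(m["bytes"].split()):
                report["shadow"][base + 8 * i] = int(b, 16)
            continue
        m = FRAME.match(line)
        if m and section:
            report[section].append(m["func"])
            continue
        section = None  # any other line ends the current stack section
    return report


def shadow_for(report, addr=None):
    """Decode the shadow byte covering addr (default: the faulting address)."""
    addr = report["addr"] if addr is None else addr
    b = report["shadow"].get(addr & ~7)
    if b is None:
        return None, "shadow not printed"
    if b == 0:
        return b, "addressable"
    if b < 8:
        return b, f"first {b} bytes addressable"
    return b, SHADOW_POISON.get(b, "unknown poison")


def summarize(report):
    b, meaning = shadow_for(report)
    return (f"{report['kind']}: {report['op']} of {report['size']} bytes in "
            f"{report['func']} by {report['task']}; shadow 0x{b:02x} ({meaning}); "
            f"allocated via {' <- '.join(report['alloc_stack'])}; "
            f"freed via {' <- '.join(report['free_stack'])}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run on the sample, the decoded shadow byte is 0xfb (freed heap object), which is what KASAN's "use-after-free" classification rests on; the free stack shows the object going away under request_end() from the fuse_dev_do_write() path while fuse_dev_do_read() still dereferences it. Feeding the script a full report with the "Allocated in ... pid=-1" line (as above, where the tracking data itself was overwritten) still works, because only the indented frame lines are used for the stacks.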
