Date:   Tue, 9 Jan 2018 19:53:28 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     David Miller <davem@...emloft.net>, vfedorenko@...dex-team.ru,
        gfree.wind@....163.com, David Ahern <dsahern@...il.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: net/8021q: memory leak in register_vlan_dev

Hello,

syzkaller has hit the following memory leak on 4.15-rc7:

unreferenced object 0xffff88007b704140 (size 256):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.848s)
  hex dump (first 32 bytes):
    00 40 b7 2c 00 88 ff ff 00 00 00 00 00 00 00 00  .@.,............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<000000004d4e9ef7>] kmalloc include/linux/slab.h:499 [inline]
    [<000000004d4e9ef7>] kzalloc include/linux/slab.h:688 [inline]
    [<000000004d4e9ef7>] vlan_info_alloc net/8021q/vlan_core.c:152 [inline]
    [<000000004d4e9ef7>] vlan_vid_add+0x710/0xb20 net/8021q/vlan_core.c:244
    [<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692

unreferenced object 0xffff88007c49aea0 (size 32):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.862s)
  hex dump (first 32 bytes):
    e0 41 70 7b 00 88 ff ff e0 41 70 7b 00 88 ff ff  .Ap{.....Ap{....
    81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<000000003d983c2c>] kmalloc include/linux/slab.h:499 [inline]
    [<000000003d983c2c>] kzalloc include/linux/slab.h:688 [inline]
    [<000000003d983c2c>] vlan_vid_info_alloc net/8021q/vlan_core.c:196 [inline]
    [<000000003d983c2c>] __vlan_vid_add net/8021q/vlan_core.c:213 [inline]
    [<000000003d983c2c>] vlan_vid_add+0x45a/0xb20 net/8021q/vlan_core.c:251
    [<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692

unreferenced object 0xffff88007d87a200 (size 4096):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.863s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<00000000b52b3185>] kmalloc include/linux/slab.h:499 [inline]
    [<00000000b52b3185>] kzalloc include/linux/slab.h:688 [inline]
    [<00000000b52b3185>] vlan_group_prealloc_vid net/8021q/vlan.c:70 [inline]
    [<00000000b52b3185>] register_vlan_dev+0x4ac/0x600 net/8021q/vlan.c:168
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692


Reproducer:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

// Reproducer entry point. It issues two ioctls: one on /dev/net/tun naming an
// interface "syz0", then one on an AF_INET datagram socket naming the same
// interface. The second is the path shown in the kmemleak backtraces
// (sock_ioctl -> vlan_ioctl_handler -> register_vlan_dev).
//
// Every ioctl argument is staged at a fixed address inside one anonymous
// mapping, so the statement order and the overlapping stores below matter.
// No syscall return value is checked: if the mmap fails, the first store
// faults; if open/socket fail, the ioctls simply run on fd -1.
// NOTE(review): both ioctls are normally gated on CAP_NET_ADMIN, which bounds
// who can reach the leaking path; confirm for the kernel under test.
int main()
{
  long r[2];
  // Fixed scratch region at 0x20000000, 0xfff000 bytes. prot 3 is
  // PROT_READ|PROT_WRITE; flags 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  // flags 0 == O_RDONLY
  r[0] = syscall(__NR_open, "/dev/net/tun", 0);
  // First ioctl argument, at 0x20927fd8: the bytes below spell "syz0\0"
  // (interface name at offset 0).
  *(uint8_t*)0x20927fd8 = 0x73;
  *(uint8_t*)0x20927fd9 = 0x79;
  *(uint8_t*)0x20927fda = 0x7a;
  *(uint8_t*)0x20927fdb = 0x30;
  *(uint8_t*)0x20927fdc = 0;
  // Offset 16 of the argument. Presumably the ifreq flags union member
  // (5 has the IFF_TUN bit set); TODO confirm against syzkaller's struct
  // description, which is not shown here.
  *(uint32_t*)0x20927fe8 = 5;
  *(uint32_t*)0x20927fec = 0;
  // Offset 24 holds a pointer to a second, zeroed 10-byte area at 0x20c15000.
  *(uint64_t*)0x20927ff0 = 0x20c15000;
  *(uint32_t*)0x20c15000 = 0;
  *(uint32_t*)0x20c15004 = 0;
  *(uint16_t*)0x20c15008 = 0;
  // 0x400454ca is TUNSETIFF (_IOW('T', 202, int)).
  syscall(__NR_ioctl, r[0], 0x400454ca, 0x20927fd8);
  // socket(AF_INET, SOCK_DGRAM, 0)
  r[1] = syscall(__NR_socket, 2, 2, 0);
  // Second ioctl argument, at 0x20006000. The 16 filler bytes are written
  // first; the stores to 0x20006000..0x20006008 further down then overwrite
  // the first nine of them, leaving bytes 9..15 as filler.
  memcpy((void*)0x20006000,
    "\x1b\x52\x03\x10\xb5\x64\xc4\x23\x54\xe2\xd0\xb8\xa1\x4e\x1a\xd7", 16);
  *(uint32_t*)0x20006010 = 0;
  *(uint32_t*)0x20006014 = 0;
  // Stores the buffer's own address at offset 0x18. Which field of the
  // kernel-side struct this lands in is not visible here; TODO confirm.
  *(uint64_t*)0x20006018 = 0x20006000;
  // First 32-bit word = 0. Presumably the VLAN command (0 == ADD_VLAN_CMD),
  // consistent with the register_vlan_device frame in the backtraces.
  *(uint32_t*)0x20006000 = 0;
  // Device name "syz0\0" at offset 4: the interface named in the tun ioctl.
  *(uint8_t*)0x20006004 = 0x73;
  *(uint8_t*)0x20006005 = 0x79;
  *(uint8_t*)0x20006006 = 0x7a;
  *(uint8_t*)0x20006007 = 0x30;
  *(uint8_t*)0x20006008 = 0;
  // 0x8983 is SIOCSIFVLAN. The process exits right after without removing
  // anything it created.
  syscall(__NR_ioctl, r[1], 0x8983, 0x20006000);
  return 0;
}
