| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Dec 2015 12:10:33 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Andreas Koensgen <ajk@...nets.uni-bremen.de>,
linux-hams@...r.kernel.org, netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>
Cc: syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: use-after-free in sixpack_close
Hello,
The following program triggers use-after-free in sixpack_close:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
int main()
{
int fd = open("/dev/ptmx", O_RDWR);
int opt = 0x7;
ioctl(fd, TIOCSETD, &opt);
return 0;
}
==================================================================
BUG: KASAN: use-after-free in del_timer+0x116/0x130 at addr ffff88005b15f788
Write of size 8 by task a.out/6775
=============================================================================
BUG kmalloc-4096 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in seq_buf_alloc+0x61/0x80 age=0 cpu=3 pid=6779
[< none >] ___slab_alloc+0x489/0x4e0 mm/slub.c:2468
[< none >] __slab_alloc+0x4c/0x90 mm/slub.c:2497
[< inline >] slab_alloc_node mm/slub.c:2560
[< inline >] slab_alloc mm/slub.c:2602
[< none >] __kmalloc+0x299/0x330 mm/slub.c:3562
[< inline >] kmalloc include/linux/slab.h:463
[< none >] seq_buf_alloc+0x61/0x80 fs/seq_file.c:39
[< none >] seq_read+0x9b1/0x11d0 fs/seq_file.c:210
[< none >] __vfs_read+0x113/0x460 fs/read_write.c:432
[< none >] vfs_read+0x106/0x310 fs/read_write.c:454
[< inline >] SYSC_read fs/read_write.c:569
[< none >] SyS_read+0x111/0x220 fs/read_write.c:562
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
INFO: Freed in kvfree+0x36/0x60 age=0 cpu=3 pid=6779
[< none >] __slab_free+0x1fc/0x320 mm/slub.c:2678
[< inline >] slab_free mm/slub.c:2833
[< none >] kfree+0x26a/0x290 mm/slub.c:3662
[< none >] kvfree+0x36/0x60 mm/util.c:324
[< inline >] seq_release fs/seq_file.c:368
[< none >] single_release+0x78/0xb0 fs/seq_file.c:605
[< none >] __fput+0x233/0x780 fs/file_table.c:208
[< none >] ____fput+0x15/0x20 fs/file_table.c:244
[< none >] task_work_run+0x16b/0x200 kernel/task_work.c:115
[< inline >] tracehook_notify_resume include/linux/tracehook.h:191
[< none >] exit_to_usermode_loop+0x180/0x1a0
arch/x86/entry/common.c:251
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[< none >] syscall_return_slowpath+0x19f/0x210
arch/x86/entry/common.c:344
[< none >] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
INFO: Slab 0xffffea00016c5600 objects=7 used=5 fp=0xffff88005b15b588
flags=0x5fffc0000004080
INFO: Object 0xffff88005b15eb10 @offset=27408 fp=0xffff88005b15d938
CPU: 1 PID: 6775 Comm: a.out Tainted: G B 4.4.0-rc5+ #165
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005de679d8 ffffffff82899fbd ffff88003e806a00
ffff88005b15eb10 ffff88005b158000 ffff88005de67a08 ffffffff816c56f4
ffff88003e806a00 ffffea00016c5600 ffff88005b15eb10 ffff88005de67b58
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82899fbd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff816c56f4>] print_trailer+0xf4/0x150 mm/slub.c:659
[<ffffffff816cbeaf>] object_err+0x2f/0x40 mm/slub.c:689
[< inline >] print_address_description mm/kasan/report.c:138
[<ffffffff816ce86d>] kasan_report_error+0x25d/0x560 mm/kasan/report.c:251
[< inline >] kasan_report mm/kasan/report.c:274
[<ffffffff816cedae>] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:300
[< inline >] timer_stats_timer_clear_start_info
include/linux/timer.h:208
[<ffffffff8144f126>] del_timer+0x116/0x130 kernel/time/timer.c:1028
[<ffffffff839f0d9f>] sixpack_close+0xbf/0x140 drivers/net/hamradio/6pack.c:688
[<ffffffff82be4239>] tty_ldisc_close.isra.1+0x99/0xe0
drivers/tty/tty_ldisc.c:471
[<ffffffff82be44d2>] tty_ldisc_kill+0x42/0x190 drivers/tty/tty_ldisc.c:753
[<ffffffff82be5a77>] tty_ldisc_release+0x117/0x260 drivers/tty/tty_ldisc.c:781
[<ffffffff82bd03da>] tty_release+0xa7a/0xff0 drivers/tty/tty_io.c:1905
[<ffffffff81716103>] __fput+0x233/0x780 fs/file_table.c:208
[<ffffffff817166d5>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8134679b>] task_work_run+0x16b/0x200 kernel/task_work.c:115
[< inline >] exit_task_work include/linux/task_work.h:21
[<ffffffff812f4d3b>] do_exit+0x8bb/0x2b20 kernel/exit.c:750
[<ffffffff812f7118>] do_group_exit+0x108/0x320 kernel/exit.c:880
[< inline >] SYSC_exit_group kernel/exit.c:891
[<ffffffff812f734d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:889
[<ffffffff85ccc3f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================
This report is then followed by a dozen of other use-after-free reports.
On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
Thank you
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists