Message-ID: <CACT4Y+YQBU5X2KVKmjR8F3YW2mY1aX6Y_yDzUamQgd2rAP2_AQ@mail.gmail.com>
Date:	Fri, 22 Jan 2016 23:33:09 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Alexander Viro <viro@...iv.linux.org.uk>,
	"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Hugh Dickins <hughd@...gle.com>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	Eric Dumazet <edumazet@...gle.com>
Subject: fs: use-after-free in link_path_walk

Hello,

The following program triggers a use-after-free in link_path_walk:
https://gist.githubusercontent.com/dvyukov/fc0da4b914d607ba8129/raw/b761243c44106d74f2173745132c82d179cbdc58/gistfile1.txt

==================================================================
BUG: KASAN: use-after-free in link_path_walk+0xe13/0x1030 at addr
ffff88005f29d6e2
Read of size 1 by task syz-executor/29494
=============================================================================
BUG kmalloc-16 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in shmem_symlink+0x18c/0x600 age=2 cpu=2 pid=29504
[<      none      >] __kmalloc_track_caller+0x28e/0x320 mm/slub.c:4068
[<      none      >] kmemdup+0x24/0x50 mm/util.c:113
[<      none      >] shmem_symlink+0x18c/0x600 mm/shmem.c:2548
[<      none      >] vfs_symlink+0x218/0x3a0 fs/namei.c:3997
[<     inline     >] SYSC_symlinkat fs/namei.c:4024
[<      none      >] SyS_symlinkat+0x1ab/0x230 fs/namei.c:4004
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in shmem_evict_inode+0xa6/0x420 age=12 cpu=2 pid=29504
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] shmem_evict_inode+0xa6/0x420 mm/shmem.c:705
[<      none      >] evict+0x22c/0x500 fs/inode.c:542
[<     inline     >] iput_final fs/inode.c:1477
[<      none      >] iput+0x45f/0x860 fs/inode.c:1504
[<      none      >] do_unlinkat+0x3c0/0x830 fs/namei.c:3939
[<     inline     >] SYSC_unlink fs/namei.c:3980
[<      none      >] SyS_unlink+0x1a/0x20 fs/namei.c:3978
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea00017ca700 objects=16 used=12 fp=0xffff88005f29d6e0
flags=0x5fffc0000004080
INFO: Object 0xffff88005f29d6e0 @offset=5856 fp=0xffff88005f29d310
CPU: 3 PID: 29494 Comm: syz-executor Tainted: G    B           4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88000056fa08 ffffffff82999e2d ffff88003e807900
 ffff88005f29d6e0 ffff88005f29c000 ffff88000056fa38 ffffffff81757354
 ffff88003e807900 ffffea00017ca700 ffff88005f29d6e0 ffff88005f29d6e2

Call Trace:
 [<ffffffff8176092e>] __asan_report_load1_noabort+0x3e/0x40
mm/kasan/report.c:292
 [<ffffffff817deb33>] link_path_walk+0xe13/0x1030 fs/namei.c:1913
 [<ffffffff817df049>] path_lookupat+0x1a9/0x450 fs/namei.c:2120
 [<ffffffff817e6aad>] filename_lookup+0x18d/0x370 fs/namei.c:2155
 [<ffffffff817e6dd0>] user_path_at_empty+0x40/0x50 fs/namei.c:2393
 [<     inline     >] user_path_at include/linux/namei.h:52
 [<ffffffff8185ab29>] do_utimes+0x209/0x280 fs/utimes.c:169
 [<     inline     >] SYSC_utimensat fs/utimes.c:200
 [<ffffffff8185ada3>] SyS_utimensat+0xd3/0x130 fs/utimes.c:185
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
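As an added triage example (not code from the message, from syzkaller, or from the kernel tree), the following Python parser reads the KASAN slab-report format shown above and pulls out the pieces a responder wants first: the bug class, the faulting access and its first non-instrumentation frame, the slab cache, and the allocation and free sites with their stacks. It also flags when the object was freed by a different task than the one that touched it, which in this report (symlink body allocated in shmem_symlink, freed in shmem_evict_inode by the unlinking task, read in link_path_walk by the utimensat task) points at an object-lifetime race rather than a straight-line logic error. The embedded sample is the report above with the mail-wrapped lines rejoined and some frames dropped; the field names and helper functions are my own.

```python
import re

# Constructed sample: the KASAN report from the message above, with the
# mail-wrapped lines rejoined and several stack frames dropped for brevity.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in link_path_walk+0xe13/0x1030 at addr ffff88005f29d6e2
Read of size 1 by task syz-executor/29494
=============================================================================
BUG kmalloc-16 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in shmem_symlink+0x18c/0x600 age=2 cpu=2 pid=29504
[<      none      >] __kmalloc_track_caller+0x28e/0x320 mm/slub.c:4068
[<      none      >] kmemdup+0x24/0x50 mm/util.c:113
[<      none      >] shmem_symlink+0x18c/0x600 mm/shmem.c:2548
[<     inline     >] SYSC_symlinkat fs/namei.c:4024

INFO: Freed in shmem_evict_inode+0xa6/0x420 age=12 cpu=2 pid=29504
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] shmem_evict_inode+0xa6/0x420 mm/shmem.c:705
[<      none      >] do_unlinkat+0x3c0/0x830 fs/namei.c:3939

Call Trace:
 [<ffffffff8176092e>] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:292
 [<ffffffff817deb33>] link_path_walk+0xe13/0x1030 fs/namei.c:1913
 [<ffffffff817df049>] path_lookupat+0x1a9/0x450 fs/namei.c:2120
 [<ffffffff8185ab29>] do_utimes+0x209/0x280 fs/utimes.c:169
==================================================================
"""

OFF = r"0x[0-9a-f]+/0x[0-9a-f]+"   # the "+0xoff/0xsize" suffix on symbolized frames
HEADER_RE = re.compile(rf"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+{OFF} at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"^BUG (?P<cache>\S+) \(")
INFO_RE = re.compile(rf"INFO: (?P<event>Allocated|Freed) in (?P<func>\w+)\+{OFF} age=(?P<age>\d+) cpu=(?P<cpu>\d+) pid=(?P<pid>\d+)")
FRAME_RE = re.compile(rf"^\[<\s*(?:none|inline|[0-9a-f]+)\s*>\]\s+(?P<func>\w+)(?:\+{OFF})?\s+(?P<loc>\S+)")


def parse_kasan_report(text):
    """Turn a KASAN slab report into a dict: the bad access, the object's
    allocation and free sites (each with its stack) and the accessing call trace."""
    report = {"alloc": None, "free": None, "trace": []}
    section = None                      # which stack the next frame lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                    # a blank line terminates the current stack
            section = None
        elif m := HEADER_RE.search(line):
            report.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            report.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := CACHE_RE.match(line):
            report["cache"] = m["cache"]
        elif m := INFO_RE.search(line):
            section = "alloc" if m["event"] == "Allocated" else "free"
            report[section] = {"func": m["func"], "age": int(m["age"]), "cpu": int(m["cpu"]),
                               "pid": int(m["pid"]), "frames": []}
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif section and (m := FRAME_RE.match(line)):
            target = report["trace"] if section == "trace" else report[section]["frames"]
            target.append((m["func"], m["loc"]))
    return report


def first_kernel_frame(report):
    """First frame of the accessing stack that is not the KASAN runtime itself."""
    for func, loc in report["trace"]:
        if not loc.startswith("mm/kasan/"):
            return func, loc
    return None


def freed_by_other_task(report):
    """True when the task that freed the object is not the task that then touched it:
    a strong hint of a lifetime/race bug rather than a single-threaded logic error."""
    return report["free"] is not None and report["free"]["pid"] != report["pid"]


def summarize(report):
    a, f = report["alloc"], report["free"]
    func, loc = first_kernel_frame(report)
    race = "  <- freed by a different task: likely a race" if freed_by_other_task(report) else ""
    return "\n".join([
        f"{report['kind']}: {report['op']} of {report['size']} byte(s) in {func} ({loc})",
        f"  object: {report['cache']} @ {report['addr']:#x}",
        f"  allocated by pid {a['pid']} in {a['func']} (age={a['age']} jiffies)",
        f"  freed     by pid {f['pid']} in {f['func']} (age={f['age']} jiffies)",
        f"  accessed  by pid {report['pid']} ({report['task']}){race}",
    ])


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

The parser keys only on the parts of the format that are stable across reports (the `BUG: KASAN:` header, the `Read/Write of size` line, the SLUB `INFO: Allocated/Freed` track lines and the bracketed frames), so it copes with reports that lack symbolized addresses (`[<none>]`) or contain inlined frames without offsets. The cross-task check is the quick signal that distinguishes this class of bug from a plain double-free or stale-pointer mistake within one call path.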
