lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Tue, 14 Jun 2016 18:01:35 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	Michel Lespinasse <walken@...gle.com>,
	LKML <linux-kernel@...r.kernel.org>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>
Subject: mm: BUG: KASAN: use-after-free in unmapped_area_topdown

Hi all,

I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:

[ 1292.662270] BUG: KASAN: use-after-free in unmapped_area_topdown+0x402/0x5a0 at addr ffff8801c58b7038

[ 1292.662285] Read of size 8 by task syz-executor/23061

[ 1292.662312] CPU: 4 PID: 23061 Comm: syz-executor Not tainted 4.7.0-rc3-next-20160614-sasha-00032-g8e3c1a2-dirty #3105

[ 1292.662336]  1ffff10016b04f32 0000000081187c24 ffff8800b5827a18 ffffffffa402fb57

[ 1292.662347]  ffffffff00000004 fffffbfff5e30bac 0000000041b58ab3 ffffffffaeafca90

[ 1292.662357]  ffffffffa402f9e8 ffff8800b58279e0 ffffffffa2697745 0000000081187c24

[ 1292.662360] Call Trace:

[ 1292.662406] dump_stack (lib/dump_stack.c:53)
[ 1292.662463] kasan_report_error (mm/kasan/report.c:139 mm/kasan/report.c:178 mm/kasan/report.c:274)
[ 1292.662489] __asan_report_load8_noabort (mm/kasan/report.c:317)
[ 1292.662515] unmapped_area_topdown (mm/mmap.c:1750)
[ 1292.662542] arch_get_unmapped_area_topdown (include/linux/mm.h:2077 arch/x86/kernel/sys_x86_64.c:203)
[ 1292.662603] get_unmapped_area (mm/mmap.c:1915)
[ 1292.662615] do_mmap (mm/mmap.c:1184)
[ 1292.662626] vm_mmap_pgoff (mm/util.c:304)
[ 1292.662674] SyS_mmap_pgoff (mm/mmap.c:1337 mm/mmap.c:1295)
[ 1292.662752] SyS_mmap (arch/x86/kernel/sys_x86_64.c:86)
[ 1292.662772] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1292.662833] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1292.662841] Object at ffff8801c58b7000, in cache vm_area_struct

[ 1292.662844] Object allocated with size 192 bytes.

[ 1292.662846] Allocation:

[ 1292.662849] PID = 10741

[ 1292.662869] save_stack_trace (arch/x86/kernel/stacktrace.c:68)
[ 1292.662882] save_stack (mm/kasan/kasan.c:478 mm/kasan/kasan.c:499)
[ 1292.662893] kasan_kmalloc (mm/kasan/kasan.c:510 mm/kasan/kasan.c:616)
[ 1292.662905] kasan_slab_alloc (mm/kasan/kasan.c:534)
[ 1292.662917] kmem_cache_alloc (mm/slab.h:419 include/linux/memcontrol.h:781 mm/slab.h:422 mm/slub.c:2696 mm/slub.c:2704 mm/slub.c:2709)
[ 1292.662933] copy_process (kernel/fork.c:463 kernel/fork.c:970 kernel/fork.c:1024 kernel/fork.c:1490)
[ 1292.662945] _do_fork (kernel/fork.c:1775)
[ 1292.662956] SyS_clone (kernel/fork.c:1872)
[ 1292.662967] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1292.662981] return_from_SYSCALL_64 (arch/x86/entry/entry_64.S:251)
[ 1292.662983] Memory state around the buggy address:

[ 1292.663000]  ffff8801c58b6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[ 1292.663008]  ffff8801c58b6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[ 1292.663016] >ffff8801c58b7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

[ 1292.663020]                                         ^

[ 1292.663028]  ffff8801c58b7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

[ 1292.663035]  ffff8801c58b7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ