Message-ID: <CAM_iQpXcBUynokBuPTYtr3s4q0HLuaKiED_M9_U6jS9HEKrojg@mail.gmail.com>
Date: Sun, 28 Aug 2016 20:04:01 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: David Miller <davem@...emloft.net>,
Tom Herbert <tom@...bertland.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>
Subject: Re: kcm: use-after-free in fput of kcm socket
On Sun, Aug 28, 2016 at 3:10 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> Hello,
>
> The following program triggers use-after-free:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
>
> int main(void)
> {
>         // socket(AF_KCM, SOCK_SEQPACKET, 0): AF_KCM is 41 (0x29), SOCK_SEQPACKET is 5
>         int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul);
>         // ioctl(fd, SIOCKCMCLONE, arg): 0x89e2 is SIOCPROTOPRIVATE + 2 on the KCM socket;
>         // arg is the user address of a struct kcm_clone the kernel fills with the new fd
>         // (0x20a98000 is the address the generated program was emitted with)
>         syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul);
>         // nothing is closed explicitly; the report below shows the use-after-free in
>         // __fput() when the exiting task closes the socket cloned by this ioctl
>         return 0;
> }
>
>
> [ 367.240184] ==================================================================
> [ 367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at addr ffff880069bc4b30
> [ 367.241034] Read of size 2 by task a.out/4045
> [ 367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34
> [ 367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> [ 367.241034]  ffffffff884b8280 ffff880038fb7bc0 ffffffff82d1b1d9 ffffffff00622e00
> [ 367.241034]  fffffbfff1097050 ffff88003e198900 ffff880069bc4b00 ffff880069bc4ec0
> [ 367.241034]  ffff880069bc4b30 ffffffff859e90a0 ffff880038fb7be8 ffffffff817da1fc
> [ 367.241034] Call Trace:
> [ 367.241034] [<ffffffff82d1b1d9>] dump_stack+0x12e/0x185
> [ 367.241034] [<ffffffff859e90a0>] ? sock_release+0x1d0/0x1d0
> [ 367.241034] [<ffffffff817da1fc>] kasan_object_err+0x1c/0x70
> [ 367.241034] [<ffffffff817da44e>] kasan_report_error+0x1ae/0x490
> [ 367.241034] [<ffffffff859e90a0>] ? sock_release+0x1d0/0x1d0
> [ 367.241034] [<ffffffff817da7ae>] __asan_report_load2_noabort+0x3e/0x40
> [ 367.241034] [<ffffffff81836daa>] ? __fput+0x65a/0x780
> [ 367.241034] [<ffffffff81836daa>] __fput+0x65a/0x780
> [ 367.241034] [<ffffffff81836f55>] ____fput+0x15/0x20
> [ 367.241034] [<ffffffff813e3e83>] task_work_run+0xf3/0x170
> [ 367.241034] [<ffffffff8138e4b8>] do_exit+0x868/0x2c10
> [ 367.241034] [<ffffffff859e81fb>] ? sock_ioctl+0x1db/0x3d0
> [ 367.241034] [<ffffffff859e8020>] ? sock_do_ioctl+0xb0/0xb0
> [ 367.241034] [<ffffffff8186f4a0>] ? do_vfs_ioctl+0x430/0x1080
> [ 367.241034] [<ffffffff8138dc50>] ? mm_update_next_owner+0x640/0x640
> [ 367.241034] [<ffffffff8186f070>] ? ioctl_preallocate+0x210/0x210
> [ 367.241034] [<ffffffff81298549>] ? bad_area+0x69/0x80
> [ 367.241034] [<ffffffff810061de>] ? exit_to_usermode_loop+0x3e/0x210
> [ 367.241034] [<ffffffff86c253e2>] ? entry_SYSCALL_64_fastpath+0x5/0xc1
> [ 367.241034] [<ffffffff813909d8>] do_group_exit+0x108/0x330
> [ 367.241034] [<ffffffff81390c1d>] SyS_exit_group+0x1d/0x20
> [ 367.241034] [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1
Hmm, we have a double free here. I have a patch to fix it, will send it out
very soon.
Thanks!
> [ 367.241034] Object at ffff880069bc4b00, in cache sock_inode_cache size: 960
> [ 367.241034] Allocated:
> [ 367.241034] PID = 4045
> [ 367.241034] [<ffffffff8122b7d6>] save_stack_trace+0x26/0x50
> [ 367.241034] [<ffffffff817d95e6>] save_stack+0x46/0xd0
> [ 367.241034] [<ffffffff817d985d>] kasan_kmalloc+0xad/0xe0
> [ 367.241034] [<ffffffff817d9d92>] kasan_slab_alloc+0x12/0x20
> [ 367.241034] [<ffffffff817d4fcb>] kmem_cache_alloc+0x12b/0x710
> [ 367.241034] [<ffffffff859e9ead>] sock_alloc_inode+0x1d/0x250
> [ 367.241034] [<ffffffff81888b51>] alloc_inode+0x61/0x180
> [ 367.241034] [<ffffffff8188e477>] new_inode_pseudo+0x17/0xe0
> [ 367.241034] [<ffffffff859e88c1>] sock_alloc+0x41/0x280
> [ 367.241034] [<ffffffff864e34d3>] kcm_ioctl+0x9b3/0x13e0
> [ 367.241034] [<ffffffff859e7fd5>] sock_do_ioctl+0x65/0xb0
> [ 367.241034] [<ffffffff859e82f2>] sock_ioctl+0x2d2/0x3d0
> [ 367.241034] [<ffffffff8186f1fc>] do_vfs_ioctl+0x18c/0x1080
> [ 367.241034] [<ffffffff8187017f>] SyS_ioctl+0x8f/0xc0
> [ 367.241034] [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1
> [ 367.241034] Freed:
> [ 367.241034] PID = 4045
> [ 367.241034] [<ffffffff8122b7d6>] save_stack_trace+0x26/0x50
> [ 367.241034] [<ffffffff817d95e6>] save_stack+0x46/0xd0
> [ 367.241034] [<ffffffff817d9e12>] kasan_slab_free+0x72/0xc0
> [ 367.241034] [<ffffffff817d6f96>] kmem_cache_free+0x76/0x300
> [ 367.241034] [<ffffffff859e9e76>] sock_destroy_inode+0x56/0x70
> [ 367.241034] [<ffffffff8188b2c7>] destroy_inode+0xc7/0x130
> [ 367.241034] [<ffffffff8188b659>] evict+0x329/0x500
> [ 367.241034] [<ffffffff8188bdd5>] iput+0x495/0x930
> [ 367.241034] [<ffffffff859e9034>] sock_release+0x164/0x1d0
> [ 367.241034] [<ffffffff859e90b6>] sock_close+0x16/0x20
> [ 367.241034] [<ffffffff81836986>] __fput+0x236/0x780
> [ 367.241034] [<ffffffff81836f55>] ____fput+0x15/0x20
> [ 367.241034] [<ffffffff813e3e83>] task_work_run+0xf3/0x170
> [ 367.241034] [<ffffffff8138e4b8>] do_exit+0x868/0x2c10
> [ 367.241034] [<ffffffff813909d8>] do_group_exit+0x108/0x330
> [ 367.241034] [<ffffffff81390c1d>] SyS_exit_group+0x1d/0x20
> [ 367.241034] [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1
> [ 367.241034] Memory state around the buggy address:
> [ 367.241034]  ffff880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 367.241034]  ffff880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 367.241034] >ffff880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 367.241034]                                      ^
> [ 367.241034]  ffff880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 367.241034]  ffff880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 367.241034] ==================================================================
>
>
> It is then followed by a bunch of other bugs, full log is here:
> https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt
>
>
> On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
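The report's allocation stack shows the socket inode being allocated by sock_alloc() under kcm_ioctl() and freed from __fput() when the task exits, and the reply diagnoses a double free. As an added illustration (not kernel code, and not the patch the reply refers to), the user-space model below shows the ownership mistake that produces exactly that pattern: once a cloned socket has been installed into the fd table, the file entry owns it, and an error path that releases the object directly leaves the table entry to release it a second time at exit. The `copy_fails` flag (a copy-out to user space faulting after the fd is installed), the names ending in `_m`, and the "fixed" branch (undoing the clone by closing the fd, so teardown runs once through the owner) are this model's own assumptions, not the kernel's code paths.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFDS 8

/* Stand-in for a socket inode. The kernel really frees it; the model only
 * records the first release and counts any later one as a double free. */
struct msock {
	bool released;
};

/* Stand-in for a task's fd table, plus the counters the caller inspects. */
struct mtask {
	struct msock *files[NFDS];
	int releases;          /* first release of an object: what should happen */
	int double_releases;   /* release of an already released object: the bug */
};

/* Objects are deliberately never freed so their flag stays readable. */
static struct msock *msock_alloc(void)
{
	return calloc(1, sizeof(struct msock));
}

/* Model of sock_release(): the socket inode must go away exactly once. */
static void msock_release(struct mtask *t, struct msock *s)
{
	if (s->released) {
		t->double_releases++;   /* in the kernel: freeing already freed memory */
		return;
	}
	s->released = true;
	t->releases++;
}

static int get_unused_fd_m(const struct mtask *t)
{
	for (int fd = 0; fd < NFDS; fd++)
		if (!t->files[fd])
			return fd;
	return -1;
}

/* Model of close(2) / __fput(): the table entry goes away, then the object
 * it owned is released once. */
static void close_fd_m(struct mtask *t, int fd)
{
	struct msock *s = t->files[fd];
	if (!s)
		return;
	t->files[fd] = NULL;
	msock_release(t, s);
}

/* Model of do_exit() running __fput() for every fd still open. */
static void exit_files_m(struct mtask *t)
{
	for (int fd = 0; fd < NFDS; fd++)
		close_fd_m(t, fd);
}

/* Model of the clone ioctl: allocate a socket, install it under a new fd,
 * then report the fd number to user space. copy_fails simulates that last
 * copy-out faulting after the fd has already been installed (assumption). */
static int kcm_clone_m(struct mtask *t, bool copy_fails, bool fixed)
{
	int fd = get_unused_fd_m(t);
	if (fd < 0)
		return -1;
	struct msock *s = msock_alloc();
	t->files[fd] = s;                  /* fd_install(): the table now owns s */
	if (copy_fails) {
		if (fixed)
			close_fd_m(t, fd);         /* undo through the owner: one release */
		else
			msock_release(t, s);       /* bug: releases s behind the table's back */
		return -1;
	}
	return fd;
}

/* Runs the ioctl and then process exit; the returned counters tell whether
 * the socket was released once (correct) or twice (the double free). */
struct mtask run_scenario(bool copy_fails, bool fixed)
{
	struct mtask t;
	memset(&t, 0, sizeof(t));
	kcm_clone_m(&t, copy_fails, fixed);
	exit_files_m(&t);
	return t;
}

int main(void)
{
	struct mtask ok = run_scenario(false, false);
	struct mtask bug = run_scenario(true, false);
	struct mtask fix = run_scenario(true, true);
	printf("copy ok:         releases=%d double=%d\n", ok.releases, ok.double_releases);
	printf("copy fails, bug: releases=%d double=%d\n", bug.releases, bug.double_releases);
	printf("copy fails, fix: releases=%d double=%d\n", fix.releases, fix.double_releases);
	return (bug.double_releases == 1 && fix.double_releases == 0) ? 0 : 1;
}
```

The point the model makes is the one a reviewer checks on any clone-style syscall: after fd_install() the only legitimate way to undo the operation is through the file (close the fd or fput the file), because the exit-time __fput() will release whatever the table still points at.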