lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAM_iQpXcBUynokBuPTYtr3s4q0HLuaKiED_M9_U6jS9HEKrojg@mail.gmail.com>
Date:   Sun, 28 Aug 2016 20:04:01 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     David Miller <davem@...emloft.net>,
        Tom Herbert <tom@...bertland.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>,
        Kostya Serebryany <kcc@...gle.com>,
        Alexander Potapenko <glider@...gle.com>
Subject: Re: kcm: use-after-free in fput of kcm socket

On Sun, Aug 28, 2016 at 3:10 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> Hello,
>
> The following program triggers use-after-free:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
>
> int main()
> {
>   int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
>   syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
>   return 0;
> }
>
>
> [  367.240184] ==================================================================
> [  367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at
> addr ffff880069bc4b30
> [  367.241034] Read of size 2 by task a.out/4045
> [  367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34
> [  367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Bochs 01/01/2011
> [  367.241034]  ffffffff884b8280 ffff880038fb7bc0 ffffffff82d1b1d9
> ffffffff00622e00
> [  367.241034]  fffffbfff1097050 ffff88003e198900 ffff880069bc4b00
> ffff880069bc4ec0
> [  367.241034]  ffff880069bc4b30 ffffffff859e90a0 ffff880038fb7be8
> ffffffff817da1fc
> [  367.241034] Call Trace:
> [  367.241034]  [<ffffffff82d1b1d9>] dump_stack+0x12e/0x185
> [  367.241034]  [<ffffffff859e90a0>] ? sock_release+0x1d0/0x1d0
> [  367.241034]  [<ffffffff817da1fc>] kasan_object_err+0x1c/0x70
> [  367.241034]  [<ffffffff817da44e>] kasan_report_error+0x1ae/0x490
> [  367.241034]  [<ffffffff859e90a0>] ? sock_release+0x1d0/0x1d0
> [  367.241034]  [<ffffffff817da7ae>] __asan_report_load2_noabort+0x3e/0x40
> [  367.241034]  [<ffffffff81836daa>] ? __fput+0x65a/0x780
> [  367.241034]  [<ffffffff81836daa>] __fput+0x65a/0x780
> [  367.241034]  [<ffffffff81836f55>] ____fput+0x15/0x20
> [  367.241034]  [<ffffffff813e3e83>] task_work_run+0xf3/0x170
> [  367.241034]  [<ffffffff8138e4b8>] do_exit+0x868/0x2c10
> [  367.241034]  [<ffffffff859e81fb>] ? sock_ioctl+0x1db/0x3d0
> [  367.241034]  [<ffffffff859e8020>] ? sock_do_ioctl+0xb0/0xb0
> [  367.241034]  [<ffffffff8186f4a0>] ? do_vfs_ioctl+0x430/0x1080
> [  367.241034]  [<ffffffff8138dc50>] ? mm_update_next_owner+0x640/0x640
> [  367.241034]  [<ffffffff8186f070>] ? ioctl_preallocate+0x210/0x210
> [  367.241034]  [<ffffffff81298549>] ? bad_area+0x69/0x80
> [  367.241034]  [<ffffffff810061de>] ? exit_to_usermode_loop+0x3e/0x210
> [  367.241034]  [<ffffffff86c253e2>] ? entry_SYSCALL_64_fastpath+0x5/0xc1
> [  367.241034]  [<ffffffff813909d8>] do_group_exit+0x108/0x330
> [  367.241034]  [<ffffffff81390c1d>] SyS_exit_group+0x1d/0x20
> [  367.241034]  [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1


Hmm, we have a double free here. I have a patch to fix it, will send it out
very soon.

Thanks!


> [  367.241034] Object at ffff880069bc4b00, in cache sock_inode_cache size: 960
> [  367.241034] Allocated:
> [  367.241034] PID = 4045
> [  367.241034]  [<ffffffff8122b7d6>] save_stack_trace+0x26/0x50
> [  367.241034]  [<ffffffff817d95e6>] save_stack+0x46/0xd0
> [  367.241034]  [<ffffffff817d985d>] kasan_kmalloc+0xad/0xe0
> [  367.241034]  [<ffffffff817d9d92>] kasan_slab_alloc+0x12/0x20
> [  367.241034]  [<ffffffff817d4fcb>] kmem_cache_alloc+0x12b/0x710
> [  367.241034]  [<ffffffff859e9ead>] sock_alloc_inode+0x1d/0x250
> [  367.241034]  [<ffffffff81888b51>] alloc_inode+0x61/0x180
> [  367.241034]  [<ffffffff8188e477>] new_inode_pseudo+0x17/0xe0
> [  367.241034]  [<ffffffff859e88c1>] sock_alloc+0x41/0x280
> [  367.241034]  [<ffffffff864e34d3>] kcm_ioctl+0x9b3/0x13e0
> [  367.241034]  [<ffffffff859e7fd5>] sock_do_ioctl+0x65/0xb0
> [  367.241034]  [<ffffffff859e82f2>] sock_ioctl+0x2d2/0x3d0
> [  367.241034]  [<ffffffff8186f1fc>] do_vfs_ioctl+0x18c/0x1080
> [  367.241034]  [<ffffffff8187017f>] SyS_ioctl+0x8f/0xc0
> [  367.241034]  [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1
> [  367.241034] Freed:
> [  367.241034] PID = 4045
> [  367.241034]  [<ffffffff8122b7d6>] save_stack_trace+0x26/0x50
> [  367.241034]  [<ffffffff817d95e6>] save_stack+0x46/0xd0
> [  367.241034]  [<ffffffff817d9e12>] kasan_slab_free+0x72/0xc0
> [  367.241034]  [<ffffffff817d6f96>] kmem_cache_free+0x76/0x300
> [  367.241034]  [<ffffffff859e9e76>] sock_destroy_inode+0x56/0x70
> [  367.241034]  [<ffffffff8188b2c7>] destroy_inode+0xc7/0x130
> [  367.241034]  [<ffffffff8188b659>] evict+0x329/0x500
> [  367.241034]  [<ffffffff8188bdd5>] iput+0x495/0x930
> [  367.241034]  [<ffffffff859e9034>] sock_release+0x164/0x1d0
> [  367.241034]  [<ffffffff859e90b6>] sock_close+0x16/0x20
> [  367.241034]  [<ffffffff81836986>] __fput+0x236/0x780
> [  367.241034]  [<ffffffff81836f55>] ____fput+0x15/0x20
> [  367.241034]  [<ffffffff813e3e83>] task_work_run+0xf3/0x170
> [  367.241034]  [<ffffffff8138e4b8>] do_exit+0x868/0x2c10
> [  367.241034]  [<ffffffff813909d8>] do_group_exit+0x108/0x330
> [  367.241034]  [<ffffffff81390c1d>] SyS_exit_group+0x1d/0x20
> [  367.241034]  [<ffffffff86c25400>] entry_SYSCALL_64_fastpath+0x23/0xc1
> [  367.241034] Memory state around the buggy address:
> [  367.241034]  ffff880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [  367.241034]  ffff880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [  367.241034] >ffff880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034]                                      ^
> [  367.241034]  ffff880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034]  ffff880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034] ==================================================================
>
>
> It is then followed by a bunch of other bugs, full log is here:
> https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt
>
>
> On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ