| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Nov 2016 10:22:37 +0100
From: Andrey Konovalov <andreyknvl@...gle.com>
To: Oliver Hartkopp <socketcan@...tkopp.net>,
Marc Kleine-Budde <mkl@...gutronix.de>,
"David S. Miller" <davem@...emloft.net>, linux-can@...r.kernel.org,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: net/can: use-after-free in bcm_rx_thr_flush
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
A reproducer is attached.
You may need to run it a few times.
On commit 9c763584b7c8911106bb77af7e648bef09af9d80 (4.9-rc6, Nov 20).
==================================================================
BUG: KASAN: use-after-free in bcm_rx_thr_flush+0x284/0x2b0
Read of size 1 at addr ffff88006c1faae5 by task a.out/3874
page:ffffea0001b07e80 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x100000000000080(slab)
page dumped because: kasan: bad access detected
CPU: 1 PID: 3874 Comm: a.out Not tainted 4.9.0-rc6+ #427
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006ab07900 ffffffff81b472e4 ffff88006ab07990 ffff88006c1faae5
00000000000000fa 00000000000000fb ffff88006ab07980 ffffffff8150ad42
ffff88006323ce58 0000000000000246 ffff880068ca8000 0000000000000282
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81b472e4>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
[< inline >] describe_address mm/kasan/report.c:259
[<ffffffff8150ad42>] kasan_report_error+0x122/0x560 mm/kasan/report.c:365
[< inline >] kasan_report mm/kasan/report.c:387
[<ffffffff8150b1be>] __asan_report_load1_noabort+0x3e/0x40
mm/kasan/report.c:405
[< inline >] bcm_rx_do_flush net/can/bcm.c:589
[<ffffffff83577e04>] bcm_rx_thr_flush+0x284/0x2b0 net/can/bcm.c:612
[< inline >] bcm_rx_setup net/can/bcm.c:1199
[<ffffffff83578b36>] bcm_sendmsg+0xbb6/0x30e0 net/can/bcm.c:1351
[< inline >] sock_sendmsg_nosec net/socket.c:621
[<ffffffff82b7176c>] sock_sendmsg+0xcc/0x110 net/socket.c:631
[<ffffffff82b73651>] ___sys_sendmsg+0x771/0x8b0 net/socket.c:1954
[<ffffffff82b7563e>] __sys_sendmsg+0xce/0x170 net/socket.c:1988
[< inline >] SYSC_sendmsg net/socket.c:1999
[<ffffffff82b7570d>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
[<ffffffff83fc4301>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
The buggy address belongs to the object at ffff88006c1faae0
which belongs to the cache kmalloc-32 of size 32
The buggy address ffff88006c1faae5 is located 5 bytes inside
of 32-byte region [ffff88006c1faae0, ffff88006c1fab00)
Freed by task 2013:
[<ffffffff8107e236>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[<ffffffff81509e56>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[< inline >] set_track mm/kasan/kasan.c:507
[<ffffffff8150a6b3>] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
[< inline >] slab_free_hook mm/slub.c:1352
[< inline >] slab_free_freelist_hook mm/slub.c:1374
[< inline >] slab_free mm/slub.c:2951
[<ffffffff81506b98>] kfree+0xe8/0x2b0 mm/slub.c:3871
[<ffffffff819dd8c1>] selinux_cred_free+0x51/0x80 security/selinux/hooks.c:3725
[<ffffffff819ce358>] security_cred_free+0x48/0x80 security/security.c:907
[<ffffffff8117e27d>] put_cred_rcu+0xed/0x390 kernel/cred.c:116
[< inline >] __rcu_reclaim kernel/rcu/rcu.h:118
[< inline >] rcu_do_batch kernel/rcu/tree.c:2776
[< inline >] invoke_rcu_callbacks kernel/rcu/tree.c:3040
[< inline >] __rcu_process_callbacks kernel/rcu/tree.c:3007
[<ffffffff8125dfe0>] rcu_process_callbacks+0xa40/0x1190 kernel/rcu/tree.c:3024
[<ffffffff83fc70af>] __do_softirq+0x23f/0x8e5 kernel/softirq.c:284
Allocated by task 1826:
[<ffffffff8107e236>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[<ffffffff81509e56>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[< inline >] set_track mm/kasan/kasan.c:507
[<ffffffff8150a0cb>] kasan_kmalloc+0xab/0xe0 mm/kasan/kasan.c:598
[<ffffffff8150a632>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
[< inline >] slab_post_alloc_hook mm/slab.h:417
[< inline >] slab_alloc_node mm/slub.c:2708
[< inline >] slab_alloc mm/slub.c:2716
[<ffffffff815090ef>] __kmalloc_track_caller+0xcf/0x2a0 mm/slub.c:4240
[<ffffffff8146bf84>] kmemdup+0x24/0x50 mm/util.c:113
[<ffffffff819dcbe9>] selinux_cred_prepare+0x49/0xb0
security/selinux/hooks.c:3739
[<ffffffff819ce40d>] security_prepare_creds+0x7d/0xb0 security/security.c:912
[<ffffffff8117fab3>] prepare_creds+0x243/0x340 kernel/cred.c:277
[<ffffffff81181bab>] copy_creds+0x7b/0x5c0 kernel/cred.c:343
[<ffffffff81109c6e>] copy_process.part.45+0x86e/0x5b50 kernel/fork.c:1529
[< inline >] copy_process kernel/fork.c:1479
[<ffffffff8110f2fa>] _do_fork+0x1ba/0xcc0 kernel/fork.c:1933
[< inline >] SYSC_clone kernel/fork.c:2043
[<ffffffff8110fed7>] SyS_clone+0x37/0x50 kernel/fork.c:2037
[<ffffffff81006465>] do_syscall_64+0x195/0x490 arch/x86/entry/common.c:280
[<ffffffff83fc43c9>] return_from_SYSCALL_64+0x0/0x7a
arch/x86/entry/entry_64.S:251
Memory state around the buggy address:
ffff88006c1fa980: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
ffff88006c1faa00: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
>ffff88006c1faa80: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
^
ffff88006c1fab00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc 00 00
ffff88006c1fab80: 00 00 fc fc fb fb fb fb fc fc fb fb fb fb fc fc
==================================================================
Thanks!
View attachment "bcm-rx-uaf-poc.c" of type "text/x-csrc" (7860 bytes)
Powered by blists - more mailing lists