lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Dec 2017 16:04:04 -0800 From: Eric Biggers <ebiggers3@...il.com> To: syzbot <bot+f2a32269c7d88a3653ef36f3d516f19ece83fdb5@...kaller.appspotmail.com> Cc: dan.carpenter@...cle.com, gregkh@...uxfoundation.org, hdegoede@...hat.com, linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org, mateuszb@...tmail.fm, mingo@...nel.org, mingo@...hat.com, peterz@...radead.org, stern@...land.harvard.edu, syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk, vskrishn@...eaurora.org, yamada.masahiro@...ionext.com Subject: Re: KASAN: use-after-free Read in __lock_acquire (2) On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote: > Allocated by task 3086: > save_stack+0x43/0xd0 mm/kasan/kasan.c:447 > set_track mm/kasan/kasan.c:459 [inline] > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 > kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613 > kmalloc include/linux/slab.h:499 [inline] > kzalloc include/linux/slab.h:688 [inline] > binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184 > binder_poll+0x8c/0x390 drivers/android/binder.c:4286 > ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884 > ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455 > SYSC_epoll_ctl fs/eventpoll.c:2106 [inline] > SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992 > do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] > do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 > entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 > > Freed by task 3086: > save_stack+0x43/0xd0 mm/kasan/kasan.c:447 > set_track mm/kasan/kasan.c:459 [inline] > kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 > __cache_free mm/slab.c:3491 [inline] > kfree+0xca/0x250 mm/slab.c:3806 > binder_free_thread drivers/android/binder.c:4211 [inline] > binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808 > binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275 > binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492 > C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline] > compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419 > do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] > do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 > entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 > This is a bug in the "binder" driver: binder_poll() tells the poll system to use a waitqueue which can be freed before the file is closed. I'll send this to the binder maintainers and take lockdep maintainers, USB maintainers, etc. off Cc. Eric
Powered by blists - more mailing lists