Date:   Tue, 12 Dec 2017 16:04:04 -0800
From:   Eric Biggers <ebiggers3@...il.com>
To:     syzbot 
        <bot+f2a32269c7d88a3653ef36f3d516f19ece83fdb5@...kaller.appspotmail.com>
Cc:     dan.carpenter@...cle.com, gregkh@...uxfoundation.org,
        hdegoede@...hat.com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, mateuszb@...tmail.fm, mingo@...nel.org,
        mingo@...hat.com, peterz@...radead.org, stern@...land.harvard.edu,
        syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
        vskrishn@...eaurora.org, yamada.masahiro@...ionext.com
Subject: Re: KASAN: use-after-free Read in __lock_acquire (2)

On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote:
> Allocated by task 3086:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>  kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
>  kmalloc include/linux/slab.h:499 [inline]
>  kzalloc include/linux/slab.h:688 [inline]
>  binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184
>  binder_poll+0x8c/0x390 drivers/android/binder.c:4286
>  ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884
>  ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455
>  SYSC_epoll_ctl fs/eventpoll.c:2106 [inline]
>  SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992
>  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
>  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
>  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
> 
> Freed by task 3086:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>  __cache_free mm/slab.c:3491 [inline]
>  kfree+0xca/0x250 mm/slab.c:3806
>  binder_free_thread drivers/android/binder.c:4211 [inline]
>  binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808
>  binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275
>  binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492
>  C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
>  compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
>  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
>  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
>  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
> 

This is a bug in the "binder" driver: binder_poll() tells the poll system to use
a waitqueue which can be freed before the file is closed.  I'll send this to the
binder maintainers and take lockdep maintainers, USB maintainers, etc. off Cc.

Eric
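The lifetime mismatch Eric describes, modelled in userspace so the sequence from the syzbot trace can be replayed and checked. This is an added example, not binder code and not from the original thread: a small wait-queue model stands in for the kernel's, a `thread_ctx` with an embedded wait head stands in for the per-thread object that `binder_get_thread()` allocates and `binder_thread_release()` frees, and `run_sequence()` replays epoll_ctl(ADD) -> the ioctl that calls `binder_thread_release()` -> epoll teardown. The "fixed" release detaches all waiters before the object goes away, which is what the kernel's existing POLLFREE wakeup achieves for epoll; that it is the right shape of fix is an inference from the trace, not something the message states. Real `kfree()` is not called in the buggy path, so the dangling access is detected rather than undefined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model of the pattern in the report: a poll() handler
 * hands the poll machinery a wait queue embedded in an object whose lifetime
 * is shorter than the file's.  Nothing here is driver code. */

struct wq_head;
struct wq_entry {
    struct wq_entry *next;
    struct wq_head *whead;   /* queue this entry sits on; NULL once detached */
};
struct wq_head { struct wq_entry *first; };

/* Per-thread object: the wait queue head lives inside it (assumed to mirror
 * the driver's per-thread struct; see the allocation stack in the report). */
struct thread_ctx {
    int alive;               /* models whether the slab object is still allocated */
    struct wq_head wait;
};

/* The open file: outlives any thread_ctx it points at. */
struct file_ctx { struct thread_ctx *thread; };

static void wq_add(struct wq_head *h, struct wq_entry *e)
{
    e->next = h->first;
    h->first = e;
    e->whead = h;
}

/* Unlink e from whichever queue it is on, reached through the entry's saved
 * head pointer, as epoll's teardown does. */
static void wq_remove(struct wq_entry *e)
{
    struct wq_entry **pp;
    if (!e->whead)
        return;
    for (pp = &e->whead->first; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }
    e->whead = NULL;
}

/* Detach every waiter from a head that is about to be freed. */
static void wq_detach_all(struct wq_head *h)
{
    while (h->first)
        wq_remove(h->first);
}

/* poll(): registers the caller's entry on the per-thread queue. */
static void drv_poll(struct file_ctx *f, struct wq_entry *e)
{
    wq_add(&f->thread->wait, e);
}

/* "Free" the thread: mark it dead and scribble over the wait head, as a slab
 * free followed by reuse would.  Modelled rather than calling free() so the
 * dangling access below can be detected instead of being undefined. */
static void thread_free(struct thread_ctx *t)
{
    t->alive = 0;
    memset(&t->wait, 0x6b, sizeof t->wait);
}

/* Buggy release path: frees the thread with waiters still queued on it. */
static void thread_release_buggy(struct file_ctx *f)
{
    thread_free(f->thread);
    f->thread = NULL;
}

/* Fixed release path: detach the waiters first, then free. */
static void thread_release_fixed(struct file_ctx *f)
{
    wq_detach_all(&f->thread->wait);
    thread_free(f->thread);
    f->thread = NULL;
}

/* epoll-side teardown (EPOLL_CTL_DEL or close of the epoll fd).  Returns 1 if
 * the entry's saved head pointer names a freed object (the read KASAN flagged),
 * 0 if the removal is safe. */
static int epoll_remove_entry(struct wq_entry *e)
{
    struct thread_ctx *owner;
    if (!e->whead)
        return 0;                         /* already detached: nothing to touch */
    owner = (struct thread_ctx *)((char *)e->whead - offsetof(struct thread_ctx, wait));
    if (!owner->alive)
        return 1;                         /* dangling head: kernel would read freed memory */
    wq_remove(e);
    return 0;
}

/* Replay the trace: epoll_ctl(ADD) -> thread release ioctl -> epoll teardown. */
static int run_sequence(int fixed)
{
    struct thread_ctx t = { 1, { NULL } };
    struct file_ctx f = { &t };
    struct wq_entry e = { NULL, NULL };

    drv_poll(&f, &e);                     /* ep_insert() -> ep_item_poll() -> poll() */
    if (fixed) thread_release_fixed(&f);  /* the ioctl path in the "Freed by" stack */
    else       thread_release_buggy(&f);
    return epoll_remove_entry(&e);        /* later epoll teardown: the reported read */
}

int main(void)
{
    printf("buggy release: use-after-free detected = %d\n", run_sequence(0));
    printf("fixed release: use-after-free detected = %d\n", run_sequence(1));
    return 0;
}
```

The point the model makes is that poll_wait() does not take a reference on whatever the wait queue head is embedded in; whoever frees that object owns the job of getting every waiter off the queue first, or of placing the head in an object that lives as long as the file.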
