| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Mar 2019 10:25:05 -0800
From: syzbot <syzbot+dc85a3260b30f5c9a531@...kaller.appspotmail.com>
To: davem@...emloft.net, dsahern@...il.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
pablo@...filter.org, syzkaller-bugs@...glegroups.com
Subject: KASAN: use-after-free Read in dst_dev_put
Hello,
syzbot found the following crash on:
HEAD commit: 7d762d69145a afs: Fix manually set volume location server ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ebb8ecc00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b76ec970784287c
dashboard link: https://syzkaller.appspot.com/bug?extid=dc85a3260b30f5c9a531
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc85a3260b30f5c9a531@...kaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in dst_dev_put+0x219/0x290 net/core/dst.c:168
Read of size 8 at addr ffff88808d1f42c0 by task ksoftirqd/1/16
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc8+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
dst_dev_put+0x219/0x290 net/core/dst.c:168
rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
free_fib_info_rcu+0x2f4/0x4a0 net/ipv4/fib_semantics.c:217
__rcu_reclaim kernel/rcu/rcu.h:240 [inline]
rcu_do_batch kernel/rcu/tree.c:2452 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
rcu_process_callbacks+0x928/0x1390 kernel/rcu/tree.c:2754
__do_softirq+0x266/0x95a kernel/softirq.c:292
run_ksoftirqd kernel/softirq.c:654 [inline]
run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Allocated by task 19257:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc mm/kasan/common.c:495 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:503
slab_post_alloc_hook mm/slab.h:440 [inline]
slab_alloc mm/slab.c:3388 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3548
anon_vma_chain_alloc mm/rmap.c:129 [inline]
anon_vma_clone+0xde/0x480 mm/rmap.c:269
anon_vma_fork+0x8f/0x4a0 mm/rmap.c:332
dup_mmap kernel/fork.c:541 [inline]
dup_mm kernel/fork.c:1320 [inline]
copy_mm kernel/fork.c:1375 [inline]
copy_process.part.0+0x350f/0x79a0 kernel/fork.c:1917
copy_process kernel/fork.c:1710 [inline]
_do_fork+0x257/0xfe0 kernel/fork.c:2227
__do_sys_clone kernel/fork.c:2334 [inline]
__se_sys_clone kernel/fork.c:2328 [inline]
__x64_sys_clone+0xbf/0x150 kernel/fork.c:2328
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 29904:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:457
kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
__cache_free mm/slab.c:3494 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3754
anon_vma_chain_free mm/rmap.c:134 [inline]
unlink_anon_vmas+0x2ba/0x870 mm/rmap.c:401
free_pgtables+0x1af/0x2f0 mm/memory.c:393
exit_mmap+0x2d1/0x530 mm/mmap.c:3141
__mmput kernel/fork.c:1047 [inline]
mmput+0x15f/0x4c0 kernel/fork.c:1068
exec_mmap fs/exec.c:1046 [inline]
flush_old_exec+0x8d9/0x1c20 fs/exec.c:1279
load_elf_binary+0x9bc/0x53f0 fs/binfmt_elf.c:869
search_binary_handler fs/exec.c:1656 [inline]
search_binary_handler+0x17f/0x570 fs/exec.c:1634
exec_binprm fs/exec.c:1698 [inline]
__do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818
do_execveat_common fs/exec.c:1865 [inline]
do_execve fs/exec.c:1882 [inline]
__do_sys_execve fs/exec.c:1963 [inline]
__se_sys_execve fs/exec.c:1958 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1958
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808d1f42a0
which belongs to the cache anon_vma_chain of size 80
The buggy address is located 32 bytes inside of
80-byte region [ffff88808d1f42a0, ffff88808d1f42f0)
The buggy address belongs to the page:
page:ffffea0002347d00 count:1 mapcount:0 mapping:ffff88821bc40640 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00026112c8 ffffea0002439488 ffff88821bc40640
raw: 0000000000000000 ffff88808d1f4000 0000000100000024 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808d1f4180: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
ffff88808d1f4200: fb fb fc fc fc fc fb fb fb fb fb fb fb fb fb fb
> ffff88808d1f4280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fc fc
^
ffff88808d1f4300: fc fc fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88808d1f4380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
Powered by blists - more mailing lists