lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1553106560.2080.5.camel@gmail.com>
Date:   Wed, 20 Mar 2019 13:29:20 -0500
From:   Tom Zanussi <tzanussi@...il.com>
To:     Pali Rohár <pali.rohar@...il.com>,
        Mario Limonciello <mario.limonciello@...l.com>
Cc:     linux-kernel@...r.kernel.org, Steven Rostedt <rostedt@...dmis.org>
Subject: dell_smbios KASAN bug

Hi,

While looking into an unrelated problem, I hit this KASAN use-after-
free warning, so thought I'd let you know.

I have no idea how to fix it, but let me know if you need more info.

Thanks

Tom

[   23.330893] ==================================================================
[   23.330987] BUG: KASAN: use-after-free in dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.330999] Read of size 2 at addr ffff88840c2bc1a8 by task systemd-udevd/479

[   23.331020] CPU: 0 PID: 479 Comm: systemd-udevd Not tainted 5.1.0-rc1+ #9
[   23.331025] Hardware name: Dell Inc. XPS 13 9360/02PG84, BIOS 2.3.1 10/03/2017
[   23.331030] Call Trace:
[   23.331043]  dump_stack+0x7c/0xbb
[   23.331059]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.331068]  print_address_description+0xc7/0x280
[   23.331080]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.331090]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.331101]  kasan_report+0x14e/0x192
[   23.331121]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.331139]  dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   23.331161]  kbd_led_init+0x2e7/0x473 [dell_laptop]
[   23.331178]  ? dmi_matched+0x2a/0x2a [dell_laptop]
[   23.331188]  ? get_device_parent.isra.28+0x2a0/0x2a0
[   23.331202]  ? lockdep_init_map+0x98/0x2c0
[   23.331229]  ? platform_device_add+0x1b5/0x3a0
[   23.331256]  dell_init+0x4ad/0xb63 [dell_laptop]
[   23.331271]  ? kbd_led_init+0x473/0x473 [dell_laptop]
[   23.331290]  ? ___slab_alloc+0x61f/0x700
[   23.331298]  ? ___slab_alloc+0x61f/0x700
[   23.331318]  ? preempt_count_sub+0x15/0x100
[   23.331339]  ? kbd_led_init+0x473/0x473 [dell_laptop]
[   23.331348]  do_one_initcall+0xbd/0x3fd
[   23.331359]  ? perf_trace_initcall_level+0x280/0x280
[   23.331369]  ? kasan_unpoison_shadow+0x30/0x40
[   23.331380]  ? __kasan_kmalloc.constprop.8+0xa0/0xd0
[   23.331397]  ? kmem_cache_alloc_trace+0x163/0x390
[   23.331405]  ? kasan_unpoison_shadow+0x30/0x40
[   23.331428]  do_init_module+0xe3/0x341
[   23.331447]  load_module+0x2fc5/0x3ad0
[   23.331528]  ? layout_and_allocate+0x1170/0x1170
[   23.331541]  ? vfs_read+0xd4/0x1b0
[   23.331558]  ? kernel_read+0x74/0xa0
[   23.331577]  ? kernel_read_file+0x148/0x320
[   23.331614]  ? seccomp_notify_release+0x110/0x110
[   23.331652]  ? __do_sys_finit_module+0x192/0x1c0
[   23.331660]  __do_sys_finit_module+0x192/0x1c0
[   23.331670]  ? __ia32_sys_init_module+0x40/0x40
[   23.331697]  ? syscall_trace_enter+0x184/0x5e0
[   23.331739]  ? mark_held_locks+0x1a/0x90
[   23.331760]  do_syscall_64+0x72/0x220
[   23.331773]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   23.331781] RIP: 0033:0x7fcb4f5f5a49
[   23.331789] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0f b4 2c 00 f7 d8 64 89 01 48
[   23.331794] RSP: 002b:00007ffc73e340b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   23.331802] RAX: ffffffffffffffda RBX: 00005599992bb850 RCX: 00007fcb4f5f5a49
[   23.331808] RDX: 0000000000000000 RSI: 00007fcb4f2e11c5 RDI: 0000000000000010
[   23.331813] RBP: 00007fcb4f2e11c5 R08: 0000000000000000 R09: 00005599992bb850
[   23.331819] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000000
[   23.331824] R13: 0000559999298f40 R14: 0000000000020000 R15: 00005599992bb850

[   23.331873] Allocated by task 479:
[   23.331886]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[   23.331893]  krealloc+0xa0/0xc0
[   23.331900]  0xffffffffc0cc0075
[   23.331909]  dmi_decode_table+0xf6/0x140
[   23.331915]  dmi_walk+0x46/0x70
[   23.331922]  0xffffffffc0cc0109
[   23.331928]  do_one_initcall+0xbd/0x3fd
[   23.331935]  do_init_module+0xe3/0x341
[   23.331941]  load_module+0x2fc5/0x3ad0
[   23.331948]  __do_sys_finit_module+0x192/0x1c0
[   23.331954]  do_syscall_64+0x72/0x220
[   23.331961]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[   23.331975] Freed by task 479:
[   23.331985]  __kasan_slab_free+0x111/0x150
[   23.331990]  kfree+0xf5/0x350
[   23.331996]  0xffffffffc0cc01d4
[   23.332002]  do_one_initcall+0xbd/0x3fd
[   23.332009]  do_init_module+0xe3/0x341
[   23.332015]  load_module+0x2fc5/0x3ad0
[   23.332022]  __do_sys_finit_module+0x192/0x1c0
[   23.332028]  do_syscall_64+0x72/0x220
[   23.332035]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[   23.332050] The buggy address belongs to the object at ffff88840c2bc1a8
                which belongs to the cache kmalloc-2k of size 2048
[   23.332061] The buggy address is located 0 bytes inside of
                2048-byte region [ffff88840c2bc1a8, ffff88840c2bc9a8)
[   23.332070] The buggy address belongs to the page:
[   23.332081] page:ffffea001030ae00 count:1 mapcount:0 mapping:ffff8884204113c0 index:0x0 compound_mapcount: 0
[   23.332091] flags: 0x17ffffc0010200(slab|head)
[   23.332100] raw: 0017ffffc0010200 ffffea0010367608 ffffea000ea31808 ffff8884204113c0
[   23.332106] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[   23.332111] page dumped because: kasan: bad access detected

[   23.332124] Memory state around the buggy address:
[   23.332134]  ffff88840c2bc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.332145]  ffff88840c2bc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.332155] >ffff88840c2bc180: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
[   23.332164]                                   ^
[   23.332175]  ffff88840c2bc200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.332185]  ffff88840c2bc280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.332194] ==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ