lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000000000000441a4205995eca11@google.com>
Date:   Tue, 10 Dec 2019 11:48:02 -0800
From:   syzbot <syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     andreyknvl@...gle.com, hverkuil@...all.nl, jrdr.linux@...il.com,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        linux-usb@...r.kernel.org, mchehab@...nel.org, rfontana@...hat.com,
        stern@...land.harvard.edu, syzkaller-bugs@...glegroups.com,
        tglx@...utronix.de
Subject: Re: Re: KASAN: use-after-free Read in usbvision_v4l2_open

> On Mon, 9 Dec 2019, syzbot wrote:

>> Hello,

>> syzbot found the following crash on:

>> HEAD commit:    1f22d15c usb: gadget: add raw-gadget interface
>> git tree:       https://github.com/google/kasan.git usb-fuzzer
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1296f42ae00000
>> kernel config:   
>> https://syzkaller.appspot.com/x/.config?x=8ccee2968018adcb
>> dashboard link:  
>> https://syzkaller.appspot.com/bug?extid=c7b0ec009a216143df30
>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

>> Unfortunately, I don't have any reproducer for this crash yet.

>> IMPORTANT: if you fix the bug, please add the following tag to the  
>> commit:
>> Reported-by: syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com

>> ==================================================================
>> BUG: KASAN: use-after-free in __mutex_lock_common
>> kernel/locking/mutex.c:1043 [inline]
>> BUG: KASAN: use-after-free in __mutex_lock+0x124d/0x1360
>> kernel/locking/mutex.c:1106
>> Read of size 8 at addr ffff8881cad4d8b8 by task v4l_id/4526

>> CPU: 0 PID: 4526 Comm: v4l_id Not tainted 5.4.0-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>    __dump_stack lib/dump_stack.c:77 [inline]
>>    dump_stack+0xef/0x16e lib/dump_stack.c:118
>>    print_address_description.constprop.0+0x36/0x50 mm/kasan/report.c:374
>>    __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:506
>>    kasan_report+0xe/0x20 mm/kasan/common.c:638
>>    __mutex_lock_common kernel/locking/mutex.c:1043 [inline]
>>    __mutex_lock+0x124d/0x1360 kernel/locking/mutex.c:1106
>>    usbvision_v4l2_open+0x77/0x340
>> drivers/media/usb/usbvision/usbvision-video.c:314
>>    v4l2_open+0x20f/0x3d0 drivers/media/v4l2-core/v4l2-dev.c:423
>>    chrdev_open+0x219/0x5c0 fs/char_dev.c:414
>>    do_dentry_open+0x494/0x1120 fs/open.c:797
>>    do_last fs/namei.c:3412 [inline]
>>    path_openat+0x142b/0x4030 fs/namei.c:3529
>>    do_filp_open+0x1a1/0x280 fs/namei.c:3559
>>    do_sys_open+0x3c0/0x580 fs/open.c:1097
>>    do_syscall_64+0xb7/0x5b0 arch/x86/entry/common.c:294
>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe

> This looks like a race in v4l2_open(): The function drops the
> videodev_lock mutex before calling the video driver's open routine, and
> the device can be unregistered during the short time between.

> This patch tries to make the race much more likely to happen, for
> testing and verification.

> Andrey, will syzbot run the same test with this patch, even though it
> says it doesn't have a reproducer?

> Alan Stern

> #syz test: https://github.com/google/kasan.git 1f22d15c

This crash does not have a reproducer. I cannot test it.


> Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
> ===================================================================
> --- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
> +++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
> @@ -1585,6 +1585,7 @@ static void usbvision_disconnect(struct
>   		wake_up_interruptible(&usbvision->wait_frame);
>   		wake_up_interruptible(&usbvision->wait_stream);
>   	} else {
> +		msleep(100);
>   		usbvision_release(usbvision);
>   	}

> Index: usb-devel/drivers/media/v4l2-core/v4l2-dev.c
> ===================================================================
> --- usb-devel.orig/drivers/media/v4l2-core/v4l2-dev.c
> +++ usb-devel/drivers/media/v4l2-core/v4l2-dev.c
> @@ -419,9 +419,10 @@ static int v4l2_open(struct inode *inode
>   	video_get(vdev);
>   	mutex_unlock(&videodev_lock);
>   	if (vdev->fops->open) {
> -		if (video_is_registered(vdev))
> +		if (video_is_registered(vdev)) {
> +			msleep(200);
>   			ret = vdev->fops->open(filp);
> -		else
> +		} else
>   			ret = -ENODEV;
>   	}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ