lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 24 Feb 2020 17:50:19 +0800
From:   Yuehaibing <yuehaibing@...wei.com>
To:     linux-kernel <linux-kernel@...r.kernel.org>,
        <netdev@...r.kernel.org>, <steffen.klassert@...unet.com>
Subject: [stable-Linux 4.4.214] BUG: KASAN: use-after-free in
 rcu_accelerate_cbs+0x2f3/0x3c0 at addr ffff88007e419db0

We get this bug report, the config and reproducing procedure is attached.

Any comment is appreciated.

[   69.865090] ==================================================================
[   69.866570] BUG: KASAN: use-after-free in rcu_accelerate_cbs+0x2f3/0x3c0 at addr ffff88007e419db0
[   69.868330] Read of size 8 by task syz-executor.15/2590
[   69.869361] =============================================================================
[   69.870969] BUG kmalloc-1024 (Not tainted): kasan: bad access detected
[   69.872263] -----------------------------------------------------------------------------
[   69.872263]
[   69.874137] Disabling lock debugging due to kernel taint
[   69.875208] INFO: Allocated in xfrm_policy_alloc+0x52/0x430 age=2914 cpu=1 pid=5773
[   69.876728]  ___slab_alloc+0x547/0x5b0
[   69.877499]  __slab_alloc+0x51/0x90
[   69.878201]  kmem_cache_alloc_trace+0x29c/0x370
[   69.879109]  xfrm_policy_alloc+0x52/0x430
[   69.879923]  xfrm_policy_construct+0x29/0x7a0
[   69.880797]  xfrm_add_policy+0x35e/0x7c0
[   69.881596]  xfrm_user_rcv_msg+0x2f0/0x5d0
[   69.882420]  netlink_rcv_skb+0x24a/0x350
[   69.883204]  xfrm_netlink_rcv+0x6e/0x90
[   69.883980]  netlink_unicast+0x413/0x5a0
[   69.884772]  netlink_sendmsg+0x987/0xbb0
[   69.885566]  sock_sendmsg+0xbc/0xf0
[   69.886264]  ___sys_sendmsg+0x663/0x7b0
[   69.887034]  __sys_sendmsg+0xd2/0x170
[   69.887775]  SyS_sendmsg+0x12/0x20
[   69.888473]  entry_SYSCALL_64_fastpath+0x1e/0x9a
[   69.889408] INFO: Freed in xfrm_policy_destroy_rcu+0x49/0x60 age=16 cpu=3 pid=5874
[   69.890904]  __slab_free+0x1bc/0x280
[   69.891632]  kfree+0x168/0x2e0
[   69.892250]  xfrm_policy_destroy_rcu+0x49/0x60
[   69.893149]  rcu_process_callbacks+0xc5c/0x13a0
[   69.894061]  __do_softirq+0x250/0x9a0
[   69.894807]  irq_exit+0x213/0x260
[   69.895487]  smp_apic_timer_interrupt+0x86/0xb0
[   69.896400]  apic_timer_interrupt+0xad/0xc0
[   69.897236]  finish_task_switch+0x157/0x680
[   69.898081]  __schedule+0x90a/0x1b70
[   69.898806]  schedule+0x9c/0x1b0
[   69.899467]  futex_wait_queue_me+0x2dd/0x590
[   69.900326]  futex_wait+0x1fb/0x5a0
[   69.901025]  do_futex+0x1dd/0x920
[   69.901698]  SyS_futex+0x1a4/0x280
[   69.902367]  entry_SYSCALL_64_fastpath+0x1e/0x9a
[   69.903254] INFO: Slab 0xffffea0001f90600 objects=24 used=12 fp=0xffff88007e418f90 flags=0x1fffff80004080
[   69.905140] INFO: Object 0xffff88007e4199f0 @offset=6640 fp=0xffff88007e41a980
[   69.905140]
[   69.906804] Bytes b4 ffff88007e4199e0: 03 00 00 00 ad 16 00 00 7a 68 fc ff 00 00 00 00  ........zh......
[   69.908675] Object ffff88007e4199f0: 80 a9 41 7e 00 88 ff ff 00 01 00 00 00 00 ad de  ..A~............
[   69.910474] Object ffff88007e419a00: 00 02 00 00 00 00 ad de 00 01 00 00 00 00 ad de  ................
[   69.912255] Object ffff88007e419a10: 00 02 00 00 00 00 ad de 00 00 00 00 00 00 00 00  ................
[   69.914083] Object ffff88007e419a20: ed 1e af de ff ff ff ff ff ff ff ff ff ff ff ff  ................
[   69.915920] Object ffff88007e419a30: 60 e3 6f 84 ff ff ff ff 40 a3 f7 83 ff ff ff ff  `.o.....@.......
[   69.917752] Object ffff88007e419a40: 00 00 00 00 00 00 00 00 00 d3 b6 82 ff ff ff ff  ................
[   69.919539] Object ffff88007e419a50: 00 00 00 00 00 00 00 00 00 02 00 00 00 00 ad de  ................
[   69.921346] Object ffff88007e419a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 80  ................
[   69.923165] Object ffff88007e419a70: c0 5c 49 82 ff ff ff ff f0 99 41 7e 00 88 ff ff  .\I.......A~....
[   69.924967] Object ffff88007e419a80: 01 00 00 00 ff ff ff ff 20 e3 6f 84 ff ff ff ff  ........ .o.....
[   69.926800] Object ffff88007e419a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.928581] Object ffff88007e419aa0: 80 d3 b6 82 ff ff ff ff 00 db b6 82 ff ff ff ff  ................
[   69.930414] Object ffff88007e419ab0: 01 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00  ........x.......
[   69.932240] Object ffff88007e419ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.934072] Object ffff88007e419ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.935944] Object ffff88007e419ae0: 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00  ................
[   69.937797] Object ffff88007e419af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.939633] Object ffff88007e419b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.941467] Object ffff88007e419b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.943314] Object ffff88007e419b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 46 76 64  .............Fvd
[   69.945111] Object ffff88007e419b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.946927] Object ffff88007e419b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.948751] Object ffff88007e419b50: fd 84 53 5e 00 00 00 00 00 00 00 00 00 00 00 00  ..S^............
[   69.950562] Object ffff88007e419b60: 60 9b 41 7e 00 88 ff ff 60 9b 41 7e 00 88 ff ff  `.A~....`.A~....
[   69.952398] Object ffff88007e419b70: 01 00 00 00 00 00 00 00 78 9b 41 7e 00 88 ff ff  ........x.A~....
[   69.954221] Object ffff88007e419b80: 78 9b 41 7e 00 88 ff ff 00 00 00 00 00 00 00 00  x.A~............
[   69.956059] Object ffff88007e419b90: 02 00 02 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
[   69.957890] Object ffff88007e419ba0: ff ff ff ff ff ff ff ff a0 e2 6f 84 ff ff ff ff  ..........o.....
[   69.959725] Object ffff88007e419bb0: 20 99 f7 83 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
[   69.961552] Object ffff88007e419bc0: 40 d3 b6 82 ff ff ff ff 00 00 00 00 00 00 00 00  @...............
[   69.963381] Object ffff88007e419bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.965211] Object ffff88007e419be0: 70 0c 4a 82 ff ff ff ff f0 99 41 7e 00 88 ff ff  p.J.......A~....
[   69.967046] Object ffff88007e419bf0: 01 00 00 00 ff ff ff ff e0 e2 6f 84 ff ff ff ff  ..........o.....
[   69.968870] Object ffff88007e419c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.970612] Object ffff88007e419c10: c0 d3 b6 82 ff ff ff ff 00 00 00 00 00 00 00 00  ................
[   69.972440] Object ffff88007e419c20: 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.974259] Object ffff88007e419c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.976097] Object ffff88007e419c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.977931] Object ffff88007e419c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.979763] Object ffff88007e419c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.981565] Object ffff88007e419c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.983397] Object ffff88007e419c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.985224] Object ffff88007e419c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.987057] Object ffff88007e419ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.988889] Object ffff88007e419cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.990728] Object ffff88007e419cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.992545] Object ffff88007e419cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.994315] Object ffff88007e419ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.996135] Object ffff88007e419cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.997968] Object ffff88007e419d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   69.999801] Object ffff88007e419d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.001636] Object ffff88007e419d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.003467] Object ffff88007e419d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.005305] Object ffff88007e419d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.007156] Object ffff88007e419d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.008692] Object ffff88007e419d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.010140] Object ffff88007e419d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.011587] Object ffff88007e419d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.013020] Object ffff88007e419d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.014472] Object ffff88007e419da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.015911] Object ffff88007e419db0: 00 00 00 00 00 00 00 00 90 d1 48 82 ff ff ff ff  ..........H.....
[   70.017367] Object ffff88007e419dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.018805] Object ffff88007e419dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.020245] Object ffff88007e419de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   70.021690] CPU: 1 PID: 2590 Comm: syz-executor.15 Tainted: G    B           4.4.214-514.55.6.9.x86_64 #1
[   70.023167] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   70.024635]  0000000000000000 1ca8148cac7f79fe ffff8803aee87c00 ffffffff819acbbb
[   70.025872]  ffff880187c07180 ffff88007e4199f0 ffff8803aee87c30 ffffffff815c0359
[   70.027107]  ffff880187c07180 ffffea0001f90600 ffff88007e4199f0 0000000000000000
[   70.028347] Call Trace:
[   70.028740]  <IRQ>  [<ffffffff819acbbb>] dump_stack+0x8f/0xd4
[   70.029673]  [<ffffffff815c0359>] print_trailer+0xf9/0x150
[   70.030532]  [<ffffffff815c7cb4>] object_err+0x34/0x40
[   70.031340]  [<ffffffff815ca652>] kasan_report.part.2+0x232/0x530
[   70.032297]  [<ffffffff81259f17>] ? trigger_load_balance+0x147/0xca0
[   70.033285]  [<ffffffff812da023>] ? rcu_accelerate_cbs+0x2f3/0x3c0
[   70.034253]  [<ffffffff8128536b>] ? perf_trace_lock+0xbb/0x4b0
[   70.035171]  [<ffffffff815caa0e>] __asan_report_load8_noabort+0x2e/0x30
[   70.036201]  [<ffffffff812da023>] rcu_accelerate_cbs+0x2f3/0x3c0
[   70.037147]  [<ffffffff812da24d>] rcu_advance_cbs+0x15d/0x4a0
[   70.038046]  [<ffffffff812e3336>] ? note_gp_changes+0xa6/0x1e0
[   70.038962]  [<ffffffff812da607>] __note_gp_changes+0x77/0x4c0
[   70.039872]  [<ffffffff812e340d>] note_gp_changes+0x17d/0x1e0
[   70.040777]  [<ffffffff812e52ac>] rcu_process_callbacks+0x11c/0x13a0
[   70.041766]  [<ffffffff812f3920>] ? msleep_interruptible+0x1b0/0x1b0
[   70.042762]  [<ffffffff8128c9e8>] ? mark_held_locks+0xc8/0x120
[   70.043675]  [<ffffffff81196510>] __do_softirq+0x250/0x9a0
[   70.044540]  [<ffffffff81197003>] irq_exit+0x213/0x260
[   70.045347]  [<ffffffff82659cb6>] smp_apic_timer_interrupt+0x86/0xb0
[   70.046342]  [<ffffffff8265776d>] apic_timer_interrupt+0xad/0xc0
[   70.047272]  <EOI>  [<ffffffff812938f8>] ? lock_release+0x6f8/0xc90
[   70.048276]  [<ffffffff81828f65>] ? task_has_perm+0x5/0x2e0
[   70.049147]  [<ffffffff818290fe>] ? task_has_perm+0x19e/0x2e0
[   70.050053]  [<ffffffff8182911d>] task_has_perm+0x1bd/0x2e0
[   70.050927]  [<ffffffff81828f65>] ? task_has_perm+0x5/0x2e0
[   70.051802]  [<ffffffff8182925c>] selinux_task_wait+0x1c/0x20
[   70.052702]  [<ffffffff8180d295>] security_task_wait+0x65/0x90
[   70.053616]  [<ffffffff8118ac01>] wait_consider_task+0x241/0x3760
[   70.054570]  [<ffffffff812d5087>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   70.055604]  [<ffffffff8118a9c0>] ? release_task+0x1310/0x1310
[   70.056520]  [<ffffffff8118e3ad>] ? do_wait+0x28d/0x920
[   70.057341]  [<ffffffff8128ce3e>] ? trace_hardirqs_on_caller+0x3fe/0x580
[   70.058384]  [<ffffffff8118e437>] do_wait+0x317/0x920
[   70.059172]  [<ffffffff8118e120>] ? wait_consider_task+0x3760/0x3760
[   70.060168]  [<ffffffff8154a43b>] ? __might_fault+0xcb/0x1b0
[   70.061051]  [<ffffffff8154a466>] ? __might_fault+0xf6/0x1b0
[   70.061937]  [<ffffffff81192882>] SyS_wait4+0xf2/0x1b0
[   70.062742]  [<ffffffff81192790>] ? SyS_waitid+0x270/0x270
[   70.063601]  [<ffffffff81189000>] ? task_stopped_code+0x100/0x100
[   70.064551]  [<ffffffff81005044>] ? lockdep_sys_exit_thunk+0x12/0x14
[   70.065542]  [<ffffffff826567e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   70.066544] Memory state around the buggy address:
[   70.067302]  ffff88007e419c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.068425]  ffff88007e419d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.069550] >ffff88007e419d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   70.070674]                                      ^
[   70.071438]  ffff88007e419e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.072564]  ffff88007e419e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.073683] ==================================================================

View attachment "xfrm.log" of type "text/plain" (1916 bytes)

View attachment "config" of type "text/plain" (152671 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ