lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+YxAC3uV8UFKFn3mDiCGdo=z9xwSKS_SK+rRA+8=4RpuQ@mail.gmail.com>
Date:   Wed, 14 Apr 2021 07:56:13 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+0806291048161061627c@...kaller.appspotmail.com>
Cc:     Dmitry Safonov <0x7f454c46@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Albert Ou <aou@...s.berkeley.edu>, chenhuang5@...wei.com,
        LKML <linux-kernel@...r.kernel.org>,
        linux-riscv <linux-riscv@...ts.infradead.org>,
        Palmer Dabbelt <palmer@...belt.com>,
        Paul Walmsley <paul.walmsley@...ive.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Kefeng Wang <wangkefeng.wang@...wei.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in get_wchan

On Wed, Apr 14, 2021 at 7:52 AM syzbot
<syzbot+0806291048161061627c@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    b2b3d18f riscv: Make NUMA depend on MMU
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0806291048161061627c@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
> BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
> Read of size 8 at addr ffffffe0058e3d90 by task syz-executor.0/4667
>
> CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> [<ffffffe000009706>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
> [<ffffffe002a5f182>] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
> [<ffffffe002a5f1b2>] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
> [<ffffffe002a68a3e>] __dump_stack lib/dump_stack.c:79 [inline]
> [<ffffffe002a68a3e>] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
> [<ffffffe0003bc802>] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
> [<ffffffe0003bcd24>] __kasan_report mm/kasan/report.c:399 [inline]
> [<ffffffe0003bcd24>] kasan_report+0x16e/0x18c mm/kasan/report.c:416
> [<ffffffe0003bd588>] check_region_inline mm/kasan/generic.c:180 [inline]
> [<ffffffe0003bd588>] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
> [<ffffffe000009a98>] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]

If it's walking the stack of another task, then it needs to use
READ_ONCE_NOCHECK. See x86/arm64/s390 for examples:
https://elixir.bootlin.com/linux/v5.12-rc7/A/ident/READ_ONCE_NOCHECK

> [<ffffffe000009a98>] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
> [<ffffffe000553364>] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
> [<ffffffe000554458>] proc_single_show+0x9c/0x13c fs/proc/base.c:774
> [<ffffffe00045000c>] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
> [<ffffffe00045081e>] seq_read+0x200/0x298 fs/seq_file.c:159
> [<ffffffe0003f9210>] vfs_read+0x108/0x2ac fs/read_write.c:494
> [<ffffffe0003f9724>] ksys_read+0xb4/0x1b8 fs/read_write.c:634
> [<ffffffe0003f9850>] __do_sys_read fs/read_write.c:644 [inline]
> [<ffffffe0003f9850>] sys_read+0x28/0x36 fs/read_write.c:642
> [<ffffffe000005572>] ret_from_syscall+0x0/0x2
>
> The buggy address belongs to the page:
> page:ffffffcf0216b8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85ae3
> flags: 0xffe000000000000()
> raw: 0ffe000000000000 ffffffcf0216b8c8 ffffffcf0216b8c8 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffffffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffffffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffffffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                          ^
>  ffffffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffffffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000009862e005bfe859c8%40google.com.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ