lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210820100916.oyjwyteskvbxwyvg@example.org>
Date:   Fri, 20 Aug 2021 12:09:16 +0200
From:   Alexey Gladkov <legion@...nel.org>
To:     syzbot <syzbot+01985d7909f9468f013c@...kaller.appspotmail.com>
Cc:     ebiederm@...ssion.com, hdanton@...a.com,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+01985d7909f9468f013c@...kaller.appspotmail.com
> 
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> ==================================================================
> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
> 
> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
>  print_address_description+0x66/0x3b0 mm/kasan/report.c:233
>  __kasan_report mm/kasan/report.c:419 [inline]
>  kasan_report+0x163/0x210 mm/kasan/report.c:436
>  check_region_inline mm/kasan/generic.c:135 [inline]
>  kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
>  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>  atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>  atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>  dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>  release_task+0x2d3/0x1590 kernel/exit.c:191

void release_task(struct task_struct *p)
{
...
	/* don't need to get the RCU readlock here - the process is dead and
	 * can't be modifying its own credentials. But shut RCU-lockdep up */
	rcu_read_lock();
	dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
	rcu_read_unlock();
...
}

It looks like the ucounts have been released before this in the put_cred_rcu().

>  exit_notify kernel/exit.c:699 [inline]
>  do_exit+0x1aa2/0x2510 kernel/exit.c:845
>  do_group_exit+0x168/0x2d0 kernel/exit.c:922
>  get_signal+0x16b0/0x2080 kernel/signal.c:2808
>  arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
>  handle_signal_work kernel/entry/common.c:148 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>  exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
>  syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
>  do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x445a69
> Code: Unable to access opcode bytes at RIP 0x445a3f.
> RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> 
> Allocated by task 8441:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track mm/kasan/common.c:46 [inline]
>  set_alloc_info mm/kasan/common.c:434 [inline]
>  ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
>  kasan_kmalloc include/linux/kasan.h:264 [inline]
>  kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
>  kmalloc include/linux/slab.h:591 [inline]
>  kzalloc include/linux/slab.h:721 [inline]
>  alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
>  set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
>  __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Freed by task 13:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>  kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
>  ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
>  kasan_slab_free include/linux/kasan.h:230 [inline]
>  slab_free_hook mm/slub.c:1628 [inline]
>  slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
>  slab_free mm/slub.c:3213 [inline]
>  kfree+0xcf/0x2e0 mm/slub.c:4267
>  put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
>  put_cred_rcu+0x221/0x400 kernel/cred.c:124
>  rcu_do_batch kernel/rcu/tree.c:2550 [inline]
>  rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
>  __do_softirq+0x372/0x783 kernel/softirq.c:558
> 
> Last potentially related work creation:
>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>  queue_work include/linux/workqueue.h:507 [inline]
>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>  device_create_groups_vargs drivers/base/core.c:4014 [inline]
>  device_create+0x241/0x2d0 drivers/base/core.c:4056
>  vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
>  con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
>  tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
>  tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
>  tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
>  tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
>  chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
>  do_dentry_open+0x7cb/0x1020 fs/open.c:826
>  do_open fs/namei.c:3374 [inline]
>  path_openat+0x27e7/0x36b0 fs/namei.c:3507
>  do_filp_open+0x253/0x4d0 fs/namei.c:3534
>  do_sys_openat2+0x124/0x460 fs/open.c:1204
>  do_sys_open fs/open.c:1220 [inline]
>  __do_sys_open fs/open.c:1228 [inline]
>  __se_sys_open fs/open.c:1224 [inline]
>  __x64_sys_open+0x221/0x270 fs/open.c:1224
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Second to last potentially related work creation:
>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>  queue_work include/linux/workqueue.h:507 [inline]
>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>  kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
>  uevent_store+0x20/0x60 drivers/base/core.c:2372
>  kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
>  call_write_iter include/linux/fs.h:2114 [inline]
>  new_sync_write fs/read_write.c:518 [inline]
>  vfs_write+0xa39/0xc90 fs/read_write.c:605
>  ksys_write+0x171/0x2a0 fs/read_write.c:658
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> The buggy address belongs to the object at ffff888025b8ef00
>  which belongs to the cache kmalloc-192 of size 192
> The buggy address is located 128 bytes inside of
>  192-byte region [ffff888025b8ef00, ffff888025b8efc0)
> The buggy address belongs to the page:
> page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
> flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
> raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
>  prep_new_page mm/page_alloc.c:2436 [inline]
>  get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
>  __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
>  alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
>  alloc_slab_page mm/slub.c:1691 [inline]
>  allocate_slab+0xf1/0x540 mm/slub.c:1831
>  new_slab mm/slub.c:1894 [inline]
>  new_slab_objects mm/slub.c:2640 [inline]
>  ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
>  __slab_alloc mm/slub.c:2843 [inline]
>  slab_alloc_node mm/slub.c:2925 [inline]
>  slab_alloc mm/slub.c:2967 [inline]
>  kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
>  kmalloc include/linux/slab.h:591 [inline]
>  kzalloc include/linux/slab.h:721 [inline]
>  call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
>  kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>  __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
>  video_register_device include/media/v4l2-dev.h:384 [inline]
>  vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
>  vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
>  vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
>  platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
>  call_driver_probe+0x96/0x250 drivers/base/dd.c:517
>  really_probe+0x223/0x9b0 drivers/base/dd.c:595
>  __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
> page_owner free stack trace missing
> 
> Memory state around the buggy address:
>  ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>  ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>                    ^
>  ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
> ==================================================================
> 

-- 
Rgrds, legion

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ