| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Sep 2022 11:00:38 -0700
From: syzbot <syzbot+95001b1fd6dfcc716c29@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
kvalo@...nel.org, linux-kernel@...r.kernel.org,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
pabeni@...hat.com, pontus.fuchs@...il.com,
syzkaller-bugs@...glegroups.com
Subject: [syzbot] KASAN: use-after-free Read in ar5523_cmd_tx_cb
Hello,
syzbot found the following issue on:
HEAD commit: 80e19f34c288 Merge tag 'hte/for-5.19' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=134ba072080000
kernel config: https://syzkaller.appspot.com/x/.config?x=a01cb298f103d7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=95001b1fd6dfcc716c29
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=120c5c74080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1511a9fc080000
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=103b1cfc080000
final oops: https://syzkaller.appspot.com/x/report.txt?x=123b1cfc080000
console output: https://syzkaller.appspot.com/x/log.txt?x=143b1cfc080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+95001b1fd6dfcc716c29@...kaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228
Read of size 8 at addr ffff88801f6533f0 by task syz-executor407/3622
CPU: 0 PID: 3622 Comm: syz-executor407 Not tainted 5.19.0-rc7-syzkaller-00002-g80e19f34c288 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228
__usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747
dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x29b/0x9c2 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:do_raw_read_lock+0x2c/0x80 kernel/locking/spinlock_debug.c:160
Code: 00 00 00 00 00 fc ff df 55 48 89 fd 48 83 c7 08 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 04 3c 03 7e 4c 81 7d 08 ed 1e af de <75> 20 be 04 00 00 00 48 89 ef e8 95 55 68 00 b8 00 02 00 00 f0 0f
RSP: 0018:ffffc9000301fdc8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff88807497d880 RCX: ffffffff815e077e
RDX: 1ffffffff1741411 RSI: 0000000000000001 RDI: ffffffff8ba0a088
RBP: ffffffff8ba0a080 R08: 0000000000000000 R09: ffffffff90684917
R10: fffffbfff20d0922 R11: 0000000000000001 R12: 0000000000000004
R13: 0000000008000000 R14: 0000000000000000 R15: ffff88807497ddf0
ptrace_stop.part.0+0x2fd/0xa80 kernel/signal.c:2281
ptrace_stop kernel/signal.c:2232 [inline]
ptrace_do_notify+0x215/0x2b0 kernel/signal.c:2344
ptrace_notify+0xc4/0x140 kernel/signal.c:2356
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:249 [inline]
syscall_exit_to_user_mode_prepare+0xdb/0x230 kernel/entry/common.c:276
__syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcf032a8fe3
Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffd45f11e48 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fcf032a8fe3
RDX: 0000000000000004 RSI: 00007ffd45f11e70 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffd45f11dc0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd45f11e70
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the physical page:
page:ffffea00007d94c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f653
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea00007d94c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 2989, tgid 2989 (kworker/0:3), ts 45677389093, free_ts 47726640493
prep_new_page mm/page_alloc.c:2456 [inline]
get_page_from_freelist+0x1290/0x3b70 mm/page_alloc.c:4198
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
kmalloc_order+0x34/0xf0 mm/slab_common.c:945
kmalloc_order_trace+0x14/0x120 mm/slab_common.c:961
kmalloc include/linux/slab.h:605 [inline]
kzalloc include/linux/slab.h:733 [inline]
wiphy_new_nm+0x6f0/0x2080 net/wireless/core.c:440
ieee80211_alloc_hw_nm+0x373/0x2270 net/mac80211/main.c:585
ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
ar5523_probe+0x121/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1595
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:555 [inline]
really_probe+0x23e/0xb90 drivers/base/dd.c:634
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x1e4/0x530 drivers/base/dd.c:989
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
device_release+0x9f/0x240 drivers/base/core.c:2241
kobject_cleanup lib/kobject.c:673 [inline]
kobject_release lib/kobject.c:704 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x540 lib/kobject.c:721
put_device+0x1b/0x30 drivers/base/core.c:3535
ar5523_probe+0x1338/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1719
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:555 [inline]
really_probe+0x23e/0xb90 drivers/base/dd.c:634
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x1e4/0x530 drivers/base/dd.c:989
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xbda/0x1ea0 drivers/base/core.c:3428
usb_set_configuration+0x101e/0x1900 drivers/usb/core/message.c:2170
Memory state around the buggy address:
ffff88801f653280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801f653300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801f653380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88801f653400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801f653480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 7 bytes skipped:
0: df 55 48 fists 0x48(%rbp)
3: 89 fd mov %edi,%ebp
5: 48 83 c7 08 add $0x8,%rdi
9: 48 89 fa mov %rdi,%rdx
c: 48 c1 ea 03 shr $0x3,%rdx
10: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
14: 84 c0 test %al,%al
16: 74 04 je 0x1c
18: 3c 03 cmp $0x3,%al
1a: 7e 4c jle 0x68
1c: 81 7d 08 ed 1e af de cmpl $0xdeaf1eed,0x8(%rbp)
* 23: 75 20 jne 0x45 <-- trapping instruction
25: be 04 00 00 00 mov $0x4,%esi
2a: 48 89 ef mov %rbp,%rdi
2d: e8 95 55 68 00 callq 0x6855c7
32: b8 00 02 00 00 mov $0x200,%eax
37: f0 lock
38: 0f .byte 0xf
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists