[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BN6PR07MB3185D3400510E9D395288D71AB0C9@BN6PR07MB3185.namprd07.prod.outlook.com>
Date: Wed, 23 Nov 2022 18:38:01 +0000
From: Sanan Hasanov <sanan.hasanov@...ghts.ucf.edu>
To: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"jirislaby@...nel.org" <jirislaby@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
Paul Gazzillo <Paul.Gazzillo@....edu>
Subject: Syzkaller found a bug: KASAN: use-after-free Read in do_update_region
Good day, dear maintainers,
We found a bug using a modified kernel configuration file used by syzbot.
We enhanced the coverage of the configuration file using our tool, klocalizer.
Kernel branch: linux-next 5.11.0-rc1+ (HEAD detached at 6a4b1f2dff55)
configuration file: https://drive.google.com/file/d/18W-8umgZVSm-KwvIzcBQpxRn74Q1S_Fa/view?usp=sharing
Unfortunately, we have no reproducer for this bug yet.
Thank you!
==================================================================
BUG: KASAN: use-after-free in do_update_region+0x571/0x5f0 drivers/tty/vt/vt.c:664
Read of size 2 at addr ffff888000100000 by task (agetty)/17350
CPU: 6 PID: 17350 Comm: (agetty) Not tainted 5.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x9c/0xcf lib/dump_stack.c:120
print_address_description.constprop.0+0x1a/0x140 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x7f/0x10e mm/kasan/report.c:413
do_update_region+0x571/0x5f0 drivers/tty/vt/vt.c:664
csi_J+0x294/0xa10 drivers/tty/vt/vt.c:1568
do_con_trol+0x1c23/0x53e0 drivers/tty/vt/vt.c:2420
do_con_write+0xd92/0x1a40 drivers/tty/vt/vt.c:2911
con_write+0x21/0x40 drivers/tty/vt/vt.c:3255
process_output_block drivers/tty/n_tty.c:596 [inline]
n_tty_write+0x3d6/0xe20 drivers/tty/n_tty.c:2335
do_tty_write drivers/tty/tty_io.c:961 [inline]
tty_write+0x438/0x790 drivers/tty/tty_io.c:1045
vfs_write+0x1bf/0x760 fs/read_write.c:603
ksys_write+0x100/0x210 fs/read_write.c:658
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fe7d10101b0
Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 19 7e 20 00 c3 0f 1f 84 00 00 00 00 00 83 3d 19 c2 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24
RSP: 002b:00007ffd1dee4fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000a RCX: 00007fe7d10101b0
RDX: 000000000000000a RSI: 00007fe7d247bcbe RDI: 0000000000000003
RBP: 00007fe7d247bcbe R08: 00007ffd1dee4fa0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: ffffffffffffffff R15: 00007ffd1dee52a0
The buggy address belongs to the page:
page:000000005dd3986c refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x100
flags: 0x0()
raw: 0000000000000000 ffff8881401fa300 ffff8881401fa300 0000000000000000
raw: 0000000000000000 0000000000000008 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Best regards,
Sanan Hasanov.
Powered by blists - more mailing lists