lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 22 Dec 2022 17:40:08 +0000
From:   Sanan Hasanov <sanan.hasanov@...ghts.ucf.edu>
To:     "peterz@...radead.org" <peterz@...radead.org>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "will@...nel.org" <will@...nel.org>,
        "longman@...hat.com" <longman@...hat.com>,
        "boqun.feng@...il.com" <boqun.feng@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     "contact@...zz.com" <contact@...zz.com>,
        Paul Gazzillo <Paul.Gazzillo@....edu>,
        "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: Syzkaller found a bug: KASAN: use-after-free Write in put_pmu_ctx

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel branch: 6.1.0-rc7-next-20221201

Config file: https://drive.google.com/file/d/1JutR21cgcf28flJVyLqDniNyrExMsSn_/view?usp=sharing

Reproducer file: https://drive.google.com/file/d/1X31x8w4ULrtP_YnkD7_RCyW7FlwGewMR/view?usp=sharing

Thank you!

==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x7d/0xf0
Write of size 4 at addr ffff88810327d800 by task syz-executor.0/24706

CPU: 2 PID: 24706 Comm: syz-executor.0 Not tainted 6.1.0-rc7-next-20221201 #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x51/0x6a
 print_report+0x16f/0x4a6
 kasan_report+0xb7/0x130
 kasan_check_range+0x143/0x1d0
 _raw_spin_lock_irqsave+0x7d/0xf0
 put_pmu_ctx+0x9d/0x360
 _free_event+0x2b5/0xfb0
 free_event+0x42/0xa0
 __do_sys_perf_event_open+0x4c3/0x1c90
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fd03b442dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd03abb2bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fd03b56ff80 RCX: 00007fd03b442dcd
RDX: 0000000000000000 RSI: 000000000000082a RDI: 0000000020000140
RBP: 00007fd03b4b059c R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf64779df R14: 00007ffcf6477b80 R15: 00007fd03abb2d80
 </TASK>

Allocated by task 24706:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x82/0x90
 alloc_perf_context+0x43/0x350
 find_get_context+0xaf/0x5d0
 __do_sys_perf_event_open+0x6ce/0x1c90
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 4352:
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10e/0x1a0
 __kmem_cache_free+0x7a/0x1a0
 rcu_core+0x59e/0x17f0
 __do_softirq+0x195/0x57b

Last potentially related work creation:
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0x820
 put_ctx+0xe9/0x190
 perf_event_exit_task+0x3ce/0x540
 do_exit+0x8a5/0x2680
 do_group_exit+0xb7/0x260
 get_signal+0x1a0a/0x1b00
 arch_do_signal_or_restart+0x79/0x6b0
 exit_to_user_mode_prepare+0xd8/0x120
 syscall_exit_to_user_mode+0x21/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 kvfree_call_rcu+0x2f/0x780
 drop_sysctl_table+0x27e/0x340
 unregister_sysctl_table+0xa7/0x180
 neigh_sysctl_unregister+0x5f/0x80
 inetdev_event+0x47f/0x1280
 raw_notifier_call_chain+0xa6/0xf0
 call_netdevice_notifiers_info+0x97/0x100
 unregister_netdevice_many_notify+0x884/0x13b0
 default_device_exit_batch+0x3f4/0x530
 ops_exit_list.isra.0+0x102/0x150
 cleanup_net+0x443/0x840
 process_one_work+0x861/0x11c0
 worker_thread+0x54d/0x1140
 kthread+0x28e/0x340
 ret_from_fork+0x2c/0x50

The buggy address belongs to the object at ffff88810327d800
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
 256-byte region [ffff88810327d800, ffff88810327d900)

The buggy address belongs to the physical page:
page:00000000427018d3 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810327ca00 pfn:0x10327c
head:00000000427018d3 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
anon flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100042b40 ffffea00042bda00 dead000000000003
raw: ffff88810327ca00 000000008020001a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810327d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810327d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810327d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810327d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810327d900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Best regards,
Sanan Hasanov.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ