lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 27 Dec 2023 17:02:41 +0800
From: Zhang Zhiyu <zhiyuzhang999@...il.com>
To: linux-kernel@...r.kernel.org, iommu@...ts.linux.dev, jgg@...pe.ca, 
	kevin.tian@...el.com, joro@...tes.org, will@...nel.org, robin.murphy@....com
Subject: A bug was found in Linux Kernel 6.6+: KASAN: slab-use-after-free in
 iommufd_test (with POC)

Hi upstream community,

I am fuzzing a LTS version of Linux kernel 6.6 with my modified
syzkaller and I find a bug named "KASAN: slab-use-after-free in
iommufd_test". By analyzing the call trace in bug report, I address
the root cause of this bug at drivers/iommu/iommufd. An iommufd_object
is allocated in one task through
iommufd_fops_ioctl->iommufd_ioas_alloc_ioctl->iommufd_ioas_alloc and
freed in another task through iommufd_fops_ioctl->iommufd_destroy.
Then when the kernel invokes the calls
iommufd_fops_ioctl->iommufd_test->iommufd_test_add_reserved->iommufd_put_object,
an use-after-free read will occur. Detailed report, log, repro, config
can be found in this google drive link:
https://drive.usercontent.google.com/download?id=1nDJWUstYJNcC1zJ6q1rhB5zB0uV2yGvg&export=download&authuser=0&confirm=t

The steps to reproduce the bug:
1. compile the kernel 6.6 with provided Linux-6.6.config
2. boot a qemu vm that runs the compiled kernel
3. scp the repro.c (repro.prog is not recommended) to the vm and
compile it with gcc -pthread repro.c -o repro
4. execute ./repro and you will see the output stucks for a while and
then KASAN is triggered and kernel panic.
5. you can speed up the crash by setting up another ssh shell to
execute ./repro again.

I have reproduced it on 6.6 and 6.6.1 (but haven't verified on the
latest ver 6.6.8 yet). I didn't find any related reports on the
internet, which indicates that it may be a 0day. Hope the upstream can
help check and fix it. And I'll be happy to assist if needed.

Best,
Zhiyu Zhang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ