lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000002884070614230beb@google.com>
Date: Wed, 20 Mar 2024 20:10:03 -0700
From: syzbot <syzbot+93cbd5fbb85814306ba1@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hif_usb_regout_cb

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:136 [inline]
BUG: KASAN: slab-use-after-free in skb_unref include/linux/skbuff.h:1227 [inline]
BUG: KASAN: slab-use-after-free in __kfree_skb_reason net/core/skbuff.c:1116 [inline]
BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1143
Read of size 4 at addr ffff888121db8c1c by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0-rc6-syzkaller-00190-ga788e53c05ae-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:488
 kasan_report+0xda/0x110 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x190 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 refcount_read include/linux/refcount.h:136 [inline]
 skb_unref include/linux/skbuff.h:1227 [inline]
 __kfree_skb_reason net/core/skbuff.c:1116 [inline]
 kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1143
 kfree_skb include/linux/skbuff.h:1244 [inline]
 hif_usb_regout_cb+0x15f/0x1d0 drivers/net/wireless/ath/ath9k/hif_usb.c:95
 __usb_hcd_giveback_urb+0x359/0x5c0 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x389/0x430 drivers/usb/core/hcd.c:1731
 dummy_timer+0x1415/0x3600 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x759/0xaa0 kernel/time/timer.c:2038
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2051
 __do_softirq+0x20a/0x8c1 kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x1b/0x20 drivers/acpi/processor_idle.c:113
Code: ed c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 65 48 8b 04 25 c0 b0 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d e7 5b 58 00 fb f4 <fa> c3 0f 1f 00 0f b6 47 08 3c 01 74 0b 3c 02 74 05 8b 7f 04 eb 9f
RSP: 0018:ffffffff87c07d68 EFLAGS: 00000246
RAX: 0000000000004000 RBX: 0000000000000001 RCX: ffffffff86574aa7
RDX: 0000000000000001 RSI: ffff88810369d800 RDI: ffff88810369d864
RBP: ffff88810369d864 R08: 0000000000000001 R09: ffffed103ecc6da5
R10: ffff8881f6636d2b R11: 0000000000000000 R12: ffff88810fec8000
R13: ffffffff88308580 R14: 0000000000000000 R15: 0000000000000000
 acpi_idle_enter+0xc5/0x160 drivers/acpi/processor_idle.c:707
 cpuidle_enter_state+0x83/0x500 drivers/cpuidle/cpuidle.c:267
 cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388
 cpuidle_idle_call kernel/sched/idle.c:215 [inline]
 do_idle+0x319/0x400 kernel/sched/idle.c:312
 cpu_startup_entry+0x50/0x60 kernel/sched/idle.c:410
 rest_init+0x16f/0x2b0 init/main.c:730
 arch_call_rest_init+0x13/0x30 init/main.c:827
 start_kernel+0x39a/0x480 init/main.c:1072
 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
 x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
 secondary_startup_64_no_verify+0x15e/0x16b
 </TASK>

Allocated by task 2166:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:314 [inline]
 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x156/0x310 mm/slub.c:3903
 __alloc_skb+0x287/0x330 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1296 [inline]
 htc_connect_service+0x2d7/0x9f0 drivers/net/wireless/ath/ath9k/htc_hst.c:265
 ath9k_wmi_connect+0xf1/0x1c0 drivers/net/wireless/ath/ath9k/wmi.c:275
 ath9k_init_htc_services.constprop.0+0xb3/0x820 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x23f/0x25f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
 ath9k_htc_hw_init+0x33/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:533
 ath9k_hif_usb_firmware_cb+0x272/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:1273
 request_firmware_work_func+0x13a/0x240 drivers/base/firmware_loader/main.c:1163
 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243

Freed by task 2166:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:643
 poison_slab_object mm/kasan/common.c:241 [inline]
 __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kmem_cache_free+0x10a/0x330 mm/slub.c:4363
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1051
 __kfree_skb net/core/skbuff.c:1109 [inline]
 kfree_skb_reason+0x13a/0x210 net/core/skbuff.c:1144
 kfree_skb include/linux/skbuff.h:1244 [inline]
 htc_connect_service+0x641/0x9f0 drivers/net/wireless/ath/ath9k/htc_hst.c:304
 ath9k_wmi_connect+0xf1/0x1c0 drivers/net/wireless/ath/ath9k/wmi.c:275
 ath9k_init_htc_services.constprop.0+0xb3/0x820 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x23f/0x25f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
 ath9k_htc_hw_init+0x33/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:533
 ath9k_hif_usb_firmware_cb+0x272/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:1273
 request_firmware_work_func+0x13a/0x240 drivers/base/firmware_loader/main.c:1163
 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243

The buggy address belongs to the object at ffff888121db8b40
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 220 bytes inside of
 freed 232-byte region [ffff888121db8b40, ffff888121db8c28)

The buggy address belongs to the physical page:
page:ffffea0004876e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121db8
anon flags: 0x200000000000800(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000800 ffff8881026d7000 ffffea000440c480 dead000000000005
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 2477, tgid 2477 (sshd), ts 29846224506, free_ts 29763017245
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0x139c/0x3470 mm/page_alloc.c:3311
 __alloc_pages+0x228/0x2250 mm/page_alloc.c:4567
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2190 [inline]
 allocate_slab mm/slub.c:2354 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2407
 ___slab_alloc+0x4b0/0x1860 mm/slub.c:3540
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
 __slab_alloc_node mm/slub.c:3678 [inline]
 slab_alloc_node mm/slub.c:3850 [inline]
 kmem_cache_alloc_node+0x286/0x310 mm/slub.c:3903
 __alloc_skb+0x287/0x330 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1296 [inline]
 __tcp_send_ack.part.0+0x64/0x720 net/ipv4/tcp_output.c:4206
 __tcp_send_ack net/ipv4/tcp_output.c:4238 [inline]
 tcp_send_ack+0x82/0xa0 net/ipv4/tcp_output.c:4238
 __tcp_cleanup_rbuf+0x278/0x4b0 net/ipv4/tcp.c:1491
 tcp_recvmsg_locked+0x113a/0x2450 net/ipv4/tcp.c:2547
 tcp_recvmsg+0x12e/0x670 net/ipv4/tcp.c:2577
 inet_recvmsg+0x114/0x630 net/ipv4/af_inet.c:882
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0xe2/0x170 net/socket.c:1068
 sock_read_iter+0x2c3/0x3c0 net/socket.c:1138
page last free pid 2479 tgid 2479 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x504/0xae0 mm/page_alloc.c:2346
 free_unref_page+0x33/0x2d0 mm/page_alloc.c:2486
 __folio_put_small mm/swap.c:106 [inline]
 __folio_put+0x83/0xb0 mm/swap.c:129
 folio_put include/linux/mm.h:1494 [inline]
 put_page include/linux/mm.h:1563 [inline]
 anon_pipe_buf_release+0x36c/0x430 fs/pipe.c:138
 pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
 pipe_update_tail fs/pipe.c:234 [inline]
 pipe_read+0x6fc/0x1020 fs/pipe.c:354
 call_read_iter include/linux/fs.h:2081 [inline]
 new_sync_read fs/read_write.c:395 [inline]
 vfs_read+0x9f3/0xb70 fs/read_write.c:476
 ksys_read+0x1f0/0x250 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
 ffff888121db8b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888121db8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888121db8c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff888121db8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888121db8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:	ed                   	in     (%dx),%eax
   1:	c3                   	ret
   2:	66 66 2e 0f 1f 84 00 	data16 cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00 00
   d:	66 90                	xchg   %ax,%ax
   f:	65 48 8b 04 25 c0 b0 	mov    %gs:0x3b0c0,%rax
  16:	03 00
  18:	48 8b 00             	mov    (%rax),%rax
  1b:	a8 08                	test   $0x8,%al
  1d:	75 0c                	jne    0x2b
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d e7 5b 58 00 	verw   0x585be7(%rip)        # 0x585c0f
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	c3                   	ret
  2c:	0f 1f 00             	nopl   (%rax)
  2f:	0f b6 47 08          	movzbl 0x8(%rdi),%eax
  33:	3c 01                	cmp    $0x1,%al
  35:	74 0b                	je     0x42
  37:	3c 02                	cmp    $0x2,%al
  39:	74 05                	je     0x40
  3b:	8b 7f 04             	mov    0x4(%rdi),%edi
  3e:	eb 9f                	jmp    0xffffffdf


Tested on:

commit:         a788e53c usb: usb-acpi: Fix oops due to freeing uninit..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=162fafc1180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=120566be180000


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ