| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Apr 2024 14:12:07 +0800 From: 刘通 <lyutoon@...il.com> To: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, mchehab@...nel.org Subject: KASAN: use-after-free in snd_usbtv_pcm_close (with PoC and analysis) Hi upstream community, I was fuzzing a LTS version of Linux kernel 5.15.148 with my modified syzkaller and I found a bug named "KASAN: use-after-free in snd_usbtv_pcm_close". I tested the PoC on 5.5.148 ~ 6.8+ with sanitizer on and found sanitizer through a panic as "KASAN: use-after-free in snd_usbtv_pcm_close". The syzkaller log, report, kernel config, PoC can be found here: https://drive.google.com/file/d/12ubxzCGrkUVz8BWRwprHjRHYh3l0oMMd/view?usp=sharing # Analysis: I wrote an analysis to explain the root cause in an markdown file (in Chinese, so you may use translators to read it... Sorry about that) which can be found here: https://drive.google.com/file/d/1-TjLRqLs1_C_MDgvAy-TURxldUabW2Eq/view?usp=sharing # Step to reproduce: 1. download the zip file 2. unzip it 3. compile the kernel (5.15.148) with kernel_config 4. start the kernel with qemu vm 5. scp repro.c to the vm 6. compile the repro.cprog and run it: gcc repro.c -o exp && ./exp 7. you will see the KASAN error # Note: I didn't find any related reports on the internet, which indicates that it may be a 0day. Hope the upstream can help check and fix it. And I'll be happy to provide more information if needed. Best, Tong
Powered by blists - more mailing lists