lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 24 Apr 2024 14:12:07 +0800
From: 刘通 <lyutoon@...il.com>
To: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, 
	mchehab@...nel.org
Subject: KASAN: use-after-free in snd_usbtv_pcm_close (with PoC and analysis)

Hi upstream community,

I was fuzzing a LTS version of Linux kernel 5.15.148 with my modified
syzkaller and I found a bug named "KASAN: use-after-free in
snd_usbtv_pcm_close".

I tested the PoC on 5.5.148 ~ 6.8+ with sanitizer on and found
sanitizer through a panic as "KASAN: use-after-free in
snd_usbtv_pcm_close".

The syzkaller log, report, kernel config, PoC can be found here:
https://drive.google.com/file/d/12ubxzCGrkUVz8BWRwprHjRHYh3l0oMMd/view?usp=sharing

# Analysis:
I wrote an analysis to explain the root cause in an markdown file (in
Chinese, so you may use translators to read it... Sorry about that)
which can be found here:
https://drive.google.com/file/d/1-TjLRqLs1_C_MDgvAy-TURxldUabW2Eq/view?usp=sharing

# Step to reproduce:
1. download the zip file
2. unzip it
3. compile the kernel (5.15.148) with kernel_config
4. start the kernel with qemu vm
5. scp repro.c to the vm
6. compile the repro.cprog and run it: gcc repro.c -o exp && ./exp
7. you will see the KASAN error

# Note:
I didn't find any related reports on the internet, which indicates
that it may be a 0day. Hope the upstream can help check and fix it.
And I'll be happy to provide more information if needed.

Best,
Tong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ