| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 May 2024 00:41:05 -0400 From: Shuangpeng Bai <shuangpengbai@...il.com> To: brauner@...nel.org, jack@...e.cz, jlayton@...nel.org, viro@...iv.linux.org.uk Cc: reiserfs-devel@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller@...glegroups.com Subject: KASAN: use-after-free in search_by_entry_key in kernel v6.9 Hi Kernel Maintainers, Our tool found a kernel bug KASAN: use-after-free in search_by_entry_key. Please see the details below. Kenrel commit: v6.9 (Commits on May 12, 2024) Kernel config: attachment C/Syz reproducer: attachment We find this bug was reported and marked as fixed recently. Seems Syzbot could not trigger this bug in recent kernels. (https://syzkaller.appspot.com/bug?extid=ffe24b1afbc4cb5ae8fb) Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly. Please let me know for anything I can help. Best, Shuangpeng Download attachment ".config" of type "application/octet-stream" (247338 bytes) Download attachment "repro.c" of type "application/octet-stream" (309676 bytes) [ 74.947073][ T8082] ================================================================== [ 74.947711][ T8082] BUG: KASAN: use-after-free in search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 74.948339][ T8082] Read of size 4 at addr ffff8881585e6fc4 by task a.out/8082 [ 74.948921][ T8082] [ 74.949117][ T8082] CPU: 1 PID: 8082 Comm: a.out Not tainted 6.9.0 #7 [ 74.949650][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 74.950389][ T8082] Call Trace: [ 74.950670][ T8082] <TASK> [ 74.950921][ T8082] dump_stack_lvl (lib/dump_stack.c:117) [ 74.951327][ T8082] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) [ 74.951711][ T8082] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) [ 74.952104][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 74.952548][ T8082] kasan_report (mm/kasan/report.c:603) [ 74.952920][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 74.953374][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 74.953805][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324) [ 74.954269][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305) [ 74.954771][ T8082] ? __d_alloc (fs/dcache.c:1626) [ 74.955124][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) [ 74.955524][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3)) [ 74.955901][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370) [ 74.956307][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355) [ 74.956763][ T8082] ? d_alloc (fs/dcache.c:1717) [ 74.957138][ T8082] ? d_alloc_parallel (fs/dcache.c:2458) [ 74.957584][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168) [ 74.958047][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91) [ 74.958524][ T8082] ? generic_permission (fs/namei.c:442) [ 74.958961][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693) [ 74.959368][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668) [ 74.959808][ T8082] ? __d_lookup (fs/dcache.c:2331) [ 74.960197][ T8082] ? d_lookup (fs/dcache.c:2259) [ 74.960551][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1)) [ 74.960946][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744) [ 74.961386][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577) [ 74.961795][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545) [ 74.962179][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543) [ 74.962599][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979) [ 74.963064][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173) [ 74.963533][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) [ 74.964025][ T8082] ? snprintf (lib/vsprintf.c:2954) [ 74.964400][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954) [ 74.964814][ T8082] ? errseq_sample (lib/errseq.c:131) [ 74.965228][ T8082] ? setup_bdev_super (fs/super.c:1574) [ 74.965676][ T8082] mount_bdev (fs/super.c:1659) [ 74.966062][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) [ 74.966551][ T8082] ? __pfx_mount_bdev (fs/super.c:1636) [ 74.966984][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648) [ 74.967475][ T8082] ? cap_capable (security/commoncap.c:103) [ 74.967884][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599) [ 74.968348][ T8082] legacy_get_tree (fs/fs_context.c:664) [ 74.968750][ T8082] vfs_get_tree (fs/super.c:1780) [ 74.969129][ T8082] ? mount_capable (fs/super.c:695) [ 74.969526][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679) [ 74.969912][ T8082] ? putname (fs/namei.c:274) [ 74.970276][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) [ 74.970688][ T8082] ? __pfx_path_mount (fs/namespace.c:3606) [ 74.971102][ T8082] ? putname (fs/namei.c:274) [ 74.971463][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875) [ 74.971869][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875) [ 74.972328][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822) [ 74.972861][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 74.973271][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 74.973788][ T8082] RIP: 0033:0x7fda67001c7e [ 74.974181][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8 All code ======== 0: 48 8b 0d 15 c2 0c 00 mov 0xcc215(%rip),%rcx # 0xcc21c 7: f7 d8 neg %eax 9: 64 89 01 mov %eax,%fs:(%rcx) c: 48 83 c8 ff or $0xffffffffffffffff,%rax 10: c3 ret 11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 18: 00 00 00 1b: 90 nop 1c: f3 0f 1e fa endbr64 20: 49 89 ca mov %rcx,%r10 23: b8 a5 00 00 00 mov $0xa5,%eax 28: 0f 05 syscall 2a:* 48 rex.W <-- trapping instruction 2b: d8 .byte 0xd8 Code starting with the faulting instruction =========================================== 0: 48 rex.W 1: d8 .byte 0xd8 [ 74.975799][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 74.976515][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e [ 74.977192][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300 [ 74.977871][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000 [ 74.978542][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320 [ 74.979214][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000 [ 74.979888][ T8082] </TASK> [ 74.980159][ T8082] [ 74.980368][ T8082] The buggy address belongs to the physical page: [ 74.980910][ T8082] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1585e6 [ 74.981664][ T8082] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) [ 74.982277][ T8082] page_type: 0xffffffff() [ 74.982654][ T8082] raw: 057ff00000000000 ffffea00056179c8 ffffea0005617948 0000000000000000 [ 74.983385][ T8082] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 74.984111][ T8082] page dumped because: kasan: bad access detected [ 74.984651][ T8082] page_owner info is not present (never set?) [ 74.985166][ T8082] [ 74.985380][ T8082] Memory state around the buggy address: [ 74.985859][ T8082] ffff8881585e6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.986536][ T8082] ffff8881585e6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.987218][ T8082] >ffff8881585e6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.987898][ T8082] ^ [ 74.988424][ T8082] ffff8881585e7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.989108][ T8082] ffff8881585e7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.989858][ T8082] ================================================================== [ 74.992095][ T8082] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 74.993811][ T8082] CPU: 0 PID: 8082 Comm: a.out Not tainted 6.9.0 #7 [ 74.995323][ T8082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 74.997411][ T8082] Call Trace: [ 74.998206][ T8082] <TASK> [ 74.998905][ T8082] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) [ 74.999917][ T8082] panic (kernel/panic.c:348) [ 75.000351][ T8082] ? __pfx_panic (kernel/panic.c:282) [ 75.000844][ T8082] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:12) [ 75.001430][ T8082] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927) [ 75.002018][ T8082] ? check_panic_on_warn (kernel/panic.c:240) [ 75.002571][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 75.003144][ T8082] check_panic_on_warn (kernel/panic.c:241) [ 75.003684][ T8082] end_report (mm/kasan/report.c:226) [ 75.004147][ T8082] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) [ 75.004636][ T8082] ? search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 75.005365][ T8082] search_by_entry_key (fs/reiserfs/namei.c:40 fs/reiserfs/namei.c:165) [ 75.005926][ T8082] reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:324) [ 75.006540][ T8082] ? __pfx_reiserfs_find_entry.part.0 (fs/reiserfs/namei.c:305) [ 75.007088][ T8082] ? __d_alloc (fs/dcache.c:1626) [ 75.007475][ T8082] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) [ 75.007897][ T8082] ? d_set_d_op (fs/dcache.c:1784 (discriminator 3)) [ 75.008297][ T8082] reiserfs_lookup (fs/reiserfs/namei.c:370) [ 75.008721][ T8082] ? __pfx_reiserfs_lookup (fs/reiserfs/namei.c:355) [ 75.009182][ T8082] ? d_alloc (fs/dcache.c:1717) [ 75.009564][ T8082] ? d_alloc_parallel (fs/dcache.c:2458) [ 75.010006][ T8082] ? avc_has_perm_noaudit (security/selinux/avc.c:1168) [ 75.010472][ T8082] ? reiserfs_check_lock_depth (fs/reiserfs/lock.c:91) [ 75.010960][ T8082] ? generic_permission (fs/namei.c:442) [ 75.011415][ T8082] __lookup_slow (./include/linux/dcache.h:371 /include/linux/dcache.h:376 fs/namei.c:1693) [ 75.011823][ T8082] ? __pfx___lookup_slow (fs/namei.c:1668) [ 75.012272][ T8082] ? __d_lookup (fs/dcache.c:2331) [ 75.012671][ T8082] ? d_lookup (fs/dcache.c:2259) [ 75.013039][ T8082] lookup_one_len (fs/namei.c:2756 (discriminator 1)) [ 75.013470][ T8082] ? __pfx_lookup_one_len (fs/namei.c:2744) [ 75.013926][ T8082] ? __pfx_down_write (kernel/locking/rwsem.c:1577) [ 75.014358][ T8082] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545) [ 75.014759][ T8082] ? __pfx_mutex_unlock (kernel/locking/mutex.c:543) [ 75.015200][ T8082] reiserfs_lookup_privroot (fs/reiserfs/xattr.c:979) [ 75.015678][ T8082] reiserfs_fill_super (fs/reiserfs/super.c:2173) [ 75.016159][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) [ 75.016669][ T8082] ? snprintf (lib/vsprintf.c:2954) [ 75.017058][ T8082] ? __pfx_snprintf (lib/vsprintf.c:2954) [ 75.017495][ T8082] ? errseq_sample (lib/errseq.c:131) [ 75.017925][ T8082] ? setup_bdev_super (fs/super.c:1574) [ 75.018389][ T8082] mount_bdev (fs/super.c:1659) [ 75.018793][ T8082] ? __pfx_reiserfs_fill_super (fs/reiserfs/super.c:1888) [ 75.019300][ T8082] ? __pfx_mount_bdev (fs/super.c:1636) [ 75.019749][ T8082] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2648) [ 75.020259][ T8082] ? cap_capable (security/commoncap.c:103) [ 75.020679][ T8082] ? __pfx_get_super_block (fs/reiserfs/super.c:2599) [ 75.021157][ T8082] legacy_get_tree (fs/fs_context.c:664) [ 75.021597][ T8082] vfs_get_tree (fs/super.c:1780) [ 75.022004][ T8082] ? mount_capable (fs/super.c:695) [ 75.022433][ T8082] path_mount (fs/namespace.c:3353 fs/namespace.c:3679) [ 75.022847][ T8082] ? putname (fs/namei.c:274) [ 75.023234][ T8082] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) [ 75.023682][ T8082] ? __pfx_path_mount (fs/namespace.c:3606) [ 75.024119][ T8082] ? putname (fs/namei.c:274) [ 75.024494][ T8082] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875) [ 75.024923][ T8082] ? __pfx___x64_sys_mount (fs/namespace.c:3875) [ 75.025419][ T8082] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822) [ 75.025972][ T8082] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 75.026389][ T8082] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 75.026903][ T8082] RIP: 0033:0x7fda67001c7e [ 75.027298][ T8082] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d8 All code ======== 0: 48 8b 0d 15 c2 0c 00 mov 0xcc215(%rip),%rcx # 0xcc21c 7: f7 d8 neg %eax 9: 64 89 01 mov %eax,%fs:(%rcx) c: 48 83 c8 ff or $0xffffffffffffffff,%rax 10: c3 ret 11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 18: 00 00 00 1b: 90 nop 1c: f3 0f 1e fa endbr64 20: 49 89 ca mov %rcx,%r10 23: b8 a5 00 00 00 mov $0xa5,%eax 28: 0f 05 syscall 2a:* 48 rex.W <-- trapping instruction 2b: d8 .byte 0xd8 Code starting with the faulting instruction =========================================== 0: 48 rex.W 1: d8 .byte 0xd8 [ 75.028940][ T8082] RSP: 002b:00007ffd1c71f278 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 75.029678][ T8082] RAX: ffffffffffffffda RBX: 000055ce1c1c6c80 RCX: 00007fda67001c7e [ 75.030351][ T8082] RDX: 0000000020010000 RSI: 0000000020000b00 RDI: 00007ffd1c71f300 [ 75.031024][ T8082] RBP: 00007ffd1c71f450 R08: 00007ffd1c71f340 R09: 0000000000000000 [ 75.031695][ T8082] R10: 0000000000000000 R11: 0000000000000286 R12: 000055ce1c1c5320 [ 75.032379][ T8082] R13: 00007ffd1c71f560 R14: 0000000000000000 R15: 0000000000000000 [ 75.033079][ T8082] </TASK> [ 75.033640][ T8082] Kernel Offset: disabled
Powered by blists - more mailing lists