[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d28e4f02-965d-96de-ee56-f7a001b67fe7@huaweicloud.com>
Date: Thu, 16 May 2024 11:14:34 +0800
From: Hou Tao <houtao@...weicloud.com>
To: syzbot <syzbot+061f58eec3bde7ee8ffa@...kaller.appspotmail.com>,
bpf@...r.kernel.org, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Cc: andrii@...nel.org, ast@...nel.org, daniel@...earbox.net,
eddyz87@...il.com, haoluo@...gle.com, john.fastabend@...il.com,
jolsa@...nel.org, kpsingh@...nel.org, linux-kernel@...r.kernel.org,
martin.lau@...ux.dev, sdf@...gle.com, song@...nel.org,
yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] KASAN: slab-use-after-free Read in htab_map_alloc
(2)
Hi,
On 5/4/2024 6:21 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 2506f6229bd0 Merge branch 'net-dsa-adjust_link-removal'
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11ac64ef180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=15dda165e1d20cf1
> dashboard link: https://syzkaller.appspot.com/bug?extid=061f58eec3bde7ee8ffa
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/fc61e6a6e169/disk-2506f622.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3ed6cc1ccbe5/vmlinux-2506f622.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/c6ea42464245/bzImage-2506f622.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+061f58eec3bde7ee8ffa@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in lockdep_register_key+0x253/0x3f0 kernel/locking/lockdep.c:1225
> Read of size 8 at addr ffff88805fe2c298 by task syz-executor.1/5906
>
> CPU: 1 PID: 5906 Comm: syz-executor.1 Not tainted 6.9.0-rc5-syzkaller-01473-g2506f6229bd0 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:488
> kasan_report+0x143/0x180 mm/kasan/report.c:601
> lockdep_register_key+0x253/0x3f0 kernel/locking/lockdep.c:1225
> htab_map_alloc+0x9b/0xe60 kernel/bpf/hashtab.c:506
> map_create+0x90c/0x1200 kernel/bpf/syscall.c:1333
> __sys_bpf+0x6d1/0x810 kernel/bpf/syscall.c:5659
> __do_sys_bpf kernel/bpf/syscall.c:5784 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:5782 [inline]
> __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5782
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f7781e7dea9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f7782c720c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 00007f7781fabf80 RCX: 00007f7781e7dea9
> RDX: 0000000000000048 RSI: 0000000020000140 RDI: 0100000000000000
> RBP: 00007f7781eca4a4 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 000000000000000b R14: 00007f7781fabf80 R15: 00007ffe14057dd8
> </TASK>
>
> Allocated by task 5593:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
> kasan_kmalloc include/linux/kasan.h:211 [inline]
> __do_kmalloc_node mm/slub.c:3966 [inline]
> __kmalloc_node_track_caller+0x24e/0x4e0 mm/slub.c:3986
> kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:597
> __alloc_skb+0x1f3/0x440 net/core/skbuff.c:666
> alloc_skb include/linux/skbuff.h:1308 [inline]
SNIP
>
> The buggy address belongs to the object at ffff88805fe2c000
> which belongs to the cache kmalloc-2k of size 2048
> The buggy address is located 664 bytes inside of
> freed 2048-byte region [ffff88805fe2c000, ffff88805fe2c800)
After checking all possible callers of lockdep_register_key(), it seems
that the culprit is Qdisc instead of bpf hash-table, because only the
offset of lock_class_key in Qdisc is 664. And I think the use-after-free
problem happens as follow:
(1) call qdisc_alloc()
After calling lockdep_register_key(), qdisc_alloc() goes to errout1 due
to netdev_alloc_pcpu_stats() fails. However it doesn't call
lockdep_register_key() to unregister root_lock_key, but it frees the
allocated memory
(2) call htab_map_alloc
During the calling of lockdep_register_key(), it finds the lockdep_key
registered by free-ed Qdisc and triggers the use-after-free.
Will post a simple patch to fix it.
Powered by blists - more mailing lists