lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <67117249.050a0220.10f4f4.0002.GAE@google.com>
Date: Thu, 17 Oct 2024 13:23:37 -0700
From: syzbot <syzbot+e8ffa1bcc1cc3240f4de@...kaller.appspotmail.com>
To: apparmor@...ts.ubuntu.com, jmorris@...ei.org, john.johansen@...onical.com, 
	john@...armor.net, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org, paul@...l-moore.com, serge@...lyn.com, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [apparmor?] KASAN: slab-use-after-free Read in apparmor_sk_free_security

Hello,

syzbot found the following issue on:

HEAD commit:    36c254515dc6 Merge tag 'powerpc-6.12-4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1330ffd0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=667b897270c8ae6
dashboard link: https://syzkaller.appspot.com/bug?extid=e8ffa1bcc1cc3240f4de
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-36c25451.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0a357f9d2448/vmlinux-36c25451.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fba8311d450b/bzImage-36c25451.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8ffa1bcc1cc3240f4de@...kaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in apparmor_sk_free_security+0x19a/0x1a0 security/apparmor/lsm.c:1065
Read of size 8 at addr ffff888000847780 by task ksoftirqd/3/34

CPU: 3 UID: 0 PID: 34 Comm: ksoftirqd/3 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 apparmor_sk_free_security+0x19a/0x1a0 security/apparmor/lsm.c:1065
 security_sk_free+0xd7/0x1a0 security/security.c:4842
 sk_prot_free net/core/sock.c:2196 [inline]
 __sk_destruct+0x44b/0x720 net/core/sock.c:2292
 sk_destruct+0xc2/0xf0 net/core/sock.c:2307
 __sk_free+0xf4/0x3e0 net/core/sock.c:2318
 sk_free+0x6a/0x90 net/core/sock.c:2329
 deferred_put_nlk_sk+0x13f/0x2d0 net/netlink/af_netlink.c:740
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 4839:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_noprof+0x1e8/0x410 mm/slub.c:4276
 kmalloc_noprof include/linux/slab.h:882 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 lsm_blob_alloc+0x68/0x90 security/security.c:685
 lsm_sock_alloc security/security.c:4808 [inline]
 security_sk_alloc+0x30/0x270 security/security.c:4824
 sk_prot_alloc+0x1c7/0x2a0 net/core/sock.c:2167
 sk_alloc+0x36/0xb90 net/core/sock.c:2217
 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:646
 netlink_create+0x3a4/0x630 net/netlink/af_netlink.c:704
 __sock_create+0x32e/0x840 net/socket.c:1576
 sock_create net/socket.c:1632 [inline]
 __sys_socket_create net/socket.c:1669 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1716
 __do_sys_socket net/socket.c:1730 [inline]
 __se_sys_socket net/socket.c:1728 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1728
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888000847780
 which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
 freed 16-byte region [ffff888000847780, ffff888000847790)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880008479e0 pfn:0x847
flags: 0x7ff00000000200(workingset|node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 007ff00000000200 ffff88801ac42640 ffffea0000856f10 ffffea0000870d90
raw: ffff8880008479e0 000000000080007e 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5351, tgid 5351 (syz-executor), ts 41291513004, free_ts 41219292639
 create_dummy_stack mm/page_owner.c:94 [inline]
 register_dummy_stack+0x8a/0xd0 mm/page_owner.c:100
 init_page_owner+0x48/0xe40 mm/page_owner.c:118
 invoke_init_callbacks mm/page_ext.c:148 [inline]
 page_ext_init+0x6b8/0xab0 mm/page_ext.c:497
 mm_core_init+0x12d/0x220 mm/mm_init.c:2667
page last free pid 5341 tgid 5341 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 skb_free_frag include/linux/skbuff.h:3399 [inline]
 skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096
 skb_release_data+0x560/0x730 net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb net/core/skbuff.c:1204 [inline]
 sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242
 kfree_skb_reason include/linux/skbuff.h:1262 [inline]
 kfree_skb include/linux/skbuff.h:1271 [inline]
 napi_free_frags include/linux/netdevice.h:3893 [inline]
 napi_get_frags_check+0x58/0xb0 net/core/skbuff.c:306
 netif_napi_add_weight+0x538/0xab0 net/core/dev.c:6672
 netif_napi_add include/linux/netdevice.h:2638 [inline]
 nsim_init_napi drivers/net/netdevsim/netdev.c:392 [inline]
 nsim_open+0x149/0x7b0 drivers/net/netdevsim/netdev.c:435
 __dev_open+0x2d4/0x4e0 net/core/dev.c:1476
 __dev_change_flags+0x561/0x720 net/core/dev.c:8841
 dev_change_flags+0x8f/0x160 net/core/dev.c:8913
 do_setlink+0x19dd/0x3ee0 net/core/rtnetlink.c:2929
 __rtnl_newlink+0xc3a/0x1920 net/core/rtnetlink.c:3725
 rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3772
 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6675
 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357

Memory state around the buggy address:
 ffff888000847680: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
 ffff888000847700: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>ffff888000847780: fa fb fc fc 00 00 fc fc 00 07 fc fc 00 06 fc fc
                   ^
 ffff888000847800: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
 ffff888000847880: 00 00 fc fc 00 04 fc fc 00 01 fc fc 00 00 fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ