Message-Id: <2C7D0D31-01C4-42ED-94A9-5D668600C063@m.fudan.edu.cn>
Date: Mon, 24 Feb 2025 15:01:16 +0800
From: Kun Hu <huk23@...udan.edu.cn>
To: crquan@...il.com
Cc: hillf.zj@...baba-inc.com,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
"jjtan24@...udan.edu.cn" <jjtan24@...udan.edu.cn>,
syzkaller@...glegroups.com,
baishuoran@...eu.edu.cn,
akpm@...ux-foundation.org
Subject: KASAN: slab-use-after-free Read in chrdev_open
Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (67s) was triggered.
HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/67-KASAN_%20slab-use-after-free%20Read%20in%20cd_forget/c_repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/67-KASAN_%20slab-use-after-free%20Read%20in%20cd_forget/syscall_repro.syz.txt
Similar Bug: https://lore.kernel.org/all/tencent_706EA97643BAE446F774577CA6D6536A0305@qq.com/T/#me2c1e1442c2d22dd3963aeecd4b6dcb507064af0
Our reproducer mounts a constructed filesystem image. This UAF seems to occur at line 396 in the chrdev_open function. The root cause is speculated to be that another thread may have released the inode after the function released the spinlock (cdev_lock). When kobj_lookup returned, the inode may have been released despite reacquiring the lock, causing subsequent list_add operations to access the released inode->i_devices.
We have also listed a similar bug which was successfully fixed by Hillf Danton last year. I'm not sure the two are necessarily related, but this one did go on too long ago, so it has been reported for consideration. If this issue doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
==================================================================
BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x16a/0x1a0
Read of size 8 at addr ffff8880456dfc20 by task syz-executor278/9510
CPU: 3 UID: 0 PID: 9510 Comm: syz-executor278 Not tainted 6.14.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x116/0x1b0
print_report+0xc0/0x5e0
kasan_report+0x93/0xc0
__list_add_valid_or_report+0x16a/0x1a0
chrdev_open+0x3a9/0x590
do_dentry_open+0x786/0x1ca0
vfs_open+0x82/0x3f0
path_openat+0x1f04/0x28f0
do_filp_open+0x1fa/0x2f0
do_sys_openat2+0x677/0x720
do_sys_open+0xc7/0x150
do_syscall_64+0xcf/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0e70c0e76d
Code: c3 e8 17 2d 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3b539ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f0e70c0e76d
RDX: 0000000000000000 RSI: 0000000020002140 RDI: ffffffffffffff9c
RBP: 0000000000000003 R08: 00007ffe3b53a209 R09: 00007ffe3b53a209
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b539d0c
R13: 00007ffe3b539d30 R14: 00007ffe3b539d10 R15: 0000000000000001
</TASK>
Allocated by task 9504:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x87/0x90
kmem_cache_alloc_lru_noprof+0x16c/0x4c0
ntfs_alloc_inode+0x27/0x80
alloc_inode+0x63/0x1f0
new_inode+0x16/0x40
ntfs_new_inode+0x44/0x110
ntfs_create_inode+0x3f3/0x3de0
ntfs_mknod+0x3c/0x50
vfs_mknod+0x5eb/0x8f0
do_mknodat+0x370/0x540
__x64_sys_mknodat+0xb0/0xe0
do_syscall_64+0xcf/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 24:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x54/0x70
kmem_cache_free+0x153/0x560
i_callback+0x46/0x70
rcu_core+0x7c5/0x16b0
handle_softirqs+0x1bd/0x880
run_ksoftirqd+0x3a/0x60
smpboot_thread_fn+0x63b/0xa00
kthread+0x42a/0x880
ret_from_fork+0x48/0x80
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x24/0x50
kasan_record_aux_stack+0xb0/0xc0
__call_rcu_common.constprop.0+0x99/0x860
destroy_inode+0x12b/0x1b0
evict+0x4f2/0x860
iput+0x51c/0x830
dentry_unlink_inode+0x2cd/0x4c0
__dentry_kill+0x186/0x5b0
shrink_dentry_list+0x13d/0x650
shrink_dcache_parent+0x1c5/0x5a0
do_one_tree+0x11/0x50
shrink_dcache_for_umount+0x95/0x1c0
generic_shutdown_super+0x6c/0x390
kill_block_super+0x3b/0x90
ntfs3_kill_sb+0x40/0xf0
deactivate_locked_super+0xbb/0x130
deactivate_super+0xb1/0xd0
cleanup_mnt+0x378/0x510
task_work_run+0x173/0x280
syscall_exit_to_user_mode+0x29e/0x2a0
do_syscall_64+0xdc/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880456df580
which belongs to the cache ntfs_inode_cache of size 1752
The buggy address is located 1696 bytes inside of
freed 1752-byte region [ffff8880456df580, ffff8880456dfc58)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x456d8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888050577001
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888040af68c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000110011 00000000f5000000 ffff888050577001
head: 04fff00000000040 ffff888040af68c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000110011 00000000f5000000 ffff888050577001
head: 04fff00000000003 ffffea000115b601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 9504, tgid 9504 (syz-executor278), ts 888593482435, free_ts 887115858472
prep_new_page+0x1b0/0x1e0
get_page_from_freelist+0x19a2/0x3250
__alloc_frozen_pages_noprof+0x324/0x6b0
alloc_pages_mpol+0x20a/0x550
new_slab+0x251/0x350
___slab_alloc+0xe40/0x1740
__slab_alloc.isra.0+0x56/0xb0
kmem_cache_alloc_lru_noprof+0x27d/0x4c0
ntfs_alloc_inode+0x27/0x80
alloc_inode+0x63/0x1f0
iget5_locked+0x5f/0xa0
ntfs_iget5+0xda/0x39f0
ntfs_fill_super+0x1aa9/0x3ed0
get_tree_bdev_flags+0x38c/0x620
vfs_get_tree+0x93/0x340
path_mount+0x1290/0x1bc0
page last free pid 9490 tgid 9490 stack trace:
free_frozen_pages+0x7aa/0x1290
qlist_free_all+0x50/0x130
kasan_quarantine_reduce+0x168/0x1c0
__kasan_slab_alloc+0x67/0x90
kmem_cache_alloc_noprof+0x167/0x4b0
vm_area_dup+0x22/0x300
__split_vma+0x171/0x1160
vms_gather_munmap_vmas+0x1c5/0x15a0
__mmap_region+0x31a/0x2980
mmap_region+0x17b/0x3c0
do_mmap+0xd6b/0x11a0
vm_mmap_pgoff+0x207/0x3b0
ksys_mmap_pgoff+0x46d/0x600
__x64_sys_mmap+0x125/0x190
do_syscall_64+0xcf/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880456dfb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880456dfb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880456dfc00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
^
ffff8880456dfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880456dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
2025/02/21 22:30:40 reproducing crash 'KASAN: slab-use-after-free Read in cd_forget': final repro crashed as (corrupted=false):
loop0: detected capacity change from 0 to 4096
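As an added triage aid that is not part of the original report or the syzkaller tooling, the following parser pulls the access, the slab-object geometry and the three stacks out of a KASAN report and recomputes the offset of the bad access inside the freed object. The embedded sample is an abridged copy of the report quoted in this mail; the frame filter list and the function names are the author's own assumptions.

```python
import re

# Constructed sample: an abridged copy of the KASAN report quoted in this mail.
SAMPLE = """\
BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x16a/0x1a0
Read of size 8 at addr ffff8880456dfc20 by task syz-executor278/9510
Call Trace:
dump_stack_lvl+0x116/0x1b0
kasan_report+0x93/0xc0
__list_add_valid_or_report+0x16a/0x1a0
chrdev_open+0x3a9/0x590
Allocated by task 9504:
kasan_save_stack+0x24/0x50
ntfs_alloc_inode+0x27/0x80
Freed by task 24:
kasan_save_stack+0x24/0x50
i_callback+0x46/0x70
The buggy address belongs to the object at ffff8880456df580
which belongs to the cache ntfs_inode_cache of size 1752
"""
FRAME = re.compile(r"^[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+$")  # symbol+off/len
PLUMBING = ("dump_stack", "print_report", "kasan_", "__kasan_", "kmem_cache_")  # assumed noise

def parse_kasan(text):
    """Extract kind, access, object geometry and the access/allocated/freed stacks."""
    r, cur = {"stacks": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r["kind"], r["site"] = m[1], m[2].split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif line == "Call Trace:":
            cur = "access"; r["stacks"][cur] = []
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            cur = m[1].lower(); r["stacks"][cur] = []
        elif cur and FRAME.match(line):
            r["stacks"][cur].append(line.split("+")[0])
    # Offset of the bad access inside the slab object; KASAN prints the same number.
    r["offset"] = r["addr"] - r["obj"]
    r["in_object"] = 0 <= r["offset"] < r["obj_size"]
    return r

def culprit(frames):
    """First frame that is not KASAN/report plumbing, i.e. the code that touched the memory."""
    return next(f for f in frames if not f.startswith(PLUMBING))
```

Running it over the full report gives offset 1696 inside the 1752-byte ntfs_inode_cache object, matching what KASAN printed, and chrdev_open as the first non-list-helper frame in the access stack.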
---------------
thanks,
Kun Hu