Message-ID: <CALm_T+0f2Z4yjoB6J-HO-Ttk6z-RXQB54zKi+rLkkhhpp=huRQ@mail.gmail.com>
Date: Thu, 6 Mar 2025 11:06:21 +0800
From: Luka <luka.2016.cs@...il.com>
To: Robert Moore <robert.moore@...el.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: Len Brown <lenb@...nel.org>, linux-acpi@...r.kernel.org,
acpica-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Potential Linux Crash: KASAN: slab-use-after-free Read in acpi_ut_update_object_reference in Linux kernel v6.13-rc5
Dear Linux Kernel Experts,
Hello!
I am a security researcher focused on testing Linux kernel
vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel,
we encountered a crash related to the drivers/acpi/acpica kernel
module. We have successfully captured the call trace information for
this crash.
Unfortunately, we have not been able to reproduce the issue in our
local environment, so we are unable to provide a PoC (Proof of
Concept) at this time.
We fully understand the complexity and importance of Linux kernel
maintenance, and we would like to share this finding with you for
further analysis and confirmation of the root cause. Below is a
summary of the relevant information:
Kernel Version: v6.13-rc5
Kernel Module: drivers/acpi/acpica/utdelete.c
————————————————CallTrace————————————————
BUG: KASAN: slab-use-after-free in acpi_ut_update_object_reference+0x601/0x6a0 drivers/acpi/acpica/utdelete.c:497
Read of size 1 at addr ffff888104ecbdd8 by task sh/4165
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x7b/0xa0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x660 mm/kasan/report.c:489
kasan_report+0xc6/0x100 mm/kasan/report.c:602
acpi_ut_update_object_reference+0x601/0x6a0 drivers/acpi/acpica/utdelete.c:497
acpi_ut_remove_reference drivers/acpi/acpica/utdelete.c:740 [inline]
acpi_ut_remove_reference+0x65/0x80 drivers/acpi/acpica/utdelete.c:710
acpi_ds_clear_implicit_return drivers/acpi/acpica/dsutils.c:55 [inline]
acpi_ds_clear_implicit_return+0x7c/0xd0 drivers/acpi/acpica/dsutils.c:34
acpi_ds_method_error+0x1c8/0x2f0 drivers/acpi/acpica/dsmethod.c:219
acpi_ds_exec_end_op+0x6f6/0x1350 drivers/acpi/acpica/dswexec.c:753
acpi_ps_parse_loop+0x3e4/0x1b00 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x372/0xbe0 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_method+0x52e/0xb20 drivers/acpi/acpica/psxface.c:190
acpi_ns_evaluate+0x717/0xc30 drivers/acpi/acpica/nseval.c:205
acpi_ut_evaluate_object+0xcf/0x420 drivers/acpi/acpica/uteval.c:60
acpi_rs_get_prt_method_data+0x84/0xf0 drivers/acpi/acpica/rsutils.c:446
acpi_get_irq_routing_table+0x9b/0xd0 drivers/acpi/acpica/rsxface.c:137
acpi_pci_irq_find_prt_entry+0x171/0xc00 drivers/acpi/pci_irq.c:214
acpi_pci_irq_lookup+0x8a/0x5a0 drivers/acpi/pci_irq.c:298
acpi_pci_irq_enable+0x1aa/0x570 drivers/acpi/pci_irq.c:413
pcibios_enable_device+0x97/0xc0 arch/x86/pci/common.c:699
do_pci_enable_device+0x11f/0x260 drivers/pci/pci.c:2077
pci_enable_device_flags+0x1cf/0x250 drivers/pci/pci.c:2162
enable_store+0x1b2/0x220 drivers/pci/pci-sysfs.c:314
dev_attr_store+0x58/0x80 drivers/base/core.c:2439
sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x51e/0xc80 fs/read_write.c:679
ksys_write+0x110/0x200 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f615e492513
Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffe949c1848 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000056557c2586b0 RCX: 00007f615e492513
RDX: 0000000000000002 RSI: 000056557c2586b0 RDI: 0000000000000001
RBP: 0000000000000002 R08: 000056557c2586b0 R09: 00007f615e575be0
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000
</TASK>
Allocated by task 4165:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4119 [inline]
slab_alloc_node mm/slub.c:4168 [inline]
kmem_cache_alloc_noprof+0xf5/0x360 mm/slub.c:4175
acpi_ut_allocate_object_desc_dbg drivers/acpi/acpica/utobject.c:359 [inline]
acpi_ut_create_internal_object_dbg+0x6d/0x3c0 drivers/acpi/acpica/utobject.c:69
acpi_ut_copy_iobject_to_iobject+0x65/0x390 drivers/acpi/acpica/utcopy.c:947
acpi_ds_store_object_to_local+0x260/0x440 drivers/acpi/acpica/dsmthdat.c:542
acpi_ex_store+0x1ee/0x970 drivers/acpi/acpica/exstore.c:147
acpi_ex_opcode_1A_1T_1R+0x51d/0x10b0 drivers/acpi/acpica/exoparg1.c:443
acpi_ds_exec_end_op+0x618/0x1350 drivers/acpi/acpica/dswexec.c:415
acpi_ps_parse_loop+0x3e4/0x1b00 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x372/0xbe0 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_method+0x52e/0xb20 drivers/acpi/acpica/psxface.c:190
acpi_ns_evaluate+0x717/0xc30 drivers/acpi/acpica/nseval.c:205
acpi_ut_evaluate_object+0xcf/0x420 drivers/acpi/acpica/uteval.c:60
acpi_rs_get_prt_method_data+0x84/0xf0 drivers/acpi/acpica/rsutils.c:446
acpi_get_irq_routing_table+0x9b/0xd0 drivers/acpi/acpica/rsxface.c:137
acpi_pci_irq_find_prt_entry+0x171/0xc00 drivers/acpi/pci_irq.c:214
acpi_pci_irq_lookup+0x8a/0x5a0 drivers/acpi/pci_irq.c:298
acpi_pci_irq_enable+0x1aa/0x570 drivers/acpi/pci_irq.c:413
pcibios_enable_device+0x97/0xc0 arch/x86/pci/common.c:699
do_pci_enable_device+0x11f/0x260 drivers/pci/pci.c:2077
pci_enable_device_flags+0x1cf/0x250 drivers/pci/pci.c:2162
enable_store+0x1b2/0x220 drivers/pci/pci-sysfs.c:314
dev_attr_store+0x58/0x80 drivers/base/core.c:2439
sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x51e/0xc80 fs/read_write.c:679
ksys_write+0x110/0x200 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888104ecbdd0
which belongs to the cache Acpi-Operand of size 72
The buggy address is located 8 bytes inside of
freed 72-byte region [ffff888104ecbdd0, ffff888104ecbe18)
————————————————CallTrace————————————————
If you need more details or additional test results, please feel free
to let us know. Thank you so much for your attention! Please don't
hesitate to reach out if you have any suggestions or need further
communication.
Best regards,
Luka
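Added here as a triage aid, not the reporter's tooling and not kernel code: a small parser that pulls out of a KASAN slab report the fields a maintainer checks first (bug class, the faulting frame once KASAN's own frames are skipped, cache and object size, the offset into the object, and the allocation site) and recomputes KASAN's "N bytes inside of" sentence from the raw addresses, so a report damaged by mail wrapping is flagged rather than trusted. The field names, the `INSTRUMENTATION` path list and the handling of "to the right/left of" (which this report does not contain) are this example's own choices; the embedded sample is the report above, trimmed and re-joined onto single lines where the mail client had wrapped them.

```python
"""Triage parser for KASAN slab reports (added example, not kernel code)."""
import re

# Constructed sample: the report from the message above, trimmed to the lines
# this parser reads and re-joined where the mail client had wrapped them.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in acpi_ut_update_object_reference+0x601/0x6a0 drivers/acpi/acpica/utdelete.c:497
Read of size 1 at addr ffff888104ecbdd8 by task sh/4165
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 kasan_report+0xc6/0x100 mm/kasan/report.c:602
 acpi_ut_update_object_reference+0x601/0x6a0 drivers/acpi/acpica/utdelete.c:497
 acpi_ut_remove_reference drivers/acpi/acpica/utdelete.c:740 [inline]
 acpi_ds_clear_implicit_return+0x7c/0xd0 drivers/acpi/acpica/dsutils.c:34
 enable_store+0x1b2/0x220 drivers/pci/pci-sysfs.c:314
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
Allocated by task 4165:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kmem_cache_alloc_noprof+0xf5/0x360 mm/slub.c:4175
 acpi_ut_allocate_object_desc_dbg drivers/acpi/acpica/utobject.c:359 [inline]
 acpi_ut_create_internal_object_dbg+0x6d/0x3c0 drivers/acpi/acpica/utobject.c:69

The buggy address belongs to the object at ffff888104ecbdd0
 which belongs to the cache Acpi-Operand of size 72
The buggy address is located 8 bytes inside of
 freed 72-byte region [ffff888104ecbdd0, ffff888104ecbe18)
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>\S+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+", re.M)
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>.+)/(?P<pid>\d+)[ \t]*$", re.M)
OBJECT_RE = re.compile(r"belongs to the object at (?P<start>[0-9a-f]+)\s+which belongs to the cache"
                       r" (?P<cache>\S+) of size (?P<size>\d+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes (?P<where>inside|to the right|to the left) of"
                       r"\s+(?:(?P<state>[a-z]+) )?(?P<size>\d+)-byte region"
                       r" \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
# One symbolized frame: "func+0xoff/0xlen path:line [inline]", parts optional.
FRAME_RE = re.compile(r"^[ \t]*(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:[ \t]+(?P<file>\S+):(?P<line>\d+))?(?P<inline>[ \t]+\[inline\])?[ \t]*$", re.M)
# Frames belonging to KASAN, the stack dumper or the slab allocator itself (this
# example's own list); the first frame outside them is where the subsystem touched the object.
INSTRUMENTATION = ("mm/kasan/", "lib/dump_stack.c", "mm/slub.c", "mm/slab", "include/linux/kasan.h")

def _frames(block):
    return [{"func": m["func"], "file": m["file"],
             "line": int(m["line"]) if m["line"] else None,
             "inline": m["inline"] is not None} for m in FRAME_RE.finditer(block)]

def first_subsystem_frame(frames):
    for f in frames:
        if not (f["file"] or "").startswith(INSTRUMENTATION):
            return f
    return None

def _stack_section(text, header):
    """Frames under 'Allocated by task N:' / 'Freed by task N:' up to a blank line."""
    m = re.search(r"^%s by task (?P<pid>\d+):\n(?P<body>.*?)(?:\n[ \t]*\n|\Z)" % header,
                  text, re.M | re.S)
    return (int(m["pid"]), _frames(m["body"])) if m else (None, [])

def parse_kasan_report(text):
    bug, acc = BUG_RE.search(text), ACCESS_RE.search(text)
    if not (bug and acc):
        raise ValueError("not a KASAN access report")
    task = re.search(r"<TASK>(.*?)</TASK>", text, re.S)
    trace = _frames(task.group(1)) if task else []
    addr = int(acc["addr"], 16)
    r = {"kind": bug["kind"], "access": acc["rw"], "size": int(acc["size"]), "addr": addr,
         "task": acc["task"], "pid": int(acc["pid"]), "trace": trace,
         "fault_site": first_subsystem_frame(trace), "cache": None, "object_start": None,
         "object_size": None, "offset": None, "region_state": None, "offset_consistent": None}
    obj, reg = OBJECT_RE.search(text), REGION_RE.search(text)
    if obj:
        r["cache"], r["object_start"] = obj["cache"], int(obj["start"], 16)
        r["object_size"], r["offset"] = int(obj["size"]), addr - int(obj["start"], 16)
    if reg:
        lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
        r["region_state"] = reg["state"]
        # Recompute KASAN's "N bytes <where> of" sentence from the raw addresses so a
        # report altered in transit (mail wrapping, hand editing) is caught, not trusted.
        expected = {"inside": addr - lo, "to the right": addr - hi, "to the left": lo - addr}[reg["where"]]
        r["offset_consistent"] = expected == int(reg["dist"]) and hi - lo == int(reg["size"])
    for name in ("Allocated", "Freed"):
        r[name.lower() + "_by"], frames = _stack_section(text, name)
        r[name.lower() + "_site"] = first_subsystem_frame(frames)
    return r

def summarize(r):
    """One-line title in the shape a bug tracker or syzkaller dashboard uses."""
    site = r["fault_site"]
    where = "%s (%s:%s)" % (site["func"], site["file"], site["line"]) if site else "unknown"
    obj = ("%d-byte %s object, offset %d" % (r["object_size"], r["cache"], r["offset"])
           if r["cache"] else "unknown object")
    return "%s: %s of %d byte(s) in %s, %s" % (r["kind"], r["access"], r["size"], where, obj)

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Run on the sample, the summary line reads: slab-use-after-free: Read of 1 byte(s) in acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:497), 72-byte Acpi-Operand object, offset 8. The offset is recomputed from 0xffff888104ecbdd8 minus the object start 0xffff888104ecbdd0 and agrees with the report's own "8 bytes inside of", and the region width 0xffff888104ecbe18 minus 0xffff888104ecbdd0 is 72, so nothing in the quoted addresses was lost to wrapping. Note that this report carries an "Allocated by" stack but no "Freed by" stack, so the freeing site cannot be read off it; that is the piece a maintainer would still need to reproduce or to infer from the refcount logic in utdelete.c.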