| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANp29Y4Oxcp=2YmrjQpXdYxrW6eKzjXfj65C=NE4bzfCJPVPoQ@mail.gmail.com> Date: Sun, 16 Mar 2025 23:38:55 -0400 From: Aleksandr Nogikh <nogikh@...gle.com> To: syzbot <syzbot+35a5dd7a84685f5f9844@...kaller.appspotmail.com> Cc: arve@...roid.com, brauner@...nel.org, cmllamas@...gle.com, gregkh@...uxfoundation.org, joel@...lfernandes.org, linux-kernel@...r.kernel.org, maco@...roid.com, surenb@...gle.com, syzkaller-bugs@...glegroups.com, tkjos@...roid.com Subject: Re: [syzbot] [kernel?] upstream test error: KASAN: slab-use-after-free Write in binder_add_device (2) #syz invalid On Sun, Mar 16, 2025 at 3:00 PM syzbot <syzbot+35a5dd7a84685f5f9844@...kaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 29281a76709c Merge tag 'kvmarm-fixes-6.14-2' into kvmarm-m.. > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git fuzzme > console output: https://syzkaller.appspot.com/x/log.txt?x=1155cfa8580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=ab4d8c35f4d2e97 > dashboard link: https://syzkaller.appspot.com/bug?extid=35a5dd7a84685f5f9844 > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > userspace arch: arm64 > > Downloadable assets: > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-29281a76.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/c1ca228f9e75/vmlinux-29281a76.xz > kernel image: https://storage.googleapis.com/syzbot-assets/22c8671002d3/Image-29281a76.gz.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+35a5dd7a84685f5f9844@...kaller.appspotmail.com > > ================================================================== > BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] > BUG: KASAN: slab-use-after-free in binder_add_device+0x54/0x8c drivers/android/binder.c:6932 > Write of size 8 at addr 81f00000124ffa08 by task syz-executor/3323 > Pointer tag: [81], memory tag: [84] > > CPU: 0 UID: 0 PID: 3323 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 > Hardware name: linux,dummy-virt (DT) > Call trace: > show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 > print_address_description mm/kasan/report.c:378 [inline] > print_report+0x1b4/0x500 mm/kasan/report.c:489 > kasan_report+0xd8/0x138 mm/kasan/report.c:602 > kasan_tag_mismatch+0x28/0x3c mm/kasan/sw_tags.c:175 > __hwasan_tag_mismatch+0x30/0x60 arch/arm64/lib/kasan_sw_tags.S:55 > hlist_add_head include/linux/list.h:1026 [inline] > binder_add_device+0x54/0x8c drivers/android/binder.c:6932 > binderfs_binder_device_create+0x64c/0x6a0 drivers/android/binderfs.c:210 > binderfs_fill_super+0x5d4/0x814 drivers/android/binderfs.c:729 > vfs_get_super fs/super.c:1280 [inline] > get_tree_nodev+0x98/0x110 fs/super.c:1299 > binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 > vfs_get_tree+0x68/0x1e4 fs/super.c:1814 > do_new_mount+0x218/0x5d8 fs/namespace.c:3560 > path_mount+0x428/0xa64 fs/namespace.c:3887 > do_mount fs/namespace.c:3900 [inline] > __do_sys_mount fs/namespace.c:4111 [inline] > __se_sys_mount fs/namespace.c:4088 [inline] > __arm64_sys_mount+0x3dc/0x48c fs/namespace.c:4088 > __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] > invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 > el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 > do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 > el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:744 > el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 > el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 > > Allocated by task 3311: > kasan_save_stack+0x40/0x6c mm/kasan/common.c:47 > save_stack_info+0x34/0x144 mm/kasan/tags.c:106 > kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:142 > poison_kmalloc_redzone mm/kasan/common.c:377 [inline] > __kasan_kmalloc+0x98/0x9c mm/kasan/common.c:394 > kasan_kmalloc include/linux/kasan.h:260 [inline] > __kmalloc_cache_noprof+0x2cc/0x434 mm/slub.c:4325 > kmalloc_noprof include/linux/slab.h:901 [inline] > kzalloc_noprof include/linux/slab.h:1037 [inline] > binderfs_binder_device_create+0x124/0x6a0 drivers/android/binderfs.c:147 > binderfs_fill_super+0x5d4/0x814 drivers/android/binderfs.c:729 > vfs_get_super fs/super.c:1280 [inline] > get_tree_nodev+0x98/0x110 fs/super.c:1299 > binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 > vfs_get_tree+0x68/0x1e4 fs/super.c:1814 > do_new_mount+0x218/0x5d8 fs/namespace.c:3560 > path_mount+0x428/0xa64 fs/namespace.c:3887 > do_mount fs/namespace.c:3900 [inline] > __do_sys_mount fs/namespace.c:4111 [inline] > __se_sys_mount fs/namespace.c:4088 [inline] > __arm64_sys_mount+0x3dc/0x48c fs/namespace.c:4088 > __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] > invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 > el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 > do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 > el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:744 > el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 > el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 > > Freed by task 3311: > kasan_save_stack+0x40/0x6c mm/kasan/common.c:47 > save_stack_info+0x34/0x144 mm/kasan/tags.c:106 > kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:147 > poison_slab_object mm/kasan/common.c:247 [inline] > __kasan_slab_free+0x64/0x68 mm/kasan/common.c:264 > kasan_slab_free include/linux/kasan.h:233 [inline] > slab_free_hook mm/slub.c:2353 [inline] > slab_free mm/slub.c:4609 [inline] > kfree+0x14c/0x450 mm/slub.c:4757 > binderfs_evict_inode+0x124/0x194 drivers/android/binderfs.c:278 > evict+0x2e4/0x610 fs/inode.c:796 > iput_final fs/inode.c:1946 [inline] > iput+0x564/0x5d8 fs/inode.c:1972 > dentry_unlink_inode+0x2e0/0x310 fs/dcache.c:440 > __dentry_kill+0x130/0x3e8 fs/dcache.c:643 > shrink_kill+0xf8/0x324 fs/dcache.c:1088 > shrink_dentry_list+0x280/0x4ec fs/dcache.c:1115 > shrink_dcache_parent+0x88/0x21c > do_one_tree+0x2c/0xc0 fs/dcache.c:1578 > shrink_dcache_for_umount+0x90/0x118 fs/dcache.c:1595 > generic_shutdown_super+0x50/0x214 fs/super.c:620 > kill_anon_super fs/super.c:1237 [inline] > kill_litter_super+0x64/0x90 fs/super.c:1247 > binderfs_kill_super+0x3c/0x88 drivers/android/binderfs.c:791 > deactivate_locked_super+0xa8/0x110 fs/super.c:473 > deactivate_super+0xdc/0xe0 fs/super.c:506 > cleanup_mnt+0x228/0x298 fs/namespace.c:1413 > __cleanup_mnt+0x20/0x30 fs/namespace.c:1420 > task_work_run+0x154/0x1c4 kernel/task_work.c:227 > exit_task_work include/linux/task_work.h:40 [inline] > do_exit+0x3b8/0x10dc kernel/exit.c:938 > do_group_exit+0xfc/0x13c kernel/exit.c:1087 > get_signal+0xd1c/0xd94 kernel/signal.c:3036 > do_signal+0x17c/0x29a4 arch/arm64/kernel/signal.c:1658 > do_notify_resume+0x7c/0x1b8 arch/arm64/kernel/entry-common.c:148 > exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] > exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] > el0_svc+0xac/0x14c arch/arm64/kernel/entry-common.c:745 > el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 > el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 > > The buggy address belongs to the object at fff00000124ffa00 > which belongs to the cache kmalloc-512 of size 512 > The buggy address is located 8 bytes inside of > 288-byte region [fff00000124ffa00, fff00000124ffb20) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x524ff > anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) > page_type: f5(slab) > raw: 01ffc00000000000 28f000000a001900 0000000000000000 0000000000000001 > raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > fff00000124ff800: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 > fff00000124ff900: 01 01 01 01 fe fe fe fe fe fe fe fe fe fe fe fe > >fff00000124ffa00: 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 > ^ > fff00000124ffb00: 84 84 fe fe fe fe fe fe fe fe fe fe fe fe fe fe > fff00000124ffc00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > ================================================================== > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@...glegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the report is already addressed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want to overwrite report's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the report is a duplicate of another one, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/67d71fd3.050a0220.3657bb.0003.GAE%40google.com.
Powered by blists - more mailing lists