| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <73f44351.5361.195a7268794.Coremail.baishuoran@hrbeu.edu.cn> Date: Tue, 18 Mar 2025 10:47:55 +0800 (GMT+08:00) From: 白烁冉 <baishuoran@...eu.edu.cn> To: "Andrew Morton" <akpm@...ux-foundation.org> Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org, "Jiaji Qin" <jjtan24@...udan.edu.cn>, "Kun Hu" <huk23@...udan.edu.cn>, syzkaller@...glegroups.com Subject: KASAN: slab-use-after-free in find_lock_entries+0x21e/0x1160 Dear Maintainers, When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (91th)was triggered. HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2 git tree: upstream Output:https://github.com/pghk13/Kernel-Bug/tree/main/0305_6.14rc3/91-KASAN_%20global-out-of-bounds%20Write%20in%20pcpu_alloc Kernel config:https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc3/config.txt C reproducer:https:https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc3/91-KASAN_%20global-out-of-bounds%20Write%20in%20pcpu_alloc/91repro.c Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc3/91-KASAN_%20global-out-of-bounds%20Write%20in%20pcpu_alloc/91repro.txt Our reproducer uses mounts a constructed filesystem image. The system call shmem_undo_range call find_lock_entries to find and lock the folio, and it is possible that when a folio fails to lock or the mapping does not match, the code will release the folio through a goto put jump, but then it is possible to use the released folio on line 2153. We have reproduced this issue several times on 6.14-rc5 again. If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn> ================================================================== BUG: KASAN: slab-use-after-free in find_lock_entries+0x21e/0x1160 Read of size 4 at addr ffff88807917d8f4 by task syz.0.32/15410 CPU: 3 UID: 0 PID: 15410 Comm: syz.0.32 Not tainted 6.14.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x116/0x1b0 print_report+0xc1/0x630 kasan_report+0x93/0xc0 kasan_check_range+0xed/0x1a0 find_lock_entries+0x21e/0x1160 shmem_undo_range+0x205/0x11b0 shmem_truncate_range+0x30/0xd0 shmem_evict_inode+0x2ec/0xa00 evict+0x3f2/0x860 iput+0x51c/0x830 dentry_unlink_inode+0x2cd/0x4c0 __dentry_kill+0x186/0x5b0 dput.part.0+0x49e/0x990 dput+0x1f/0x30 __fput+0x52b/0xb60 task_work_run+0x173/0x280 syscall_exit_to_user_mode+0x29e/0x2a0 do_syscall_64+0xdc/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2da111ebdb Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007f2da20839a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 000000000000597f RCX: 00007f2da111ebdb RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 RBP: 00007f2da20846b0 R08: 0000000000000000 R09: 0000000000800000 R10: 0000000000000000 R11: 0000000000000293 R12: ffffffffffffffff R13: 0000000000000016 R14: 0000000000000003 R15: 0000000020005bc0 </TASK> Allocated by task 30372096: ------------[ cut here ]------------ pool index 125439 out of bounds (850) for stack id ffffea00 WARNING: CPU: 3 PID: 15410 at lib/stackdepot.c:451 depot_fetch_stack+0x96/0xc0 Modules linked in: CPU: 3 UID: 0 PID: 15410 Comm: syz.0.32 Not tainted 6.14.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:depot_fetch_stack+0x96/0xc0 Code: f8 7a d7 8e e8 6b ee 5a 06 83 f8 01 75 b8 90 0f 0b 90 eb b2 90 48 c7 c7 b8 66 90 8d 44 89 e1 44 89 ea 89 ee e8 bb 03 7c fc 90 <0f> 0b 90 90 31 c0 eb bb 90 0f 0b 90 eb b5 90 0f 0b 90 31 c0 eb ad RSP: 0018:ffffc900024f7480 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 0000000000003ff0 RCX: ffffffff8179ec7a RDX: 0000000000000000 RSI: ffff88806f728000 RDI: 0000000000000002 RBP: 000000000001e9ff R08: fffffbfff1c0b800 R09: ffffed100fde5182 R10: ffffed100fde5181 R11: ffff88807ef28c0b R12: 00000000ffffea00 R13: 0000000000000352 R14: ffffffff81f0b71e R15: 0000000000000001 FS: 00007f2da2084700(0000) GS:ffff88807ef00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f52e19ff000 CR3: 000000006aa74000 CR4: 0000000000750ef0 PKRU: 00000000 Call Trace: <TASK> stack_depot_fetch.part.0+0x9/0x40 stack_depot_print+0x4e/0x70 print_report+0x5ff/0x630 kasan_report+0x93/0xc0 kasan_check_range+0xed/0x1a0 find_lock_entries+0x21e/0x1160 shmem_undo_range+0x205/0x11b0 shmem_truncate_range+0x30/0xd0 shmem_evict_inode+0x2ec/0xa00 evict+0x3f2/0x860 iput+0x51c/0x830 dentry_unlink_inode+0x2cd/0x4c0 __dentry_kill+0x186/0x5b0 dput.part.0+0x49e/0x990 dput+0x1f/0x30 __fput+0x52b/0xb60 task_work_run+0x173/0x280 syscall_exit_to_user_mode+0x29e/0x2a0 do_syscall_64+0xdc/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2da111ebdb Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007f2da20839a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 000000000000597f RCX: 00007f2da111ebdb RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 RBP: 00007f2da20846b0 R08: 0000000000000000 R09: 0000000000800000 R10: 0000000000000000 R11: 0000000000000293 R12: ffffffffffffffff R13: 0000000000000016 R14: 0000000000000003 R15: 0000000020005bc0 thanks, Kun Hu
Powered by blists - more mailing lists