Message-ID: <51AA93C4-947F-4013-B9A8-FF3E06FF221E@psu.edu>
Date: Mon, 19 Jan 2026 18:35:07 +0000
From: "Bai, Shuangpeng" <SJB7183@....EDU>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
CC: "andrew+netdev@...n.ch" <andrew+netdev@...n.ch>, "davem@...emloft.net"
<davem@...emloft.net>, "edumazet@...gle.com" <edumazet@...gle.com>,
"kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
"jirislaby@...nel.org" <jirislaby@...nel.org>
Subject: Re: [BUG] KASAN: slab-use-after-free in tty_write_room on v6.18
We reported a refcount imbalance of the tty object (https://www.spinics.net/lists/netdev/msg1147934.html).
In short, the function ldisc_close decrements the refcount of ser->tty but does not remove the pointer,
which is accessed later to trigger this UAF bug. Please see more details in the imbalance report.
Thanks,
Shuangpeng
> On Jan 19, 2026, at 12:42, Bai, Shuangpeng <baisp@....edu> wrote:
>
> Hi Kernel Maintainers,
>
> Our tool found a new kernel bug KASAN: slab-use-after-free in tty_write_room. Please see the details below.
>
> Kernel commit: v6.18
> Kernel config: attachment
> C/Syz reproducer: attachment
>
>
> I’m happy to test debug patches or provide additional information.
>
> Reported-by: Shuangpeng Bai <SJB7183@....edu>
>
>
>
> [ 39.297583][ T8450] debugfs: 'pts0' already exists in 'caif_serial'
> [ 39.442847][ T8449] ==================================================================
> [ 39.443692][ T8449] BUG: KASAN: slab-use-after-free in tty_write_room (drivers/tty/tty_ioctl.c:68)
> [ 39.444474][ T8449] Read of size 8 at addr ffff888170570020 by task a.out/8449
> [ 39.445240][ T8449]
> [ 39.445507][ T8449] CPU: 0 UID: 0 PID: 8449 Comm: a.out Not tainted 6.18.0 #19 PREEMPT(full)
> [ 39.445514][ T8449] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 39.445518][ T8449] Call Trace:
> [ 39.445521][ T8449] <TASK>
> [ 39.445523][ T8449] dump_stack_lvl (lib/dump_stack.c:122)
> [ 39.445553][ T8449] print_report (mm/kasan/report.c:399 mm/kasan/report.c:502)
> [ 39.445577][ T8449] kasan_report (mm/kasan/report.c:732)
> [ 39.445590][ T8449] tty_write_room (drivers/tty/tty_ioctl.c:68)
> [ 39.445596][ T8449] handle_tx (drivers/net/caif/caif_serial.c:211)
> [ 39.445606][ T8449] dev_hard_start_xmit (./include/linux/netdevice.h:5304 ./include/linux/netdevice.h:5313 net/core/dev.c:3849 net/core/dev.c:3865)
> [ 39.445614][ T8449] __dev_queue_xmit (net/core/dev.h:373 net/core/dev.c:4766)
> [ 39.445772][ T8449] transmit (net/caif/caif_dev.c:237)
> [ 39.445786][ T8449] cfserl_transmit (net/caif/cfserl.c:185)
> [ 39.445817][ T8449] cffrml_transmit (net/caif/cffrml.c:?)
> [ 39.445833][ T8449] cfmuxl_transmit (net/caif/cfmuxl.c:240)
> [ 39.445849][ T8449] caif_connect_client (net/caif/cfcnfg.c:?)
> [ 39.445879][ T8449] caif_connect (net/caif/caif_socket.c:841)
> [ 39.445899][ T8449] __sys_connect (net/socket.c:2117 net/socket.c:2136)
> [ 39.445919][ T8449] __x64_sys_connect (net/socket.c:2142 net/socket.c:2139 net/socket.c:2139)
> [ 39.445924][ T8449] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [ 39.445936][ T8449] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 39.445941][ T8449] RIP: 0033:0x7ff784f7325b
> [ 39.445949][ T8449] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 bb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 4
>
> Code starting with the faulting instruction
> ===========================================
> 0: 83 ec 18 sub $0x18,%esp
> 3: 89 54 24 0c mov %edx,0xc(%rsp)
> 7: 48 89 34 24 mov %rsi,(%rsp)
> b: 89 7c 24 08 mov %edi,0x8(%rsp)
> f: e8 bb fa ff ff call 0xfffffffffffffacf
> 14: 8b 54 24 0c mov 0xc(%rsp),%edx
> 18: 48 8b 34 24 mov (%rsp),%rsi
> 1c: 41 89 c0 mov %eax,%r8d
> 1f: 8b 7c 24 08 mov 0x8(%rsp),%edi
> 23: 04 .byte 0x4
> [ 39.445954][ T8449] RSP: 002b:00007ff784587ea0 EFLAGS: 00000293 ORIG_RAX: 000000000000002a
> [ 39.445961][ T8449] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff784f7325b
> [ 39.445965][ T8449] RDX: 0000000000000018 RSI: 00007ff784587ed0 RDI: 0000000000000004
> [ 39.445968][ T8449] RBP: 00007ff784587ef0 R08: 0000000000000000 R09: 00007ff784588700
> [ 39.445971][ T8449] R10: 000055588833861f R11: 0000000000000293 R12: 00007ffcfaa9ae2e
> [ 39.445975][ T8449] R13: 00007ffcfaa9ae2f R14: 00007ff784587fc0 R15: 0000000000802000
> [ 39.445980][ T8449] </TASK>
> [ 39.445982][ T8449]
> [ 39.493380][ T8449] Freed by task 1143:
> [ 39.493796][ T8449] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:77)
> [ 39.494287][ T8449] __kasan_save_free_info (mm/kasan/generic.c:590)
> [ 39.494824][ T8449] __kasan_slab_free (mm/kasan/common.c:322)
> [ 39.495318][ T8449] kfree (./arch/x86/include/asm/jump_label.h:36 mm/slab.h:494 mm/slab.h:515 mm/slab.h:683 mm/slub.c:886 mm/slub.c:2570 mm/slub.c:6707 mm/slub.c:6945)
> [ 39.495726][ T8449] process_scheduled_works (kernel/workqueue.c:3277 kernel/workqueue.c:3428)
> [ 39.496290][ T8449] worker_thread (kernel/workqueue.c:? kernel/workqueue.c:1204 kernel/workqueue.c:3508)
> [ 39.496766][ T8449] kthread (./include/linux/cgroup.h:655 kernel/kthread.c:472)
> [ 39.497201][ T8449] ret_from_fork (arch/x86/kernel/process.c:171)
> [ 39.497680][ T8449] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
> [ 39.498178][ T8449]
> [ 39.498427][ T8449] The buggy address belongs to the object at ffff888170570000
> [ 39.498427][ T8449] which belongs to the cache kmalloc-cg-1k of size 1024
> [ 39.499868][ T8449] The buggy address is located 32 bytes inside of
> [ 39.499868][ T8449] freed 1024-byte region [ffff888170570000, ffff888170570400)
> [ 39.501339][ T8449]
> [ 39.501591][ T8449] The buggy address belongs to the physical page:
> [ 39.502248][ T8449] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x170570
> [ 39.503153][ T8449] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 39.504014][ T8449] memcg:ffff888122f06401
> [ 39.504453][ T8449] anon flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
> [ 39.505279][ T8449] page_type: f5(slab)
> [ 39.505694][ T8449] raw: 017ff00000000040 ffff88810004a280 0000000000000000 dead000000000001
> [ 39.506568][ T8449] raw: 0000000000000000 0000000080100010 00000000f5000000 ffff888122f06401
> [ 39.507443][ T8449] head: 017ff00000000040 ffff88810004a280 0000000000000000 dead000000000001
> [ 39.508328][ T8449] head: 0000000000000000 0000000080100010 00000000f5000000 ffff888122f06401
> [ 39.509227][ T8449] head: 017ff00000000003 ffffea0005c15c01 00000000ffffffff 00000000ffffffff
> [ 39.510129][ T8449] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
> [ 39.511030][ T8449] page dumped because: kasan: bad access detected
> [ 39.511669][ T8449] page_owner tracks the page as allocated
> [ 39.512236][ T8449] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_N4
> [ 39.514318][ T8449] post_alloc_hook (mm/page_alloc.c:? mm/page_alloc.c:1845)
> [ 39.514802][ T8449] get_page_from_freelist (mm/page_alloc.c:3750)
> [ 39.515357][ T8449] __alloc_frozen_pages_noprof (mm/page_alloc.c:5181)
> [ 39.515936][ T8449] alloc_pages_mpol (mm/mempolicy.c:2416)
> [ 39.516422][ T8449] allocate_slab (mm/slub.c:3115 mm/slub.c:3288)
> [ 39.516880][ T8449] ___slab_alloc (mm/slub.c:3344 mm/slub.c:4713)
> [ 39.517353][ T8449] __slab_alloc (mm/slub.c:4836)
> [ 39.517800][ T8449] __kmalloc_noprof (mm/slub.c:4912 mm/slub.c:5334 mm/slub.c:5714 mm/slub.c:5727)
> [ 39.518287][ T8449] alloc_pipe_info (fs/pipe.c:? fs/pipe.c:814)
> [ 39.518767][ T8449] create_pipe_files (fs/pipe.c:894 fs/pipe.c:928)
> [ 39.519259][ T8449] __do_pipe_flags (fs/pipe.c:991)
> [ 39.519740][ T8449] do_pipe2 (fs/pipe.c:1039)
> [ 39.520161][ T8449] __x64_sys_pipe2 (fs/pipe.c:1056 fs/pipe.c:1054 fs/pipe.c:1054)
> [ 39.520638][ T8449] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [ 39.521117][ T8449] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 39.521720][ T8449] page last free pid 4577 tgid 4577 stack trace:
> [ 39.522368][ T8449] __free_frozen_pages (mm/page_alloc.c:1041 mm/page_alloc.c:1080 mm/page_alloc.c:1388 mm/page_alloc.c:2903)
> [ 39.522891][ T8449] __slab_free (mm/slub.c:?)
> [ 39.523352][ T8449] qlist_free_all (./include/linux/string.h:377 mm/kasan/quarantine.c:166 mm/kasan/quarantine.c:185)
> [ 39.523828][ T8449] kasan_quarantine_reduce (./include/linux/srcu.h:389 mm/kasan/quarantine.c:293)
> [ 39.524390][ T8449] __kasan_slab_alloc (mm/kasan/common.c:390)
> [ 39.524897][ T8449] __kmalloc_noprof (mm/slub.c:5201 mm/slub.c:5331 mm/slub.c:5714 mm/slub.c:5727)
> [ 39.525400][ T8449] tomoyo_realpath_from_path (security/tomoyo/realpath.c:252)
> [ 39.525967][ T8449] tomoyo_path_perm (./include/linux/srcu.h:252 security/tomoyo/common.h:1108 security/tomoyo/file.c:821)
> [ 39.526472][ T8449] security_inode_getattr (security/security.c:2422)
> [ 39.527027][ T8449] __se_sys_newfstat (fs/stat.c:260 fs/stat.c:281 fs/stat.c:555 fs/stat.c:550)
> [ 39.527528][ T8449] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [ 39.527992][ T8449] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 39.528587][ T8449]
> [ 39.528831][ T8449] Memory state around the buggy address:
> [ 39.529397][ T8449] ffff88817056ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 39.530224][ T8449] ffff88817056ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 39.531023][ T8449] >ffff888170570000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 39.531825][ T8449] ^
> [ 39.532338][ T8449] ffff888170570080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 39.533165][ T8449] ffff888170570100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 39.533953][ T8449] ==================================================================
> [ 39.534804][ T8449] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> [ 39.535507][ T8449] CPU: 0 UID: 0 PID: 8449 Comm: a.out Not tainted 6.18.0 #19 PREEMPT(full)
> [ 39.536344][ T8449] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 39.537241][ T8449] Call Trace:
> [ 39.537576][ T8449] <TASK>
> [ 39.537873][ T8449] dump_stack_lvl (lib/dump_stack.c:122)
> [ 39.539858][ T8449] vpanic (kernel/panic.c:499)
> [ 39.540273][ T8449] panic (??:?)
> [ 39.543496][ T8449] check_panic_on_warn (kernel/panic.c:380)
> [ 39.544498][ T8449] end_report (./arch/x86/include/asm/bitops.h:202 ./arch/x86/include/asm/bitops.h:232 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 mm/kasan/report.c:233)
> [ 39.544941][ T8449] kasan_report (mm/kasan/report.c:?)
> [ 39.545891][ T8449] tty_write_room (drivers/tty/tty_ioctl.c:68)
> [ 39.546362][ T8449] handle_tx (drivers/net/caif/caif_serial.c:211)
> [ 39.546801][ T8449] dev_hard_start_xmit (./include/linux/netdevice.h:5304 ./include/linux/netdevice.h:5313 net/core/dev.c:3849 net/core/dev.c:3865)
> [ 39.547331][ T8449] __dev_queue_xmit (net/core/dev.h:373 net/core/dev.c:4766)
> [ 39.562488][ T8449] transmit (net/caif/caif_dev.c:237)
> [ 39.563866][ T8449] cfserl_transmit (net/caif/cfserl.c:185)
> [ 39.566416][ T8449] cffrml_transmit (net/caif/cffrml.c:?)
> [ 39.567939][ T8449] cfmuxl_transmit (net/caif/cfmuxl.c:240)
> [ 39.569493][ T8449] caif_connect_client (net/caif/cfcnfg.c:?)
> [ 39.572167][ T8449] caif_connect (net/caif/caif_socket.c:841)
> [ 39.574216][ T8449] __sys_connect (net/socket.c:2117 net/socket.c:2136)
> [ 39.576227][ T8449] __x64_sys_connect (net/socket.c:2142 net/socket.c:2139 net/socket.c:2139)
> [ 39.576722][ T8449] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [ 39.577840][ T8449] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 39.578449][ T8449] RIP: 0033:0x7ff784f7325b
> [ 39.578914][ T8449] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 bb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 4
>
> Code starting with the faulting instruction
> ===========================================
> 0: 83 ec 18 sub $0x18,%esp
> 3: 89 54 24 0c mov %edx,0xc(%rsp)
> 7: 48 89 34 24 mov %rsi,(%rsp)
> b: 89 7c 24 08 mov %edi,0x8(%rsp)
> f: e8 bb fa ff ff call 0xfffffffffffffacf
> 14: 8b 54 24 0c mov 0xc(%rsp),%edx
> 18: 48 8b 34 24 mov (%rsp),%rsi
> 1c: 41 89 c0 mov %eax,%r8d
> 1f: 8b 7c 24 08 mov 0x8(%rsp),%edi
> 23: 04 .byte 0x4
> [ 39.580883][ T8449] RSP: 002b:00007ff784587ea0 EFLAGS: 00000293 ORIG_RAX: 000000000000002a
> [ 39.581741][ T8449] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff784f7325b
> [ 39.582553][ T8449] RDX: 0000000000000018 RSI: 00007ff784587ed0 RDI: 0000000000000004
> [ 39.583366][ T8449] RBP: 00007ff784587ef0 R08: 0000000000000000 R09: 00007ff784588700
> [ 39.584179][ T8449] R10: 000055588833861f R11: 0000000000000293 R12: 00007ffcfaa9ae2e
> [ 39.584995][ T8449] R13: 00007ffcfaa9ae2f R14: 00007ff784587fc0 R15: 0000000000802000
> [ 39.585807][ T8449] </TASK>
> [ 39.586299][ T8449] Kernel Offset: disabled
>
>
> Best,
> Shuangpeng
>
>
>
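The pattern described at the top of this reply (a close path that drops its reference to the tty but leaves the cached pointer in place, so a later transmit dereferences freed memory), as an added userspace model. This is not kernel code and not the reporter's reproducer; all names (tty_model, holder, ldisc_close_buggy, ldisc_close_fixed, run_scenario) are constructed for the example, and it assumes the holder owns the last reference so that the put frees the object. A "freed" flag stands in for kfree() and the KASAN report:

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not kernel code. A refcounted object stands in for the
 * tty, and a holder struct stands in for the caif ser_device that caches
 * a pointer to it (like ser->tty). The close path drops its reference;
 * whether it also clears the cached pointer decides whether a later
 * transmit reads freed memory. Names here are constructed for the example.
 */

#define ROOM_UAF    (-1)   /* model's stand-in for the KASAN slab-use-after-free report */
#define ROOM_NO_TTY (-2)   /* transmit found no tty attached and bailed out cleanly */

struct tty_model {
    int refcount;
    int freed;        /* set when the last reference is dropped (kfree in a real kernel) */
    int write_room;   /* what tty_write_room() would return while the object is live */
};

struct holder {
    struct tty_model *tty;   /* cached pointer, like ser->tty */
};

/* Assumption: the holder owns the last reference, so this put frees the object. */
static void tty_model_put(struct tty_model *t)
{
    if (--t->refcount == 0)
        t->freed = 1;
}

/* Stand-in for tty_write_room(): reading a freed object is what KASAN flags. */
static int model_write_room(struct tty_model *t)
{
    if (t->freed)
        return ROOM_UAF;
    return t->write_room;
}

/* Stand-in for handle_tx(): consults the cached tty pointer before transmitting. */
static int model_handle_tx(struct holder *h)
{
    if (!h->tty)
        return ROOM_NO_TTY;
    return model_write_room(h->tty);
}

/* Buggy close: drops the reference but leaves the pointer dangling. */
static void ldisc_close_buggy(struct holder *h)
{
    tty_model_put(h->tty);
}

/* Fixed close: detach the pointer first, then drop the reference. */
static void ldisc_close_fixed(struct holder *h)
{
    struct tty_model *t = h->tty;

    h->tty = NULL;
    tty_model_put(t);
}

/* Open (holder takes the only reference), close, then a late transmit as from connect(). */
int run_scenario(int fixed)
{
    struct tty_model t = { .refcount = 1, .freed = 0, .write_room = 4096 };
    struct holder h = { .tty = &t };

    if (fixed)
        ldisc_close_fixed(&h);
    else
        ldisc_close_buggy(&h);

    return model_handle_tx(&h);
}

int main(void)
{
    printf("buggy close, late tx: %d (expect %d)\n", run_scenario(0), ROOM_UAF);
    printf("fixed close, late tx: %d (expect %d)\n", run_scenario(1), ROOM_NO_TTY);
    return 0;
}
```

The model is single-threaded; in the real driver the pointer clear and its readers in the transmit path also need synchronisation (the device's lock or an RCU-style scheme), otherwise a transmit that loaded the pointer just before close still reaches the freed object.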
Download attachment "repro.c" of type "application/octet-stream" (7045 bytes)
Download attachment "ATT42035.config" of type "application/octet-stream" (270069 bytes)