Message-ID: <001a1134eab465080405649fc427@google.com>
Date: Wed, 07 Feb 2018 06:04:01 -0800
From: syzbot <syzbot+9df43faf09bd400f2993@...kaller.appspotmail.com>
To: davem@...emloft.net, jchapman@...alix.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: KASAN: use-after-free Read in pppol2tp_connect
Hello,
syzbot has tested the proposed patch but the reproducer still triggered a
crash:
KASAN: use-after-free Read in pppol2tp_put_sk
==================================================================
BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0
net/l2tp/l2tp_ppp.c:457
Read of size 8 at addr ffff8801cdf5b4c8 by task syz-executor3/4335
CPU: 0 PID: 4335 Comm: syz-executor3 Not tainted 4.15.0+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
pppol2tp_put_sk+0xa8/0xb0 net/l2tp/l2tp_ppp.c:457
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
</IRQ>
RIP: 0010:ext4_generic_delete_entry+0x0/0x470 fs/ext4/ext4.h:1729
RSP: 0018:ffff8801ac8e7bf0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
RAX: 0000000000000000 RBX: ffff8801d0a0e770 RCX: ffff8801a8a701f8
RDX: ffff8801bcc20018 RSI: ffff8801d0a0e770 RDI: ffff8801a8982940
RBP: ffff8801ac8e7ca0 R08: ffff8801bcc20000 R09: 0000000000001000
R10: ffff8801ac8e79d0 R11: 0000000000000004 R12: 1ffff1003591cf83
R13: ffff8801a8a701f8 R14: ffff8801a8982940 R15: ffff8801d0a0e798
ext4_rmdir+0x5fa/0xdc0 fs/ext4/namei.c:2955
vfs_rmdir+0x216/0x410 fs/namei.c:3858
do_rmdir+0x4c8/0x5f0 fs/namei.c:3918
SYSC_rmdir fs/namei.c:3936 [inline]
SyS_rmdir+0x1a/0x20 fs/namei.c:3934
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452c77
RSP: 002b:00007ffc113fcbb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000452c77
RDX: 0000000000000000 RSI: 00007ffc113fdcb0 RDI: 00007ffc113fdcb0
RBP: 00007ffc113fdcb0 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000002446940
R13: 0000000000000000 R14: 0000000000010961 R15: 0000000000000001
Allocated by task 4352:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3705 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3714
kmalloc include/linux/slab.h:517 [inline]
kzalloc include/linux/slab.h:701 [inline]
l2tp_session_create+0x100/0xe50 net/l2tp/l2tp_core.c:1738
pppol2tp_session_prep+0x2fc/0xa40 net/l2tp/l2tp_ppp.c:711
pppol2tp_connect+0x74a/0x1550 net/l2tp/l2tp_ppp.c:856
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
entry_SYSCALL_64_fastpath+0x29/0xa0
Freed by task 4335:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3485 [inline]
kfree+0xd6/0x260 mm/slab.c:3800
pppol2tp_put_sk+0x4c/0xb0 net/l2tp/l2tp_ppp.c:456
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
The buggy address belongs to the object at ffff8801cdf5b240
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 648 bytes inside of
1024-byte region [ffff8801cdf5b240, ffff8801cdf5b640)
The buggy address belongs to the page:
page:ffffea000737d680 count:1 mapcount:0 mapping:ffff8801cdf5a040 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cdf5a040 0000000000000000 0000000100000007
raw: ffffea0007340ba0 ffffea0006a61620 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801cdf5b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cdf5b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801cdf5b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cdf5b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cdf5b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
commit 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.
Raw console output is attached.
Attachments:
patch.diff (text/plain, 38601 bytes)
raw.log.txt (text/plain, 12888 bytes)
config.txt (text/plain, 136131 bytes)
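Editor's note, with an added example that is not code from the report, from the patch under test, or from the kernel. The report above is precise about the ordering defect: the 1024-byte object allocated in l2tp_session_create() is freed by kfree() at net/l2tp/l2tp_ppp.c:456 inside the RCU callback pppol2tp_put_sk(), and the very next line (:457) of the same callback performs an 8-byte read 648 bytes into that object, which KASAN catches because the whole region is already marked 0xfb (its "freed" shadow value, visible in the "Memory state" dump). The user-space model below reproduces that pattern with a toy shadow allocator that poisons freed memory the way KASAN does, so the free-then-read ordering is flagged and the read-then-free ordering is not. The struct, field and function names (toy_session, owner_sock, buggy_put, fixed_put) are assumptions for illustration, not the kernel's.

```c
/* Added example: user-space model of a free-then-read ordering bug in a
 * callback, checked by a tiny KASAN-like shadow allocator. Not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 8192
#define SHADOW_LIVE  0x01   /* byte is inside a live allocation   */
#define SHADOW_FREED 0xfb   /* KASAN's marker for freed slab memory */

static uint8_t arena[ARENA_SIZE];   /* backing store for the toy allocator   */
static uint8_t shadow[ARENA_SIZE];  /* one shadow byte per arena byte (0 = never allocated) */
static size_t  arena_top;
static int     uaf_reports;         /* reads that landed on freed memory    */

/* Bump allocator that never reuses memory, so a stale pointer keeps pointing
 * at its own poisoned bytes (the effect KASAN's quarantine gives the kernel). */
static void *toy_alloc(size_t n)
{
    if (arena_top + n > ARENA_SIZE)
        return NULL;
    void *p = arena + arena_top;
    memset(shadow + arena_top, SHADOW_LIVE, n);
    arena_top += n;
    return p;
}

static void toy_free(void *p, size_t n)
{
    size_t off = (uint8_t *)p - arena;
    memset(shadow + off, SHADOW_FREED, n);
    memset(p, 0x6b, n);              /* poison contents, like the kernel's POISON_FREE */
}

/* Checked 8-byte load: the counterpart of __asan_report_load8_noabort in the report. */
static uint64_t toy_load8(const void *p)
{
    size_t off = (const uint8_t *)p - arena;
    for (size_t i = 0; i < 8; i++) {
        if (shadow[off + i] != SHADOW_LIVE) {
            uaf_reports++;
            fprintf(stderr, "toy-kasan: use-after-free read of size 8 at arena offset %zu\n", off);
            break;
        }
    }
    uint64_t v;
    memcpy(&v, p, 8);
    return v;
}

/* Stand-in for the 1024-byte session object (hypothetical layout). The
 * report's buggy read is 648 bytes into the object, so put the field there. */
struct toy_session {
    uint8_t  pad[648];
    uint64_t owner_sock;             /* what the callback still wants after the free */
    uint8_t  rest[1024 - 648 - 8];
};

struct session_ctx { struct toy_session *sess; };

/* Buggy ordering: free the object, then read a field of it. */
static uint64_t buggy_put(struct session_ctx *ctx)
{
    struct toy_session *s = ctx->sess;
    toy_free(s, sizeof *s);
    return toy_load8(&s->owner_sock);   /* use-after-free: shadow is 0xfb here */
}

/* Fixed ordering: copy out everything needed, then free and drop the pointer. */
static uint64_t fixed_put(struct session_ctx *ctx)
{
    struct toy_session *s = ctx->sess;
    uint64_t owner = toy_load8(&s->owner_sock);
    toy_free(s, sizeof *s);
    ctx->sess = NULL;
    return owner;
}

struct put_result { int reports; uint64_t value; };

/* Run one callback variant on a fresh session; report how many UAF reads it
 * produced (1 expected for buggy_put, 0 for fixed_put) and what it read. */
static struct put_result run_put(uint64_t (*put)(struct session_ctx *))
{
    struct put_result r = { -1, 0 };
    struct toy_session *s = toy_alloc(sizeof *s);
    if (!s)
        return r;
    s->owner_sock = 0x1234;
    struct session_ctx ctx = { s };
    int before = uaf_reports;
    r.value = put(&ctx);
    r.reports = uaf_reports - before;
    return r;
}

int main(void)
{
    printf("buggy ordering: %d UAF report(s)\n", run_put(buggy_put).reports);
    printf("fixed ordering: %d UAF report(s)\n", run_put(fixed_put).reports);
    return 0;
}
```

The point of the model is the check, not the allocator: a real kernel fix also has to consider who else may still hold the pointer once the RCU grace period ends, which a single-threaded toy cannot show; the report's second trace (freed by one task, read by another) is the hint that the patch under test had not yet resolved that part.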