Date:   Wed, 07 Feb 2018 06:13:01 -0800
From:   syzbot <syzbot+6e6a5ec8de31a94cd015@...kaller.appspotmail.com>
To:     davem@...emloft.net, jchapman@...alix.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: general protection fault in pppol2tp_connect

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in pppol2tp_put_sk

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in pppol2tp_put_sk+0xa8/0xb0 net/l2tp/l2tp_ppp.c:457
IPVS: ftp: loaded support on port[0] = 21
Read of size 8 at addr ffff8801cf74fd88 by task syz-executor4/4367

CPU: 1 PID: 4367 Comm: syz-executor4 Not tainted 4.15.0+ #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:252
IPVS: ftp: loaded support on port[0] = 21
  kasan_report_error mm/kasan/report.c:351 [inline]
  kasan_report+0x25b/0x340 mm/kasan/report.c:409
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
  pppol2tp_put_sk+0xa8/0xb0 net/l2tp/l2tp_ppp.c:457
  __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
  rcu_do_batch kernel/rcu/tree.c:2674 [inline]
  invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
  __rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
  rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
IPVS: ftp: loaded support on port[0] = 21
  invoke_softirq kernel/softirq.c:365 [inline]
  irq_exit+0x1cc/0x200 kernel/softirq.c:405
  exiting_irq arch/x86/include/asm/apic.h:541 [inline]
  smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
  apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
  </IRQ>
RIP: 0010:on_stack arch/x86/include/asm/stacktrace.h:41 [inline]
RIP: 0010:update_stack_state+0x19f/0x700 arch/x86/kernel/unwind_frame.c:238
RSP: 0018:ffff8801abd0f340 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
RAX: 0000000000000001 RBX: ffff8801abd0f498 RCX: 0000000000000001
RDX: 1ffff100357a1e9c RSI: ffff8801abd0f4b0 RDI: ffff8801abd0f4e0
RBP: ffff8801abd0f448 R08: ffffed00357a1ea0 R09: ffff8801abd0f4a8
R10: 000000000000000b R11: ffffed00357a1e9f R12: 1ffff100357a1e70
R13: ffffed00357a1e96 R14: dffffc0000000000 R15: ffff8801abd0f4a8
IPVS: ftp: loaded support on port[0] = 21
  __unwind_start+0xfd/0x330 arch/x86/kernel/unwind_frame.c:404
  unwind_start arch/x86/include/asm/unwind.h:54 [inline]
  __save_stack_trace+0x4a/0xd0 arch/x86/kernel/stacktrace.c:43
  save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
  kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
  kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
  kmem_cache_zalloc include/linux/slab.h:691 [inline]
  jbd2_alloc_handle include/linux/jbd2.h:1421 [inline]
  new_handle fs/jbd2/transaction.c:400 [inline]
  jbd2__journal_start+0x1d3/0x9f0 fs/jbd2/transaction.c:425
  __ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:81
  __ext4_journal_start fs/ext4/ext4_jbd2.h:311 [inline]
  ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5937
  __mark_inode_dirty+0x915/0x1170 fs/fs-writeback.c:2129
  generic_update_time+0x2a2/0x370 fs/inode.c:1654
  update_time fs/inode.c:1670 [inline]
  touch_atime+0x26d/0x2f0 fs/inode.c:1742
  file_accessed include/linux/fs.h:2059 [inline]
  iterate_dir+0x451/0x530 fs/readdir.c:56
  SYSC_getdents fs/readdir.c:231 [inline]
  SyS_getdents+0x225/0x450 fs/readdir.c:212
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4517db
RSP: 002b:00007ffcc43e8790 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00000000006fc0c0 RCX: 00000000004517db
RDX: 0000000000008000 RSI: 00000000016e0970 RDI: 0000000000000000
RBP: 0000000000008041 R08: 0000000000000001 R09: 00000000016df940
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000006fc118
R13: 00000000006fc118 R14: 000000000000edb2 R15: 0000000000002710

Allocated by task 4382:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
  __do_kmalloc mm/slab.c:3705 [inline]
  __kmalloc+0x162/0x760 mm/slab.c:3714
  kmalloc include/linux/slab.h:517 [inline]
  kzalloc include/linux/slab.h:701 [inline]
  l2tp_session_create+0x100/0xe50 net/l2tp/l2tp_core.c:1738
  pppol2tp_session_prep+0x2fc/0xa40 net/l2tp/l2tp_ppp.c:711
  pppol2tp_connect+0x74a/0x1550 net/l2tp/l2tp_ppp.c:856
  SYSC_connect+0x213/0x4a0 net/socket.c:1639
  SyS_connect+0x24/0x30 net/socket.c:1620
  entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 4367:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
  __cache_free mm/slab.c:3485 [inline]
  kfree+0xd6/0x260 mm/slab.c:3800
  pppol2tp_put_sk+0x4c/0xb0 net/l2tp/l2tp_ppp.c:456
  __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
  rcu_do_batch kernel/rcu/tree.c:2674 [inline]
  invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
  __rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
  rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801cf74fb00
  which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 648 bytes inside of
  1024-byte region [ffff8801cf74fb00, ffff8801cf74ff00)
The buggy address belongs to the page:
page:ffffea00073dd380 count:1 mapcount:0 mapping:ffff8801cf74e000 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cf74e000 0000000000000000 0000000100000007
raw: ffffea00073c3b20 ffffea00073df820 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801cf74fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8801cf74fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801cf74fd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff8801cf74fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8801cf74fe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.
Raw console output is attached.

