lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 18 May 2019 08:50:00 -0700
From:   syzbot <syzbot+200d4bb11b23d929335f@...kaller.appspotmail.com>
To:     andreyknvl@...gle.com, chunkeey@...il.com, chunkeey@...glemail.com,
        davem@...emloft.net, kvalo@...eaurora.org,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        oneukum@...e.com, stern@...land.harvard.edu,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in p54u_load_firmware_cb

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb

usb 6-1: Direct firmware load for isl3887usb failed with error -2
p54u_load_firmware_cb: priv->udev = ffff88809ad5bb80
usb 6-1: Firmware not found.
==================================================================
BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb+0x3c9/0x45f  
drivers/net/wireless/intersil/p54/p54usb.c:937
Read of size 8 at addr ffff88809abab588 by task kworker/1:8/5526

CPU: 1 PID: 5526 Comm: kworker/1:8 Not tainted 5.1.0-rc3-g43151d6-dirty #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe8/0x16e lib/dump_stack.c:113
  print_address_description+0x6c/0x236 mm/kasan/report.c:187
  kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
  p54u_load_firmware_cb+0x3c9/0x45f  
drivers/net/wireless/intersil/p54/p54usb.c:937
  request_firmware_work_func+0x12d/0x249  
drivers/base/firmware_loader/main.c:785
  process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
  worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
  kthread+0x313/0x420 kernel/kthread.c:253
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 5503:
  set_track mm/kasan/common.c:87 [inline]
  __kasan_kmalloc mm/kasan/common.c:497 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
  slab_post_alloc_hook mm/slab.h:437 [inline]
  slab_alloc_node mm/slub.c:2756 [inline]
  __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
  __kmalloc_reserve.isra.0+0x3e/0xf0 net/core/skbuff.c:140
  __alloc_skb+0xf4/0x5a0 net/core/skbuff.c:208
  alloc_skb include/linux/skbuff.h:1058 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
  netlink_sendmsg+0x8db/0xcd0 net/netlink/af_netlink.c:1900
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xda/0x130 net/socket.c:661
  ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
  __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5503:
  set_track mm/kasan/common.c:87 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
  slab_free_hook mm/slub.c:1429 [inline]
  slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1456
  slab_free mm/slub.c:3003 [inline]
  kfree+0xce/0x290 mm/slub.c:3958
  skb_free_head+0x90/0xb0 net/core/skbuff.c:557
  skb_release_data+0x543/0x8b0 net/core/skbuff.c:577
  skb_release_all+0x4b/0x60 net/core/skbuff.c:631
  __kfree_skb net/core/skbuff.c:645 [inline]
  consume_skb net/core/skbuff.c:705 [inline]
  consume_skb+0xc5/0x2f0 net/core/skbuff.c:699
  netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
  netlink_unicast+0x4e2/0x690 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x810/0xcd0 net/netlink/af_netlink.c:1925
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xda/0x130 net/socket.c:661
  ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
  __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809abab180
  which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes to the right of
  1024-byte region [ffff88809abab180, ffff88809abab580)
The buggy address belongs to the page:
page:ffffea00026aea00 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0  
compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88809abab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88809abab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809abab580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffff88809abab600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88809abab680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=108a0108a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1292f852a00000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ