lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Oct 2019 06:53:09 -0700 From: syzbot <syzbot+0cd01c9e0f5cd37a357e@...kaller.appspotmail.com> To: ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net, hawk@...nel.org, jakub.kicinski@...ronome.com, john.fastabend@...il.com, kafai@...com, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, songliubraving@...com, syzkaller-bugs@...glegroups.com, yhs@...com Subject: KASAN: use-after-free Read in is_bpf_text_address Hello, syzbot found the following crash on: HEAD commit: 4fe34d61 Merge branch 'x86-urgent-for-linus' of git://git... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=15b01a60e00000 kernel config: https://syzkaller.appspot.com/x/.config?x=f0a8b0a0736a2ac1 dashboard link: https://syzkaller.appspot.com/bug?extid=0cd01c9e0f5cd37a357e compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161f89f7600000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e2d0f8e00000 Bisection is inconclusive: the first bad commit could be any of: 7105e828 bpf: allow for correlation of maps and helpers in dump 74661776 Merge branch 'bpftool-improvements-kallsymfix' 4f74d809 bpf: fix kallsyms handling for subprogs c475ffad tools/bpf: adjust rlimit RLIMIT_MEMLOCK for test_dev_cgroup 5f5a6411 bpf: sparc64: Add JIT support for multi-function programs. 7d9890ef libbpf: Fix build errors. 06ef0ccb bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog fd05e57b bpf: fix stacksafe exploration when comparing states 6b80ad29 bpf: selftest for late caller stack size increase c060bc61 bpf: make function xdp_do_generic_redirect_map() static 4ca998fe selftests/bpf: add netdevsim to config 70a87ffe bpf: fix maximum stack depth tracking logic 5ee7f784 bpf: arm64: fix uninitialized variable 6b86c421 selftests/bpf: additional stack depth tests aada9ce6 bpf: fix max call depth check fa2d41ad bpf: make function skip_callee static and return NULL rather than 0 624588d9 Merge branch 'bpf-stack-depth-tracking-fixes' e90004d5 bpf: fix spelling mistake: "funcation"-> "function" fcffe2ed Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=131a39b0e00000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+0cd01c9e0f5cd37a357e@...kaller.appspotmail.com ================================================================== BUG: KASAN: use-after-free in __lt_find include/linux/rbtree_latch.h:120 [inline] BUG: KASAN: use-after-free in latch_tree_find include/linux/rbtree_latch.h:208 [inline] BUG: KASAN: use-after-free in bpf_prog_kallsyms_find kernel/bpf/core.c:674 [inline] BUG: KASAN: use-after-free in is_bpf_text_address+0x250/0x3b0 kernel/bpf/core.c:709 Read of size 8 at addr ffff8880a366b448 by task syz-executor594/8353 CPU: 1 PID: 8353 Comm: syz-executor594 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113 print_address_description+0x75/0x5c0 mm/kasan/report.c:374 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:634 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __lt_find include/linux/rbtree_latch.h:120 [inline] latch_tree_find include/linux/rbtree_latch.h:208 [inline] bpf_prog_kallsyms_find kernel/bpf/core.c:674 [inline] is_bpf_text_address+0x250/0x3b0 kernel/bpf/core.c:709 kernel_text_address kernel/extable.c:147 [inline] __kernel_text_address+0x9a/0x110 kernel/extable.c:102 unwind_get_return_address+0x4c/0x90 arch/x86/kernel/unwind_frame.c:19 arch_stack_walk+0x98/0xe0 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0xb6/0x150 kernel/stacktrace.c:123 save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slab.c:3262 [inline] kmem_cache_alloc_node+0x235/0x280 mm/slab.c:3574 alloc_vmap_area+0x1eb/0x1b60 mm/vmalloc.c:1094 __get_vm_area_node+0x199/0x320 mm/vmalloc.c:2063 __vmalloc_node_range+0xea/0x860 mm/vmalloc.c:2491 kasan_module_alloc+0x73/0xc0 mm/kasan/common.c:607 module_alloc+0x9a/0xb0 arch/x86/kernel/module.c:80 bpf_jit_alloc_exec+0x15/0x20 bpf_jit_binary_alloc+0xa0/0x1b0 kernel/bpf/core.c:812 bpf_int_jit_compile+0x6f5d/0x7a80 arch/x86/net/bpf_jit_comp.c:1151 jit_subprogs kernel/bpf/verifier.c:8741 [inline] fixup_call_args kernel/bpf/verifier.c:8845 [inline] bpf_check+0xc423/0xe790 kernel/bpf/verifier.c:9349 bpf_prog_load kernel/bpf/syscall.c:1709 [inline] __do_sys_bpf+0x7a4f/0xbef0 kernel/bpf/syscall.c:2866 __se_sys_bpf kernel/bpf/syscall.c:2825 [inline] __x64_sys_bpf+0x7a/0x90 kernel/bpf/syscall.c:2825 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x441449 Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffe2e84b718 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441449 RDX: 0000000000000032 RSI: 0000000020000440 RDI: 0000000000000005 RBP: 0000000000073d8f R08: 0000000000000004 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021c0 R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 8355: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] bpf_prog_alloc_no_stats+0xdc/0x2b0 kernel/bpf/core.c:88 jit_subprogs kernel/bpf/verifier.c:8716 [inline] fixup_call_args kernel/bpf/verifier.c:8845 [inline] bpf_check+0xbe9a/0xe790 kernel/bpf/verifier.c:9349 bpf_prog_load kernel/bpf/syscall.c:1709 [inline] __do_sys_bpf+0x7a4f/0xbef0 kernel/bpf/syscall.c:2866 __se_sys_bpf kernel/bpf/syscall.c:2825 [inline] __x64_sys_bpf+0x7a/0x90 kernel/bpf/syscall.c:2825 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 2923: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x115/0x200 mm/slab.c:3756 bpf_jit_free+0x189/0x1f0 bpf_prog_free_deferred+0x1b9/0x380 kernel/bpf/core.c:1980 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880a366b400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 72 bytes inside of 512-byte region [ffff8880a366b400, ffff8880a366b600) The buggy address belongs to the page: page:ffffea00028d9ac0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea00028b8608 ffffea000249f548 ffff8880aa400a80 raw: 0000000000000000 ffff8880a366b000 0000000100000004 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a366b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a366b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff8880a366b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a366b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a366b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@...glegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this bug, for details see: https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists