Message-ID: <213f493d-1451-ac7c-3208-86c44b73cd00@huawei.com>
Date: Mon, 24 Feb 2020 17:50:19 +0800
From: Yuehaibing <yuehaibing@...wei.com>
To: linux-kernel <linux-kernel@...r.kernel.org>,
<netdev@...r.kernel.org>, <steffen.klassert@...unet.com>
Subject: [stable-Linux 4.4.214] BUG: KASAN: use-after-free in
rcu_accelerate_cbs+0x2f3/0x3c0 at addr ffff88007e419db0
We got this bug report; the config and reproducing procedure are attached.
Any comment is appreciated.
[ 69.865090] ==================================================================
[ 69.866570] BUG: KASAN: use-after-free in rcu_accelerate_cbs+0x2f3/0x3c0 at addr ffff88007e419db0
[ 69.868330] Read of size 8 by task syz-executor.15/2590
[ 69.869361] =============================================================================
[ 69.870969] BUG kmalloc-1024 (Not tainted): kasan: bad access detected
[ 69.872263] -----------------------------------------------------------------------------
[ 69.872263]
[ 69.874137] Disabling lock debugging due to kernel taint
[ 69.875208] INFO: Allocated in xfrm_policy_alloc+0x52/0x430 age=2914 cpu=1 pid=5773
[ 69.876728] ___slab_alloc+0x547/0x5b0
[ 69.877499] __slab_alloc+0x51/0x90
[ 69.878201] kmem_cache_alloc_trace+0x29c/0x370
[ 69.879109] xfrm_policy_alloc+0x52/0x430
[ 69.879923] xfrm_policy_construct+0x29/0x7a0
[ 69.880797] xfrm_add_policy+0x35e/0x7c0
[ 69.881596] xfrm_user_rcv_msg+0x2f0/0x5d0
[ 69.882420] netlink_rcv_skb+0x24a/0x350
[ 69.883204] xfrm_netlink_rcv+0x6e/0x90
[ 69.883980] netlink_unicast+0x413/0x5a0
[ 69.884772] netlink_sendmsg+0x987/0xbb0
[ 69.885566] sock_sendmsg+0xbc/0xf0
[ 69.886264] ___sys_sendmsg+0x663/0x7b0
[ 69.887034] __sys_sendmsg+0xd2/0x170
[ 69.887775] SyS_sendmsg+0x12/0x20
[ 69.888473] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 69.889408] INFO: Freed in xfrm_policy_destroy_rcu+0x49/0x60 age=16 cpu=3 pid=5874
[ 69.890904] __slab_free+0x1bc/0x280
[ 69.891632] kfree+0x168/0x2e0
[ 69.892250] xfrm_policy_destroy_rcu+0x49/0x60
[ 69.893149] rcu_process_callbacks+0xc5c/0x13a0
[ 69.894061] __do_softirq+0x250/0x9a0
[ 69.894807] irq_exit+0x213/0x260
[ 69.895487] smp_apic_timer_interrupt+0x86/0xb0
[ 69.896400] apic_timer_interrupt+0xad/0xc0
[ 69.897236] finish_task_switch+0x157/0x680
[ 69.898081] __schedule+0x90a/0x1b70
[ 69.898806] schedule+0x9c/0x1b0
[ 69.899467] futex_wait_queue_me+0x2dd/0x590
[ 69.900326] futex_wait+0x1fb/0x5a0
[ 69.901025] do_futex+0x1dd/0x920
[ 69.901698] SyS_futex+0x1a4/0x280
[ 69.902367] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 69.903254] INFO: Slab 0xffffea0001f90600 objects=24 used=12 fp=0xffff88007e418f90 flags=0x1fffff80004080
[ 69.905140] INFO: Object 0xffff88007e4199f0 @offset=6640 fp=0xffff88007e41a980
[ 69.905140]
[ 69.906804] Bytes b4 ffff88007e4199e0: 03 00 00 00 ad 16 00 00 7a 68 fc ff 00 00 00 00 ........zh......
[ 69.908675] Object ffff88007e4199f0: 80 a9 41 7e 00 88 ff ff 00 01 00 00 00 00 ad de ..A~............
[ 69.910474] Object ffff88007e419a00: 00 02 00 00 00 00 ad de 00 01 00 00 00 00 ad de ................
[ 69.912255] Object ffff88007e419a10: 00 02 00 00 00 00 ad de 00 00 00 00 00 00 00 00 ................
[ 69.914083] Object ffff88007e419a20: ed 1e af de ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 69.915920] Object ffff88007e419a30: 60 e3 6f 84 ff ff ff ff 40 a3 f7 83 ff ff ff ff `.o.....@.......
[ 69.917752] Object ffff88007e419a40: 00 00 00 00 00 00 00 00 00 d3 b6 82 ff ff ff ff ................
[ 69.919539] Object ffff88007e419a50: 00 00 00 00 00 00 00 00 00 02 00 00 00 00 ad de ................
[ 69.921346] Object ffff88007e419a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 80 ................
[ 69.923165] Object ffff88007e419a70: c0 5c 49 82 ff ff ff ff f0 99 41 7e 00 88 ff ff .\I.......A~....
[ 69.924967] Object ffff88007e419a80: 01 00 00 00 ff ff ff ff 20 e3 6f 84 ff ff ff ff ........ .o.....
[ 69.926800] Object ffff88007e419a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.928581] Object ffff88007e419aa0: 80 d3 b6 82 ff ff ff ff 00 db b6 82 ff ff ff ff ................
[ 69.930414] Object ffff88007e419ab0: 01 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 ........x.......
[ 69.932240] Object ffff88007e419ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.934072] Object ffff88007e419ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.935944] Object ffff88007e419ae0: 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 ................
[ 69.937797] Object ffff88007e419af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.939633] Object ffff88007e419b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.941467] Object ffff88007e419b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.943314] Object ffff88007e419b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 46 76 64 .............Fvd
[ 69.945111] Object ffff88007e419b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.946927] Object ffff88007e419b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.948751] Object ffff88007e419b50: fd 84 53 5e 00 00 00 00 00 00 00 00 00 00 00 00 ..S^............
[ 69.950562] Object ffff88007e419b60: 60 9b 41 7e 00 88 ff ff 60 9b 41 7e 00 88 ff ff `.A~....`.A~....
[ 69.952398] Object ffff88007e419b70: 01 00 00 00 00 00 00 00 78 9b 41 7e 00 88 ff ff ........x.A~....
[ 69.954221] Object ffff88007e419b80: 78 9b 41 7e 00 88 ff ff 00 00 00 00 00 00 00 00 x.A~............
[ 69.956059] Object ffff88007e419b90: 02 00 02 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
[ 69.957890] Object ffff88007e419ba0: ff ff ff ff ff ff ff ff a0 e2 6f 84 ff ff ff ff ..........o.....
[ 69.959725] Object ffff88007e419bb0: 20 99 f7 83 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 69.961552] Object ffff88007e419bc0: 40 d3 b6 82 ff ff ff ff 00 00 00 00 00 00 00 00 @...............
[ 69.963381] Object ffff88007e419bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.965211] Object ffff88007e419be0: 70 0c 4a 82 ff ff ff ff f0 99 41 7e 00 88 ff ff p.J.......A~....
[ 69.967046] Object ffff88007e419bf0: 01 00 00 00 ff ff ff ff e0 e2 6f 84 ff ff ff ff ..........o.....
[ 69.968870] Object ffff88007e419c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.970612] Object ffff88007e419c10: c0 d3 b6 82 ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 69.972440] Object ffff88007e419c20: 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.974259] Object ffff88007e419c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.976097] Object ffff88007e419c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.977931] Object ffff88007e419c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.979763] Object ffff88007e419c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.981565] Object ffff88007e419c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.983397] Object ffff88007e419c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.985224] Object ffff88007e419c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.987057] Object ffff88007e419ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.988889] Object ffff88007e419cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.990728] Object ffff88007e419cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.992545] Object ffff88007e419cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.994315] Object ffff88007e419ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.996135] Object ffff88007e419cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.997968] Object ffff88007e419d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 69.999801] Object ffff88007e419d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.001636] Object ffff88007e419d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.003467] Object ffff88007e419d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.005305] Object ffff88007e419d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.007156] Object ffff88007e419d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.008692] Object ffff88007e419d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.010140] Object ffff88007e419d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.011587] Object ffff88007e419d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.013020] Object ffff88007e419d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.014472] Object ffff88007e419da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.015911] Object ffff88007e419db0: 00 00 00 00 00 00 00 00 90 d1 48 82 ff ff ff ff ..........H.....
[ 70.017367] Object ffff88007e419dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.018805] Object ffff88007e419dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.020245] Object ffff88007e419de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 70.021690] CPU: 1 PID: 2590 Comm: syz-executor.15 Tainted: G B 4.4.214-514.55.6.9.x86_64 #1
[ 70.023167] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 70.024635] 0000000000000000 1ca8148cac7f79fe ffff8803aee87c00 ffffffff819acbbb
[ 70.025872] ffff880187c07180 ffff88007e4199f0 ffff8803aee87c30 ffffffff815c0359
[ 70.027107] ffff880187c07180 ffffea0001f90600 ffff88007e4199f0 0000000000000000
[ 70.028347] Call Trace:
[ 70.028740] <IRQ> [<ffffffff819acbbb>] dump_stack+0x8f/0xd4
[ 70.029673] [<ffffffff815c0359>] print_trailer+0xf9/0x150
[ 70.030532] [<ffffffff815c7cb4>] object_err+0x34/0x40
[ 70.031340] [<ffffffff815ca652>] kasan_report.part.2+0x232/0x530
[ 70.032297] [<ffffffff81259f17>] ? trigger_load_balance+0x147/0xca0
[ 70.033285] [<ffffffff812da023>] ? rcu_accelerate_cbs+0x2f3/0x3c0
[ 70.034253] [<ffffffff8128536b>] ? perf_trace_lock+0xbb/0x4b0
[ 70.035171] [<ffffffff815caa0e>] __asan_report_load8_noabort+0x2e/0x30
[ 70.036201] [<ffffffff812da023>] rcu_accelerate_cbs+0x2f3/0x3c0
[ 70.037147] [<ffffffff812da24d>] rcu_advance_cbs+0x15d/0x4a0
[ 70.038046] [<ffffffff812e3336>] ? note_gp_changes+0xa6/0x1e0
[ 70.038962] [<ffffffff812da607>] __note_gp_changes+0x77/0x4c0
[ 70.039872] [<ffffffff812e340d>] note_gp_changes+0x17d/0x1e0
[ 70.040777] [<ffffffff812e52ac>] rcu_process_callbacks+0x11c/0x13a0
[ 70.041766] [<ffffffff812f3920>] ? msleep_interruptible+0x1b0/0x1b0
[ 70.042762] [<ffffffff8128c9e8>] ? mark_held_locks+0xc8/0x120
[ 70.043675] [<ffffffff81196510>] __do_softirq+0x250/0x9a0
[ 70.044540] [<ffffffff81197003>] irq_exit+0x213/0x260
[ 70.045347] [<ffffffff82659cb6>] smp_apic_timer_interrupt+0x86/0xb0
[ 70.046342] [<ffffffff8265776d>] apic_timer_interrupt+0xad/0xc0
[ 70.047272] <EOI> [<ffffffff812938f8>] ? lock_release+0x6f8/0xc90
[ 70.048276] [<ffffffff81828f65>] ? task_has_perm+0x5/0x2e0
[ 70.049147] [<ffffffff818290fe>] ? task_has_perm+0x19e/0x2e0
[ 70.050053] [<ffffffff8182911d>] task_has_perm+0x1bd/0x2e0
[ 70.050927] [<ffffffff81828f65>] ? task_has_perm+0x5/0x2e0
[ 70.051802] [<ffffffff8182925c>] selinux_task_wait+0x1c/0x20
[ 70.052702] [<ffffffff8180d295>] security_task_wait+0x65/0x90
[ 70.053616] [<ffffffff8118ac01>] wait_consider_task+0x241/0x3760
[ 70.054570] [<ffffffff812d5087>] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 70.055604] [<ffffffff8118a9c0>] ? release_task+0x1310/0x1310
[ 70.056520] [<ffffffff8118e3ad>] ? do_wait+0x28d/0x920
[ 70.057341] [<ffffffff8128ce3e>] ? trace_hardirqs_on_caller+0x3fe/0x580
[ 70.058384] [<ffffffff8118e437>] do_wait+0x317/0x920
[ 70.059172] [<ffffffff8118e120>] ? wait_consider_task+0x3760/0x3760
[ 70.060168] [<ffffffff8154a43b>] ? __might_fault+0xcb/0x1b0
[ 70.061051] [<ffffffff8154a466>] ? __might_fault+0xf6/0x1b0
[ 70.061937] [<ffffffff81192882>] SyS_wait4+0xf2/0x1b0
[ 70.062742] [<ffffffff81192790>] ? SyS_waitid+0x270/0x270
[ 70.063601] [<ffffffff81189000>] ? task_stopped_code+0x100/0x100
[ 70.064551] [<ffffffff81005044>] ? lockdep_sys_exit_thunk+0x12/0x14
[ 70.065542] [<ffffffff826567e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 70.066544] Memory state around the buggy address:
[ 70.067302] ffff88007e419c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.068425] ffff88007e419d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.069550] >ffff88007e419d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 70.070674] ^
[ 70.071438] ffff88007e419e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.072564] ffff88007e419e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.073683] ==================================================================
View attachment "xfrm.log" of type "text/plain" (1916 bytes)
View attachment "config" of type "text/plain" (152671 bytes)