| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jun 2022 05:00:31 -0700
From: syzbot <syzbot+04b20e641c99a5d99ac2@...kaller.appspotmail.com>
To: andrii@...nel.org, anton@...msg.org, ast@...nel.org,
bpf@...r.kernel.org, ccross@...roid.com, daniel@...earbox.net,
eparis@...isplace.org, john.fastabend@...il.com, kafai@...com,
keescook@...omium.org, kpsingh@...nel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
paul@...l-moore.com, selinux@...r.kernel.org,
songliubraving@...com, stephen.smalley.work@...il.com,
syzkaller-bugs@...glegroups.com, tony.luck@...el.com, yhs@...com
Subject: [syzbot] KASAN: use-after-free Read in selinux_socket_recvmsg
Hello,
syzbot found the following issue on:
HEAD commit: 941e3e791269 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175b3f90080000
kernel config: https://syzkaller.appspot.com/x/.config?x=3a010dbf6a7af480
dashboard link: https://syzkaller.appspot.com/bug?extid=04b20e641c99a5d99ac2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+04b20e641c99a5d99ac2@...kaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in sock_has_perm security/selinux/hooks.c:4535 [inline]
BUG: KASAN: use-after-free in selinux_socket_recvmsg+0x278/0x2b0 security/selinux/hooks.c:4899
Read of size 8 at addr ffff8880787ec480 by task syz-executor.3/5491
CPU: 0 PID: 5491 Comm: syz-executor.3 Not tainted 5.19.0-rc4-syzkaller-00014-g941e3e791269 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
sock_has_perm security/selinux/hooks.c:4535 [inline]
selinux_socket_recvmsg+0x278/0x2b0 security/selinux/hooks.c:4899
security_socket_recvmsg+0x5c/0xc0 security/security.c:2223
sock_recvmsg net/socket.c:1011 [inline]
____sys_recvmsg+0x23b/0x600 net/socket.c:2711
___sys_recvmsg+0x127/0x200 net/socket.c:2753
do_recvmmsg+0x254/0x6d0 net/socket.c:2847
__sys_recvmmsg net/socket.c:2926 [inline]
__do_sys_recvmmsg net/socket.c:2949 [inline]
__se_sys_recvmmsg net/socket.c:2942 [inline]
__x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2942
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa488689109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa4875dd168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fa48879c100 RCX: 00007fa488689109
RDX: 00000000000005dd RSI: 0000000020000540 RDI: 0000000000000004
RBP: 00007fa4886e305d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000040012062 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd8d55b81f R14: 00007fa4875dd300 R15: 0000000000022000
</TASK>
Allocated by task 5468:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
kasan_kmalloc include/linux/kasan.h:234 [inline]
__do_kmalloc mm/slab.c:3696 [inline]
__kmalloc+0x209/0x4d0 mm/slab.c:3705
kmalloc include/linux/slab.h:605 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1975
sk_alloc+0x36/0x770 net/core/sock.c:2028
nr_create+0xb2/0x5f0 net/netrom/af_netrom.c:433
__sock_create+0x353/0x790 net/socket.c:1515
sock_create net/socket.c:1566 [inline]
__sys_socket_create net/socket.c:1603 [inline]
__sys_socket_create net/socket.c:1588 [inline]
__sys_socket+0x12f/0x240 net/socket.c:1636
__do_sys_socket net/socket.c:1649 [inline]
__se_sys_socket net/socket.c:1647 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 15:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:200 [inline]
__cache_free mm/slab.c:3425 [inline]
kfree+0x113/0x310 mm/slab.c:3796
sk_prot_free net/core/sock.c:2011 [inline]
__sk_destruct+0x5e5/0x710 net/core/sock.c:2097
sk_destruct net/core/sock.c:2112 [inline]
__sk_free+0x1a4/0x4a0 net/core/sock.c:2123
sk_free+0x78/0xa0 net/core/sock.c:2134
sock_put include/net/sock.h:1927 [inline]
nr_heartbeat_expiry+0x2de/0x460 net/netrom/nr_timer.c:148
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x29b/0x9c2 kernel/softirq.c:571
The buggy address belongs to the object at ffff8880787ec000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1152 bytes inside of
2048-byte region [ffff8880787ec000, ffff8880787ec800)
The buggy address belongs to the physical page:
page:ffffea0001e1fb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x787ec
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000099a248 ffffea0001e40888 ffff888011840800
raw: 0000000000000000 ffff8880787ec000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x3420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 5390, tgid 5382 (syz-executor.5), ts 476769442431, free_ts 475866169421
prep_new_page mm/page_alloc.c:2456 [inline]
get_page_from_freelist+0x1290/0x3b70 mm/page_alloc.c:4198
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
__alloc_pages_node include/linux/gfp.h:587 [inline]
kmem_getpages mm/slab.c:1363 [inline]
cache_grow_begin+0x75/0x350 mm/slab.c:2569
cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
____cache_alloc mm/slab.c:3024 [inline]
____cache_alloc mm/slab.c:3007 [inline]
__do_cache_alloc mm/slab.c:3253 [inline]
slab_alloc mm/slab.c:3295 [inline]
__do_kmalloc mm/slab.c:3694 [inline]
__kmalloc_track_caller+0x3b0/0x4d0 mm/slab.c:3711
__do_krealloc mm/slab_common.c:1185 [inline]
krealloc+0x87/0xf0 mm/slab_common.c:1218
krealloc_array include/linux/slab.h:660 [inline]
snd_pcm_hw_rule_add+0x41c/0x590 sound/core/pcm_lib.c:1133
snd_pcm_hw_constraints_init sound/core/pcm_native.c:2582 [inline]
snd_pcm_open_substream+0x958/0x1820 sound/core/pcm_native.c:2733
snd_pcm_oss_open_file sound/core/oss/pcm_oss.c:2454 [inline]
snd_pcm_oss_open.part.0+0x6dc/0x1320 sound/core/oss/pcm_oss.c:2535
snd_pcm_oss_open+0x3c/0x50 sound/core/oss/pcm_oss.c:2499
soundcore_open+0x44e/0x620 sound/sound_core.c:593
chrdev_open+0x266/0x770 fs/char_dev.c:414
do_dentry_open+0x4a1/0x11f0 fs/open.c:848
do_open fs/namei.c:3520 [inline]
path_openat+0x1c71/0x2910 fs/namei.c:3653
do_filp_open+0x1aa/0x400 fs/namei.c:3680
do_sys_openat2+0x16d/0x4c0 fs/open.c:1278
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:359
apply_to_pte_range mm/memory.c:2625 [inline]
apply_to_pmd_range mm/memory.c:2669 [inline]
apply_to_pud_range mm/memory.c:2705 [inline]
apply_to_p4d_range mm/memory.c:2741 [inline]
__apply_to_page_range+0x686/0x1030 mm/memory.c:2775
kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:469
__purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1722
drain_vmap_area_work+0x52/0xe0 mm/vmalloc.c:1751
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
Memory state around the buggy address:
ffff8880787ec380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880787ec400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880787ec480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880787ec500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880787ec580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists