lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <8b8887b0-ae4f-20af-d3d1-bb2082a66f8d@huawei.com>
Date:   Wed, 26 Oct 2022 14:32:52 +0800
From:   zhongbaisong <zhongbaisong@...wei.com>
To:     Linux MM <linux-mm@...ck.org>, <netdev@...r.kernel.org>,
        <bpf@...r.kernel.org>, <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>, <wangkefeng@...wei.com>
Subject: [Bug]KFENCE: use-after-free in __skb_clone


Hi,
We observed a crash "KFENCE: use-after-free in __skb_clone" during fuzzing.

It's a frequent occurrance in aarch64 and the codepath is always the 
same,but cannot be reproduced in x86_64.

Detailed crash information is as follows:
-----------------------------------------

- Kernel commit:
89bf6e28373beef

- Crash report:

  BUG: KFENCE: use-after-free read in __skb_clone+0x214/0x280

  Use-after-free read at 0xffff00022250306f (in kfence-#250):
   __skb_clone+0x214/0x280
   skb_clone+0xb4/0x180
   bpf_clone_redirect+0x60/0x190
   bpf_prog_207b739f41707f89+0x88/0xb8
   bpf_test_run+0x2dc/0x4fc
   bpf_prog_test_run_skb+0x4ac/0x7d0
   __sys_bpf+0x700/0x1020
   __arm64_sys_bpf+0x4c/0x60
   invoke_syscall+0x64/0x190
   el0_svc_common.constprop.0+0x88/0x200
   do_el0_svc+0x3c/0x50
   el0_svc+0x68/0xd0
   el0t_64_sync_handler+0xb4/0x130
   el0t_64_sync+0x16c/0x170

  kfence-#250: 0xffff000222503000-0xffff00022250318e, size=399, 
cache=kmalloc-512

  allocated by task 2970 on cpu 0 at 65.981345s:
   bpf_test_init.isra.0+0x68/0x100
   bpf_prog_test_run_skb+0x114/0x7d0
   __sys_bpf+0x700/0x1020
   __arm64_sys_bpf+0x4c/0x60
   invoke_syscall+0x64/0x190
   el0_svc_common.constprop.0+0x88/0x200
   do_el0_svc+0x3c/0x50
   el0_svc+0x68/0xd0
   el0t_64_sync_handler+0xb4/0x130
   el0t_64_sync+0x16c/0x170

  CPU: 0 PID: 2970 Comm: syz Tainted: G    B   W 
6.1.0-rc2-next-20221025 #140
  Hardware name: linux,dummy-virt (DT)
  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : __skb_clone+0x214/0x280
  lr : __skb_clone+0x208/0x280
  sp : ffff80000fc37630
  x29: ffff80000fc37630 x28: ffff80000fc37bd0 x27: ffff80000fc37720
  x26: ffff000222503000 x25: 000000000000028f x24: ffff0000d0898d5c
  x23: ffff0000d08997c0 x22: ffff0000d089977e x21: ffff00022250304f
  x20: ffff0000d0899700 x19: ffff0000d0898c80 x18: 0000000000000000
  x17: ffff800008379bbc x16: ffff800008378ee0 x15: ffff800008379bbc
  x14: ffff800008378ee0 x13: 0040004effff0008 x12: ffff6000444a060f
  x11: 1fffe000444a060e x10: ffff6000444a060e x9 : dfff800000000000
  x8 : ffff000222503072 x7 : 00009fffbbb5f9f3 x6 : 0000000000000002
  x5 : ffff00022250306f x4 : ffff6000444a060f x3 : ffff8000096fb2a8
  x2 : 0000000000000001 x1 : ffff00022250306f x0 : 0000000000000001
  Call trace:
   __skb_clone+0x214/0x280
   skb_clone+0xb4/0x180
   bpf_clone_redirect+0x60/0x190
   bpf_prog_207b739f41707f89+0x88/0xb8
   bpf_test_run+0x2dc/0x4fc
   bpf_prog_test_run_skb+0x4ac/0x7d0
   __sys_bpf+0x700/0x1020
   __arm64_sys_bpf+0x4c/0x60
   invoke_syscall+0x64/0x190
   el0_svc_common.constprop.0+0x88/0x200
   do_el0_svc+0x3c/0x50
   el0_svc+0x68/0xd0
   el0t_64_sync_handler+0xb4/0x130
   el0t_64_sync+0x16c/0x170

Do you have any suggestion for this issue?
Thank you.

Best Regards,
Baisong Zhong


View attachment "config" of type "text/plain" (198005 bytes)

View attachment "reproduce.c" of type "text/plain" (18997 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ