Date: Sat, 3 Jun 2023 02:52:44 -0700
From: Palash Oswal <oswalpalash@...il.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, 
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
	Alexander Duyck <alexanderduyck@...com>, Pavel Begunkov <asml.silence@...il.com>, 
	Jesper Dangaard Brouer <brouer@...hat.com>, Menglong Dong <imagedong@...cent.com>, 
	Kees Cook <keescook@...omium.org>, netdev@...r.kernel.org, 
	LKML <linux-kernel@...r.kernel.org>, 
	syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: KASAN: slab-use-after-free Read in skb_dequeue

Hello,
I found the following issue using syzkaller with enriched corpus [1] on:
HEAD commit: 0bcc4025550403ae28d2984bddacafbca0a2f112
git tree: linux
C Reproducer: I do not have a C reproducer yet. I will update this
thread when I get one.
Kernel .config:
https://gist.github.com/oswalpalash/d9580b0bfce202b37445fa5fd426e41f

Link:
1. https://github.com/cmu-pasta/linux-kernel-enriched-corpus

Console log :
==================================================================
BUG: KASAN: slab-use-after-free in skb_dequeue+0x163/0x180
Read of size 8 at addr ffff88803460d080 by task ksoftirqd/0/16

CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted
6.3.0-rc6-pasta-00035-g0bcc40255504 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xd9/0x150
 print_address_description.constprop.0+0x2c/0x3c0
 kasan_report+0x11c/0x130
 skb_dequeue+0x163/0x180
 ieee80211_tasklet_handler+0x38/0x140
 tasklet_action_common.constprop.0+0x201/0x2e0
 __do_softirq+0x1d4/0x905
 run_ksoftirqd+0x31/0x60
 smpboot_thread_fn+0x659/0x9e0
 kthread+0x2e8/0x3a0
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 16:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 __kasan_slab_alloc+0x7f/0x90
 kmem_cache_alloc_node+0x296/0x510
 __alloc_skb+0x288/0x330
 skb_copy+0x13d/0x3e0
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb02/0x1290
 mac80211_hwsim_tx_frame+0x1ee/0x2a0
 mac80211_hwsim_beacon_tx+0x561/0xb10
 __iterate_interfaces+0x2c8/0x570
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x101/0x200
 __hrtimer_run_queues+0x5fa/0xbe0
 hrtimer_run_softirq+0x17f/0x360
 __do_softirq+0x1d4/0x905

Freed by task 16:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x40
 ____kasan_slab_free+0x13b/0x1a0
 kmem_cache_free+0x105/0x370
 kfree_skbmem+0xef/0x1b0
 consume_skb+0xdd/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x561/0xb10
 __iterate_interfaces+0x2c8/0x570
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x101/0x200
 __hrtimer_run_queues+0x5fa/0xbe0
 hrtimer_run_softirq+0x17f/0x360
 __do_softirq+0x1d4/0x905
Last potentially related work creation:
------------[ cut here ]------------
pool index 44248 out of bounds (719) for stack id 21b8acd8
WARNING: CPU: 0 PID: 16 at lib/stackdepot.c:472
stack_depot_print+0x6b/0x90
Modules linked in:
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted
6.3.0-rc6-pasta-00035-g0bcc40255504 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:stack_depot_print+0x6b/0x90
Code: f0 3f 00 00 48 01 c1 8b 71 0c 48 8d 79 18 85 f6 74 1a 48 83 c4
08 31 d2 5b e9 b1 9d 32 fd 48 c7 c7 f0 b8 f4 8b e8 25 03 0d fd <0f> 0b
48 83 c4 08 5b c3 c3 48 89 de 48 c7 c7 80 a4 12 8d 89 4c 24
RSP: 0018:ffffc9000055fca0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88803460d170 RCX: 0000000000000100
RDX: ffff8880151d63c0 RSI: ffffffff814a8297 RDI: 0000000000000001
RBP: ffff88803460d080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 646e69206c6f6f70 R12: ffffea0000d18340
R13: ffff88803460d080 R14: 0000000000000008 R15: ffff8880151d63c0
FS:  0000000000000000(0000) GS:ffff888063a00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b2e7e9f39f CR3: 000000010fb6e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kasan_print_aux_stacks+0x57/0x70
 print_address_description.constprop.0+0x71/0x3c0
 kasan_report+0x11c/0x130
 skb_dequeue+0x163/0x180
 ieee80211_tasklet_handler+0x38/0x140
 tasklet_action_common.constprop.0+0x201/0x2e0
 __do_softirq+0x1d4/0x905
 run_ksoftirqd+0x31/0x60
 smpboot_thread_fn+0x659/0x9e0
 kthread+0x2e8/0x3a0
 ret_from_fork+0x1f/0x30
 </TASK>
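An added triage helper for the KASAN report format above; it is not part of this message, of syzkaller, or of the kernel. It parses the `BUG:` header, the access line and the three stacks (call trace, "Allocated by", "Freed by"), then reduces them to the use, allocation and free sites a reviewer reads first, together with the frame that called each. The embedded excerpt is abridged from the report in this message (frames dropped, wrapped lines rejoined); the `NOISE_PREFIXES` list, the summary keys and the handling of the stackdepot `WARNING:` are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Abridged from the report in this message (frames dropped, wrapped lines rejoined).
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in skb_dequeue+0x163/0x180
Read of size 8 at addr ffff88803460d080 by task ksoftirqd/0/16

Call Trace:
 <TASK>
 dump_stack_lvl+0xd9/0x150
 kasan_report+0x11c/0x130
 skb_dequeue+0x163/0x180
 ieee80211_tasklet_handler+0x38/0x140
 __do_softirq+0x1d4/0x905
 </TASK>

Allocated by task 16:
 kasan_save_stack+0x22/0x40
 __kasan_slab_alloc+0x7f/0x90
 kmem_cache_alloc_node+0x296/0x510
 __alloc_skb+0x288/0x330
 skb_copy+0x13d/0x3e0
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb02/0x1290
 mac80211_hwsim_tx_frame+0x1ee/0x2a0

Freed by task 16:
 kasan_save_stack+0x22/0x40
 ____kasan_slab_free+0x13b/0x1a0
 kmem_cache_free+0x105/0x370
 kfree_skbmem+0xef/0x1b0
 consume_skb+0xdd/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
Last potentially related work creation:
pool index 44248 out of bounds (719) for stack id 21b8acd8
WARNING: CPU: 0 PID: 16 at lib/stackdepot.c:472 stack_depot_print+0x6b/0x90
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
SECTION_RE = re.compile(r"^(Allocated|Freed) by task (\d+):$")
FRAME_RE = re.compile(r"^\s+(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames that belong to KASAN, the slab allocator or skb bookkeeping (my own list, not a kernel convention).
NOISE_PREFIXES = ("kasan_", "__kasan_", "____kasan_", "kmem_cache_", "dump_stack",
                  "print_address_description", "__alloc_skb", "kfree_skbmem")

@dataclass
class KasanReport:
    kind: str
    func: str
    op: str
    size: int
    addr: int
    task: str
    tasks: Dict[str, Optional[int]]   # PID that allocated / freed the object
    stacks: Dict[str, List[str]]      # "trace", "alloc", "free" -> symbols, innermost first
    warnings: List[str]

def parse_kasan_report(text: str) -> KasanReport:
    """Parse one KASAN report: BUG header, access line and the three stacks."""
    header = access = None
    stacks: Dict[str, List[str]] = {"trace": [], "alloc": [], "free": []}
    tasks: Dict[str, Optional[int]] = {"alloc": None, "free": None}
    warnings: List[str] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "</TASK>":
            section = None                      # blank line or </TASK> closes a stack
        elif m := HEADER_RE.match(line):
            header = m
        elif m := ACCESS_RE.match(line):
            access = m
        elif line == "Call Trace:":
            # only the first call trace is the faulting access; later ones belong to nested WARNINGs
            section = "trace" if not stacks["trace"] else None
        elif m := SECTION_RE.match(line):
            section = "alloc" if m.group(1) == "Allocated" else "free"
            tasks[section] = int(m.group(2))
        elif line.startswith("WARNING:"):
            warnings.append(line)
        elif (m := FRAME_RE.match(line)) and section:
            stacks[section].append(m.group("sym"))
        elif not line.startswith(" "):
            section = None                      # any other unindented line ends the stack
    if header is None or access is None:
        raise ValueError("not a KASAN report: BUG header or access line missing")
    return KasanReport(header["kind"], header["func"], access["op"], int(access["size"]),
                       int(access["addr"], 16), access["task"], tasks, stacks, warnings)

def triage(r: KasanReport) -> Dict[str, object]:
    """Reduce a report to the sites a reviewer checks first: use, allocation and free, each with its caller."""
    out: Dict[str, object] = {"bug": f"{r.kind}: {r.op.lower()} of {r.size} bytes in {r.func} by {r.task}"}
    for key in ("trace", "alloc", "free"):
        stack = r.stacks[key]
        # innermost frame that is not KASAN/allocator plumbing, and the frame that called it
        idx = next((i for i, s in enumerate(stack) if not s.startswith(NOISE_PREFIXES)), None)
        site = stack[idx] if idx is not None else None
        caller = stack[idx + 1] if idx is not None and idx + 1 < len(stack) else None
        out[key] = (site, caller)
    out["same_task_alloc_free"] = r.tasks["alloc"] == r.tasks["free"]
    # a stackdepot WARNING means the 'Last potentially related work creation' stack could not be printed
    out["aux_stack_unavailable"] = any("stackdepot" in w for w in r.warnings)
    return out

if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

Run on the excerpt, `triage()` reports the object allocated by `skb_copy` (called from `mac80211_hwsim_tx_frame_no_nl.isra.0`), freed by `consume_skb` (called from `mac80211_hwsim_tx_frame`) and read afterwards by `skb_dequeue` from `ieee80211_tasklet_handler`, with allocation and free on the same task and the auxiliary stack unavailable because of the stackdepot warning; that is the information to carry into the driver review, and the parser stays silent on the root cause, which this report does not establish.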
