lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 12 Sep 2023 23:02:29 +0000
From: Sanan Hasanov <Sanan.Hasanov@....edu>
To: "marcel@...tmann.org" <marcel@...tmann.org>, "johan.hedberg@...il.com"
	<johan.hedberg@...il.com>, "luiz.dentz@...il.com" <luiz.dentz@...il.com>,
	"davem@...emloft.net" <davem@...emloft.net>, "edumazet@...gle.com"
	<edumazet@...gle.com>, "kuba@...nel.org" <kuba@...nel.org>,
	"pabeni@...hat.com" <pabeni@...hat.com>, "linux-bluetooth@...r.kernel.org"
	<linux-bluetooth@...r.kernel.org>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
	"contact@...zz.com" <contact@...zz.com>
Subject: KASAN: slab-use-after-free Read in hci_conn_hash_flush

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/19nzVDVMtaTo8fv7RMtXDGYQzeRnNpp-r/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1vzoYO_aW6XQqR6NAaJqvacOcJy9J6R-0/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

==================================================================
BUG: KASAN: slab-use-after-free in hci_conn_hash_flush+0x1fa/0x230
Read of size 8 at addr ffff8880780da000 by task syz-executor.7/5990

CPU: 3 PID: 5990 Comm: syz-executor.7 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x178/0x260
 print_report+0xc1/0x5e0
 kasan_report+0xc0/0xf0
 hci_conn_hash_flush+0x1fa/0x230
 hci_dev_close_sync+0x5c2/0x1060
 hci_unregister_dev+0x1ce/0x4a0
 vhci_release+0x80/0xf0
 __fput+0x27c/0xa90
 task_work_run+0x168/0x260
 do_exit+0xbd9/0x2b20
 do_group_exit+0xd4/0x2a0
 __x64_sys_exit_group+0x3e/0x50
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff463e8edcd
Code: Unable to access opcode bytes at 0x7ff463e8eda3.
RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480
R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0
 </TASK>

Allocated by task 24391:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x7c/0x90
 hci_conn_add+0xa5/0x1570
 hci_connect_sco+0x3e4/0xf50
 sco_sock_connect+0x2c0/0x9c0
 __sys_connect_file+0x153/0x1a0
 __sys_connect+0x165/0x1a0
 __x64_sys_connect+0x72/0xb0
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5990:
 kasan_save_stack+0x22/0x40
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x40
 ____kasan_slab_free+0x120/0x180
 __kmem_cache_free+0xcf/0x280
 device_release+0xa3/0x240
 kobject_put+0x175/0x270
 put_device+0x1f/0x30
 hci_conn_del+0x2df/0x860
 hci_conn_unlink+0x25b/0x3e0
 hci_conn_unlink+0x2ef/0x3e0
 hci_conn_hash_flush+0x18d/0x230
 hci_dev_close_sync+0x5c2/0x1060
 hci_unregister_dev+0x1ce/0x4a0
 vhci_release+0x80/0xf0
 __fput+0x27c/0xa90
 task_work_run+0x168/0x260
 do_exit+0xbd9/0x2b20
 do_group_exit+0xd4/0x2a0
 __x64_sys_exit_group+0x3e/0x50
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x22/0x40
 __kasan_record_aux_stack+0x60/0x70
 insert_work+0x48/0x360
 __queue_work+0x5bc/0xfe0
 __queue_delayed_work+0x1c8/0x270
 queue_delayed_work_on+0x162/0x1c0
 sco_chan_del+0x1db/0x430
 __sco_sock_close+0x11f/0x640
 sco_sock_release+0x9f/0x2d0
 __sock_release+0xcd/0x290
 sock_close+0x1c/0x20
 __fput+0x27c/0xa90
 task_work_run+0x168/0x260
 get_signal+0x1cb/0x2460
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x128/0x1e0
 syscall_exit_to_user_mode+0x1a/0x40
 do_syscall_64+0x46/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880780da000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes inside of
 freed 4096-byte region [ffff8880780da000, ffff8880780db000)

The buggy address belongs to the physical page:
page:00000000fca63b13 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x780da
head:00000000fca63b13 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfffe0000010200(slab|head|node=0|zone=1|lastcpupid=0x3fff)
page_type: 0x1()
raw: 00fffe0000010200 ffff888100040900 ffffea000438c110 ffffea0001323210
raw: 0000000000000000 ffff8880780da000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880780d9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880780d9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880780da000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880780da080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880780da100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
general protection fault, probably for non-canonical address 0xe0b5dc4c800002ec: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x05af026400001760-0x05af026400001767]
CPU: 3 PID: 5990 Comm: syz-executor.7 Tainted: G    B              6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__list_del_entry_valid+0x91/0x1b0
Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08
RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213
RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766
RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec
RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008
R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000
FS:  0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 hci_conn_cleanup+0x15d/0x7e0
 hci_conn_del+0x2df/0x860
 hci_conn_hash_flush+0x195/0x230
 hci_dev_close_sync+0x5c2/0x1060
 hci_unregister_dev+0x1ce/0x4a0
 vhci_release+0x80/0xf0
 __fput+0x27c/0xa90
 task_work_run+0x168/0x260
 do_exit+0xbd9/0x2b20
 do_group_exit+0xd4/0x2a0
 __x64_sys_exit_group+0x3e/0x50
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff463e8edcd
Code: Unable to access opcode bytes at 0x7ff463e8eda3.
RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480
R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid+0x91/0x1b0
Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08
RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213
RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766
RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec
RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008
R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000
FS:  0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   48 39 c2                cmp    %rax,%rdx
   3:   0f 84 80 00 00 00       je     0x89
   9:   48 b8 22 01 00 00 00    movabs $0xdead000000000122,%rax
  10:   00 ad de
  13:   48 39 c1                cmp    %rax,%rcx
  16:   74 7f                   je     0x97
  18:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1f:   fc ff df
  22:   48 89 cf                mov    %rcx,%rdi
  25:   48 c1 ef 03             shr    $0x3,%rdi
* 29:   80 3c 07 00             cmpb   $0x0,(%rdi,%rax,1) <-- trapping instruction
  2d:   0f 85 e7 00 00 00       jne    0x11a
  33:   4c 8b 01                mov    (%rcx),%r8
  36:   49 39 f0                cmp    %rsi,%r8
  39:   75 6d                   jne    0xa8
  3b:   48 8d 7a 08             lea    0x8(%rdx),%rdi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ