Re: [Bug 201949] New: KASAN: use-after-free Read in __handle_mm_fault


Andrew Morton

Dec 10, 2018, 6:45:55 PM
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, bugzill...@bugzilla.kernel.org, kasa...@googlegroups.com, jagu...@outlook.com
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Mon, 10 Dec 2018 10:56:31 +0000 bugzill...@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=201949
>
> Bug ID: 201949
> Summary: KASAN: use-after-free Read in __handle_mm_fault
> Product: Memory Management
> Version: 2.5
> Kernel Version: 4.19-rc2,4.20-rc5,4.20-rc6
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: ak...@linux-foundation.org
> Reporter: jagu...@outlook.com
> Regression: No
>
> Created attachment 279915
> --> https://bugzilla.kernel.org/attachment.cgi?id=279915&action=edit
> poc.c
>
> Syzkaller hit 'KASAN: use-after-free Read in __handle_mm_fault' bug.
>
> ==================================================================
> BUG: KASAN: use-after-free in handle_pte_fault mm/memory.c:3744 [inline]
> BUG: KASAN: use-after-free in __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> Read of size 8 at addr ffff888000048008 by task syz-executor666/2067
>
> CPU: 0 PID: 2067 Comm: syz-executor666 Not tainted 4.20.0-rc5+ #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x75/0xae lib/dump_stack.c:113
> print_address_description+0x65/0x270 mm/kasan/report.c:256
> kasan_report_error mm/kasan/report.c:354 [inline]
> kasan_report+0x25b/0x380 mm/kasan/report.c:412
> handle_pte_fault mm/memory.c:3744 [inline]
> __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> handle_mm_fault+0xfc/0x350 mm/memory.c:3926
> do_user_addr_fault arch/x86/mm/fault.c:1423 [inline]
> __do_page_fault+0x4f4/0xaa0 arch/x86/mm/fault.c:1489
> async_page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142
> RIP: 0033:0x4014fd
> Code: Bad RIP value.
> RSP: 002b:00007ffdaac075f0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007ffdaac07790 RCX: 00007f6df4bee2f0
> RDX: 0000000000000001 RSI: 00007f6df4bea270 RDI: 00007f6df4e08ae0
> RBP: 0000000000000000 R08: 00007f6df4e08800 R09: 00007f6df4bea270
> R10: 00007f6df4e08800 R11: 0000000000000202 R12: 0000000000000000
> R13: 00007ffdaac07920 R14: 0000000000000000 R15: 0000000000000000
>
> The buggy address belongs to the page:
> page:ffffea0000001200 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x0()
> raw: 0000000000000000 ffffea0000001208 ffffea0000001208 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888000047f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888000047f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffff888000048000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ^
> ffff888000048080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888000048100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
>
>
> Syzkaller reproducer:
> # {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:8 Sandbox:
> Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true
> EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:true
> Repro:false Trace:false}
> r0 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0)
> ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000080)={0x1, 0x0, 0x8, "ae"})
>

Dmitry Vyukov

Dec 11, 2018, 5:16:33 AM
to Andrew Morton, Jens Axboe, linux...@vger.kernel.org, LKML, Andrey Ryabinin, Alexander Potapenko, bugzill...@bugzilla.kernel.org, kasan-dev, jagu...@outlook.com
On Tue, Dec 11, 2018 at 12:45 AM Andrew Morton <ak...@linux-foundation.org> wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).

Looking at the reproducer, this looks like a bug in sg ioctl.
+block/scsi_ioctl.c maintainers