KASAN: use-after-free Read in has_ns_capability_noaudit


syzbot

Apr 14, 2019, 4:52:11 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 7d2d5fc1 Merge 4.14.91 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=1176eb8f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=c184a4faf24e0c0c
dashboard link: https://syzkaller.appspot.com/bug?extid=1fe1ad3ca3f8d8481dad
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1fe1ad...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in has_ns_capability_noaudit+0x1b1/0x1c0 kernel/capability.c:343
Read of size 8 at addr ffff8881c7eb1de8 by task syz-executor3/26432

CPU: 0 PID: 26432 Comm: syz-executor3 Not tainted 4.14.91+ #1
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

Allocated by task 26401:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
kmem_cache_alloc_node include/linux/slab.h:361 [inline]
alloc_task_struct_node kernel/fork.c:157 [inline]
dup_task_struct kernel/fork.c:523 [inline]
copy_process.part.0+0x1461/0x6540 kernel/fork.c:1598
copy_process kernel/fork.c:1573 [inline]
_do_fork+0x193/0xcc0 kernel/fork.c:2054
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289

Freed by task 17:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kmem_cache_free+0xc4/0x330 mm/slub.c:2988
__put_task_struct+0x26d/0x460 kernel/fork.c:428
put_task_struct include/linux/sched/task.h:96 [inline]
delayed_put_task_struct+0x92/0x2f0 kernel/exit.c:180
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2691 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2954 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2921 [inline]
rcu_process_callbacks+0x56f/0xf40 kernel/rcu/tree.c:2938
__do_softirq+0x234/0x9ca kernel/softirq.c:288

The buggy address belongs to the object at ffff8881c7eb1780
which belongs to the cache task_struct of size 5760
The buggy address is located 1640 bytes inside of
5760-byte region [ffff8881c7eb1780, ffff8881c7eb2e00)
The buggy address belongs to the page:
page:ffffea00071fac00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 0000000100050005
raw: 0000000000000000 0000000200000001 ffff8881da823e00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c7eb1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c7eb1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881c7eb1d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
ffff8881c7eb1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c7eb1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
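
An added example, not part of the syzbot report or of the kernel, that models the two things the report shows: the `fb` shadow bytes (KASAN's poison for a freed slab object) that make the stale read detectable, and the object-lifetime bug behind it. In this kernel `has_ns_capability_noaudit()` reads `__task_cred(t)`, i.e. `rcu_dereference(t->real_cred)`, which is the 8-byte `READ_ONCE` the report points at; the task_struct had already been freed by `delayed_put_task_struct()` from an RCU callback, so the pointer `t` must have been obtained without a reference and outside any RCU read-side critical section covering the task (the trace is cut off above `kasan_report`, so the caller is not visible and is not named here). The user-space C below is a toy: `toy_task`, `task_get`/`task_put`, `run_deferred`, `checked_read` and the shadow arena are illustrative stand-ins for `task_struct`, `get_task_struct`/`put_task_struct`, the RCU callback batch and KASAN shadow memory, not kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy arena with KASAN-style shadow memory, one shadow byte per 8-byte granule:
 * 0x00 = addressable, 0xfb = KASAN_KMALLOC_FREE (the "fb" rows in the report). */
#define ARENA_SIZE   512
#define GRANULE      8
#define SHADOW_OK    0x00
#define SHADOW_FREED 0xfb

enum access { ACCESS_OK = 0, ACCESS_UAF = 1 };

static _Alignas(GRANULE) uint8_t arena[ARENA_SIZE];
static uint8_t shadow[ARENA_SIZE / GRANULE];
static size_t arena_top;

/* Illustrative stand-in for task_struct: a refcount plus the one field the
 * capability check reads (real_cred, an 8-byte pointer on x86-64). */
struct toy_task { int refcount; const char *real_cred; };

/* Bump allocator: hand out granule-rounded objects marked addressable. */
static void *toy_kmalloc(size_t size) {
    size_t granules = (size + GRANULE - 1) / GRANULE;
    if (arena_top + granules * GRANULE > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    memset(shadow + arena_top / GRANULE, SHADOW_OK, granules);
    arena_top += granules * GRANULE;
    return p;
}

/* Free only poisons the shadow; the bytes stay mapped, so the stale read
 * below is caught by the check rather than crashing or reading garbage. */
static void toy_kfree(void *p, size_t size) {
    size_t off = (size_t)((uint8_t *)p - arena);
    memset(shadow + off / GRANULE, SHADOW_FREED, (size + GRANULE - 1) / GRANULE);
}

/* Instrumented load: consult the shadow byte of every granule the access
 * touches before copying, as KASAN does for the READ_ONCE in the report. */
static enum access checked_read(const void *p, size_t size, void *out) {
    size_t off = (size_t)((const uint8_t *)p - arena);
    for (size_t g = off / GRANULE; g <= (off + size - 1) / GRANULE; g++)
        if (shadow[g] == SHADOW_FREED) return ACCESS_UAF;
    memcpy(out, p, size);
    return ACCESS_OK;
}

/* Deferred-free queue standing in for call_rcu() -> delayed_put_task_struct():
 * the last put only queues the object; a later callback batch frees it. */
static struct toy_task *pending[16];
static int npending;
static struct toy_task *task_get(struct toy_task *t) { t->refcount++; return t; }
static void task_put(struct toy_task *t) {
    if (--t->refcount == 0 && npending < 16) pending[npending++] = t;
}
static void run_deferred(void) {            /* grace period over: really free */
    for (int i = 0; i < npending; i++) toy_kfree(pending[i], sizeof *pending[i]);
    npending = 0;
}

static struct toy_task *task_alloc(void) {  /* dup_task_struct() analogue */
    struct toy_task *t = toy_kmalloc(sizeof *t);
    t->refcount = 1; t->real_cred = "cred";
    return t;
}

/* has_ns_capability_noaudit() analogue: dereference t->real_cred. The real
 * function's rcu_read_lock() covers the cred, not the task; t must be pinned. */
static enum access read_real_cred(const struct toy_task *t, const char **cred) {
    return checked_read(&t->real_cred, sizeof *cred, cred);
}

/* The sequence in the report: fork allocates, the owner's final put queues the
 * free, the callback batch runs, then a pointer nobody pinned is dereferenced. */
static enum access scenario_stale_pointer(void) {
    struct toy_task *t = task_alloc();
    struct toy_task *stale = t;     /* raw pointer, no reference taken */
    task_put(t);                    /* queued, not yet freed */
    run_deferred();                 /* shadow is now 0xfb */
    const char *cred;
    return read_real_cred(stale, &cred);
}

/* Correct pattern: take a reference (get_task_struct(), inside rcu_read_lock()
 * or whatever lock made the pointer valid) before the owner drops its own. */
static enum access scenario_pinned(void) {
    struct toy_task *t = task_alloc();
    struct toy_task *held = task_get(t);
    task_put(t);
    run_deferred();                 /* refcount still 1: nothing freed */
    const char *cred;
    enum access rc = read_real_cred(held, &cred);
    task_put(held);
    run_deferred();                 /* freed now, after the last use */
    return rc;
}
```

`scenario_stale_pointer()` returns `ACCESS_UAF` and `scenario_pinned()` returns `ACCESS_OK`. The difference between the two is exactly what a fix for a report like this has to establish: who owns a reference to the task for the duration of the capability check, since the callee's own `rcu_read_lock()` only protects the cred object it dereferences, not the task_struct it was handed.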

syzbot

Feb 21, 2020, 5:32:07 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.