KASAN: use-after-free Read in tun_chr_write_iter
25 views
Skip to first unread message
syzbot
Jan 22, 2020, 1:02:11 AM1/22/20
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4e16a227 ANDROID: x86: gki_defconfig: enable LTO and CFI
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=14894d85e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2213046ccc02bdc
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e6be80aec7f92d0890
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c2e6be...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:959 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
Read of size 4 at addr ffff8881a417ac78 by task syz-executor.2/9867
CPU: 0 PID: 9867 Comm: syz-executor.2 Tainted: G W 5.4.13-syzkaller-00773-g4e16a227acbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b0/0x228 lib/dump_stack.c:118
print_address_description+0x96/0x5d0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:634
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
__mutex_lock_common kernel/locking/mutex.c:959 [inline]
__mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1364
mutex_lock+0x106/0x110 kernel/locking/mutex.c:284
tun_get_user+0xbca/0x3cd0 drivers/net/tun.c:1835
tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2022
do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1909
do_iter_write+0x180/0x590 fs/read_write.c:973
vfs_writev fs/read_write.c:1018 [inline]
do_writev+0x2cd/0x560 fs/read_write.c:1061
__do_sys_writev fs/read_write.c:1134 [inline]
__se_sys_writev fs/read_write.c:1131 [inline]
__x64_sys_writev+0x7d/0x90 fs/read_write.c:1131
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b201
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fb08fecdba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00000000200001fe RCX: 000000000045b201
RDX: 0000000000000002 RSI: 00007fb08fecdc00 RDI: 00000000000000f0
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fb08fece9d0 R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000b4c R14: 00000000004cc318 R15: 000000000075bf2c
Allocated by task 17486:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:518
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2758 [inline]
slab_alloc mm/slub.c:2766 [inline]
kmem_cache_alloc+0x120/0x2b0 mm/slub.c:2771
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct kernel/fork.c:872 [inline]
copy_process+0x59b/0x52d0 kernel/fork.c:1858
_do_fork+0x185/0x950 kernel/fork.c:2369
__do_sys_clone kernel/fork.c:2526 [inline]
__se_sys_clone kernel/fork.c:2507 [inline]
__x64_sys_clone+0x247/0x2b0 kernel/fork.c:2507
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 16:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
slab_free_hook mm/slub.c:1424 [inline]
slab_free_freelist_hook mm/slub.c:1457 [inline]
slab_free mm/slub.c:3004 [inline]
kmem_cache_free+0x181/0x7a0 mm/slub.c:3020
free_task_struct kernel/fork.c:176 [inline]
free_task+0xc0/0x110 kernel/fork.c:478
__put_task_struct+0x1fd/0x380 kernel/fork.c:753
put_task_struct include/linux/sched/task.h:119 [inline]
delayed_put_task_struct+0x1c2/0x200 kernel/exit.c:182
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2157 [inline]
rcu_core+0xba0/0x1330 kernel/rcu/tree.c:2377
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
__do_softirq+0x235/0x57e kernel/softirq.c:292
The buggy address belongs to the object at ffff8881a417ac40
which belongs to the cache task_struct(43:syz2) of size 3648
The buggy address is located 56 bytes inside of
3648-byte region [ffff8881a417ac40, ffff8881a417ba80)
The buggy address belongs to the page:
page:ffffea0006905e00 refcount:1 mapcount:0 mapping:ffff8881d6c40800 index:0xffff8881a417d880 compound_mapcount: 0
raw: 8000000000010200 ffffea00066b3208 ffffea000665d608 ffff8881d6c40800
raw: ffff8881a417d880 0000000000080005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881a417ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881a417ab80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881a417ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8881a417ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881a417ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 4e16a227 ANDROID: x86: gki_defconfig: enable LTO and CFI
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=14894d85e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2213046ccc02bdc
dashboard link: https://syzkaller.appspot.com/bug?extid=c2e6be80aec7f92d0890
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c2e6be...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:959 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
Read of size 4 at addr ffff8881a417ac78 by task syz-executor.2/9867
CPU: 0 PID: 9867 Comm: syz-executor.2 Tainted: G W 5.4.13-syzkaller-00773-g4e16a227acbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b0/0x228 lib/dump_stack.c:118
print_address_description+0x96/0x5d0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:634
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
__mutex_lock_common kernel/locking/mutex.c:959 [inline]
__mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
__mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1364
mutex_lock+0x106/0x110 kernel/locking/mutex.c:284
tun_get_user+0xbca/0x3cd0 drivers/net/tun.c:1835
tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2022
do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1909
do_iter_write+0x180/0x590 fs/read_write.c:973
vfs_writev fs/read_write.c:1018 [inline]
do_writev+0x2cd/0x560 fs/read_write.c:1061
__do_sys_writev fs/read_write.c:1134 [inline]
__se_sys_writev fs/read_write.c:1131 [inline]
__x64_sys_writev+0x7d/0x90 fs/read_write.c:1131
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b201
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fb08fecdba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00000000200001fe RCX: 000000000045b201
RDX: 0000000000000002 RSI: 00007fb08fecdc00 RDI: 00000000000000f0
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fb08fece9d0 R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000b4c R14: 00000000004cc318 R15: 000000000075bf2c
Allocated by task 17486:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:518
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2758 [inline]
slab_alloc mm/slub.c:2766 [inline]
kmem_cache_alloc+0x120/0x2b0 mm/slub.c:2771
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct kernel/fork.c:872 [inline]
copy_process+0x59b/0x52d0 kernel/fork.c:1858
_do_fork+0x185/0x950 kernel/fork.c:2369
__do_sys_clone kernel/fork.c:2526 [inline]
__se_sys_clone kernel/fork.c:2507 [inline]
__x64_sys_clone+0x247/0x2b0 kernel/fork.c:2507
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 16:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
slab_free_hook mm/slub.c:1424 [inline]
slab_free_freelist_hook mm/slub.c:1457 [inline]
slab_free mm/slub.c:3004 [inline]
kmem_cache_free+0x181/0x7a0 mm/slub.c:3020
free_task_struct kernel/fork.c:176 [inline]
free_task+0xc0/0x110 kernel/fork.c:478
__put_task_struct+0x1fd/0x380 kernel/fork.c:753
put_task_struct include/linux/sched/task.h:119 [inline]
delayed_put_task_struct+0x1c2/0x200 kernel/exit.c:182
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2157 [inline]
rcu_core+0xba0/0x1330 kernel/rcu/tree.c:2377
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
__do_softirq+0x235/0x57e kernel/softirq.c:292
The buggy address belongs to the object at ffff8881a417ac40
which belongs to the cache task_struct(43:syz2) of size 3648
The buggy address is located 56 bytes inside of
3648-byte region [ffff8881a417ac40, ffff8881a417ba80)
The buggy address belongs to the page:
page:ffffea0006905e00 refcount:1 mapcount:0 mapping:ffff8881d6c40800 index:0xffff8881a417d880 compound_mapcount: 0
raw: 8000000000010200 ffffea00066b3208 ffffea000665d608 ffff8881d6c40800
raw: ffff8881a417d880 0000000000080005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881a417ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881a417ab80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881a417ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8881a417ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881a417ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 21, 2020, 2:02:10 AM5/21/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages