KASAN: use-after-free Read in corrupted

syzbot

Aug 3, 2019, 8:36:06 AM8/3/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 2ea88150 Merge remote-tracking branch 'origin/upstream-f2f..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=11456852600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfce353b92031d07
dashboard link: https://syzkaller.appspot.com/bug?extid=631a0ad335de6bfd5116
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=101d22f8600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=123c0fe6600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+631a0a...@syzkaller.appspotmail.com

audit: type=1400 audit(1564831969.140:7): avc: denied { map } for
pid=1776 comm="syz-executor376" path="/root/syz-executor376744530"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1564831969.180:8): avc: denied { prog_load } for
pid=1776 comm="syz-executor376"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
audit: type=1400 audit(1564831969.180:9): avc: denied { prog_run } for
pid=1776 comm="syz-executor376"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
BUG: KASAN: use-after-free in _copy_to_user+0x9d/0xd0 lib/usercopy.c:27
Read of size 924 at addr ffff8881be3ffff3 by task syz-executor376/1776

CPU: 1 PID: 1776 Comm: syz-executor376 Not tainted 4.14.135+ #26
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316

The buggy address belongs to the page:
page:ffffea0006f8ffc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0006f8ffe0 ffffea0006f8ffe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881be3ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881be3fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8881be3fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881be400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881be400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches