KASAN: use-after-free Read in sprintf


syzbot

Nov 6, 2019, 7:41:09 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=112cecb4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=2ea55ae22d71ff335e38
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2ea55a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ip4_string+0x40e/0x460 lib/vsprintf.c:1004
Read of size 1 at addr ffff8801c99f7439 by task syz-executor.1/10495

CPU: 0 PID: 10495 Comm: syz-executor.1 Not tainted 4.9.141+ #1
ffff8801cc9e6d98 ffffffff81b42e79 ffffea0007267dc0 ffff8801c99f7439
0000000000000000 ffff8801c99f7439 ffff8801cc9e6f38 ffff8801cc9e6dd0
ffffffff815009b8 ffff8801c99f7439 0000000000000001 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3014>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
[<ffffffff81b6276e>] ip4_string+0x40e/0x460 lib/vsprintf.c:1004
[<ffffffff81b6496e>] ip4_addr_string+0x8e/0xd0 lib/vsprintf.c:1142
[<ffffffff81b6c653>] pointer+0x593/0xb70 lib/vsprintf.c:1625
[<ffffffff81b6d1f0>] vsnprintf+0x5c0/0x1840 lib/vsprintf.c:2045
[<ffffffff81b6e7b0>] sprintf+0xb0/0xe0 lib/vsprintf.c:2243
[<ffffffff825782ce>] arp_format_pneigh_entry net/ipv4/arp.c:1354 [inline]
[<ffffffff825782ce>] arp_seq_show+0x52e/0x6d0 net/ipv4/arp.c:1369
[<ffffffff81580be6>] seq_read+0x4b6/0x12d0 fs/seq_file.c:240
[<ffffffff8165c00d>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:203
[<ffffffff81509df5>] do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
[<ffffffff8150b49e>] do_loop_readv_writev fs/read_write.c:707 [inline]
[<ffffffff8150b49e>] do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
[<ffffffff8150b764>] vfs_readv+0x84/0xc0 fs/read_write.c:897
[<ffffffff815ac2a1>] kernel_readv fs/splice.c:363 [inline]
[<ffffffff815ac2a1>] default_file_splice_read+0x451/0x7f0 fs/splice.c:435
[<ffffffff815ab39c>] do_splice_to+0x10c/0x170 fs/splice.c:899
[<ffffffff815ab63f>] splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
[<ffffffff815abd83>] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
[<ffffffff8150d780>] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
[<ffffffff8150f864>] SYSC_sendfile64 fs/read_write.c:1454 [inline]
[<ffffffff8150f864>] SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 10527:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
__kmalloc+0x12f/0x310 mm/slub.c:3741
kmalloc include/linux/slab.h:495 [inline]
pneigh_lookup+0x17d/0x3f0 net/core/neighbour.c:594
arp_req_set_public net/ipv4/arp.c:992 [inline]
arp_req_set+0x443/0x570 net/ipv4/arp.c:1008
arp_ioctl+0x32a/0x670 net/ipv4/arp.c:1203
inet_ioctl+0x90/0x1d0 net/ipv4/af_inet.c:895
packet_ioctl+0x176/0x280 net/packet/af_packet.c:4115
sock_do_ioctl+0x6a/0xb0 net/socket.c:905
sock_ioctl+0x32d/0x3c0 net/socket.c:991
vfs_ioctl fs/ioctl.c:43 [inline]
file_ioctl fs/ioctl.c:493 [inline]
do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 10494:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
pneigh_ifdown_and_unlock net/core/neighbour.c:674 [inline]
neigh_ifdown+0x1da/0x2a0 net/core/neighbour.c:258
arp_ifdown+0x1c/0x20 net/ipv4/arp.c:1249
inetdev_destroy net/ipv4/devinet.c:306 [inline]
inetdev_event+0x6f2/0x10b0 net/ipv4/devinet.c:1480
notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663 [inline]
rollback_registered_many+0x6e5/0xb50 net/core/dev.c:6860
rollback_registered+0xee/0x1b0 net/core/dev.c:6901
unregister_netdevice_queue+0x1aa/0x230 net/core/dev.c:7888
unregister_netdevice include/linux/netdevice.h:2465 [inline]
__tun_detach+0x821/0xa00 drivers/net/tun.c:575
tun_detach drivers/net/tun.c:585 [inline]
tun_chr_close+0x44/0x60 drivers/net/tun.c:2392
__fput+0x263/0x700 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x10c/0x180 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801c99f7420
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 25 bytes inside of
64-byte region [ffff8801c99f7420, ffff8801c99f7460)
The buggy address belongs to the page:
page:ffffea0007267dc0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c99f7300: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
ffff8801c99f7380: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801c99f7400: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                                         ^
ffff8801c99f7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c99f7500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
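
The "Memory state" rows at the end of the report are what classify this as a use-after-free rather than an out-of-bounds read: the accessed byte ffff8801c99f7439 falls in a granule poisoned 0xfb (freed slab object), and the whole kmalloc-64 region [ffff8801c99f7420, ffff8801c99f7460) is poisoned the same way, consistent with the kfree() in pneigh_ifdown_and_unlock shown in the "Freed by" trace. The following triage helper is an added example, not part of the syzbot report or of the kernel; it parses the report lines copied above and re-derives the object offset and verdict using the generic-KASAN shadow poison values from mm/kasan/kasan.h of the 4.9 era (one shadow byte per eight bytes of memory, 128 bytes per printed row).

```python
import re

# Shadow-byte poison values used by generic KASAN (mm/kasan/kasan.h, 4.9 era).
# 0x00..0x07 are not poison: they give the number of addressable bytes in the
# eight-byte granule.
SHADOW_CODES = {
    0xFA: "global redzone",
    0xFB: "freed slab object (kfree/kmem_cache_free)",
    0xFC: "slab redzone inside a slub object",
    0xFE: "kmalloc_large page redzone",
    0xFF: "freed page",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
}
GRANULE = 8               # one shadow byte covers eight bytes of memory
ROW_BYTES = 16 * GRANULE  # each "Memory state" row covers 128 bytes

# Lines copied from the syzbot report above; the parser needs nothing else.
REPORT = """\
BUG: KASAN: use-after-free in ip4_string+0x40e/0x460 lib/vsprintf.c:1004
Read of size 1 at addr ffff8801c99f7439 by task syz-executor.1/10495
The buggy address belongs to the object at ffff8801c99f7420
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 25 bytes inside of
64-byte region [ffff8801c99f7420, ffff8801c99f7460)
Memory state around the buggy address:
 ffff8801c99f7300: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8801c99f7380: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801c99f7400: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                                         ^
 ffff8801c99f7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c99f7500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def decode_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return "partially addressable (first %d bytes only)" % value
    return SHADOW_CODES.get(value, "unknown poison 0x%02x" % value)


def parse_report(text):
    """Extract the faulting access, the slab region and the shadow rows."""
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    if m is None:
        raise ValueError("no 'Read/Write of size' line in report")
    access = {"kind": m.group(1), "size": int(m.group(2)),
              "addr": int(m.group(3), 16)}
    region = None
    m = re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if m:
        region = {"size": int(m.group(1)), "start": int(m.group(2), 16),
                  "end": int(m.group(3), 16)}
    # Rows look like " <addr>: xx xx ... xx" or "><addr>: ..." (the guilty row);
    # the address printed is the memory address the row describes, not the
    # shadow address.
    rows = {}
    row_re = re.compile(r"^>?\s?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})\s*$", re.M)
    for m in row_re.finditer(text):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return {"access": access, "region": region, "rows": rows}


def shadow_byte_for(addr, rows):
    """Shadow byte covering `addr`, or None if that row was not printed."""
    row = rows.get(addr & ~(ROW_BYTES - 1))
    if row is None:
        return None
    return row[(addr & (ROW_BYTES - 1)) // GRANULE]


def triage(text):
    """Re-derive offset, poison state and verdict from the report text."""
    r = parse_report(text)
    acc, region, rows = r["access"], r["region"], r["rows"]
    states = [shadow_byte_for(acc["addr"] + off, rows) for off in range(acc["size"])]
    first = states[0]
    if first is None:
        verdict = "unknown (shadow row not printed)"
    elif first == 0xFB:
        verdict = "use-after-free"
    elif first in (0xFA, 0xFC, 0xFE):
        verdict = "out-of-bounds"
    elif first in (0xF1, 0xF2, 0xF3, 0xF4):
        verdict = "stack-out-of-bounds"
    else:
        verdict = "wild or partially-addressable access"
    result = {"kind": acc["kind"], "addr": acc["addr"], "shadow_bytes": states,
              "state": None if first is None else decode_shadow(first),
              "verdict": verdict}
    if region:
        result["offset_in_object"] = acc["addr"] - region["start"]
        result["inside_region"] = region["start"] <= acc["addr"] < region["end"]
        # True when every granule of the object is poisoned as freed, i.e. the
        # whole object was released, not just a trailing redzone.
        result["object_fully_freed"] = all(
            shadow_byte_for(a, rows) == 0xFB
            for a in range(region["start"], region["end"], GRANULE))
    return result


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print("%-20s %s" % (k, hex(v) if k == "addr" else v))
```

For this report the helper agrees with KASAN's own summary: offset 25 inside the 64-byte region, shadow 0xfb for the accessed granule, all eight granules of the object freed, verdict use-after-free. Feeding it a report whose access lands in an 0xfc granule yields "out-of-bounds" instead, which is the first thing to settle before deciding whether a lifetime bug (as here, a pneigh_entry torn down by neigh_ifdown while /proc/net/arp is being read) or a bounds bug is being chased.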

syzbot

Mar 5, 2020, 6:41:06 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.