KASAN: use-after-free Read in get_work_pool


syzbot

Oct 26, 2017, 12:35:45 PM
to jiangs...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzkaller hit the following crash on
ad9a19d003703ae06a6e8efc64cf26a939d9e84d
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:276 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:21 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:44 [inline]
BUG: KASAN: use-after-free in get_work_pool+0x1c2/0x1e0 kernel/workqueue.c:709
Read of size 8 at addr ffff8801cc58c378 by task syz-executor5/21326

CPU: 1 PID: 21326 Comm: syz-executor5 Not tainted 4.13.0+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:276 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:21 [inline]
atomic_long_read include/asm-generic/atomic-long.h:44 [inline]
get_work_pool+0x1c2/0x1e0 kernel/workqueue.c:709
__queue_work+0x235/0x1150 kernel/workqueue.c:1401
queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1486
queue_work include/linux/workqueue.h:489 [inline]
strp_check_rcv+0x25/0x30 net/strparser/strparser.c:553
kcm_attach net/kcm/kcmsock.c:1439 [inline]
kcm_attach_ioctl net/kcm/kcmsock.c:1460 [inline]
kcm_ioctl+0x826/0x1610 net/kcm/kcmsock.c:1695
sock_do_ioctl+0x65/0xb0 net/socket.c:961
sock_ioctl+0x2c2/0x440 net/socket.c:1058
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x451e59
RSP: 002b:00007f95185c3c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000718160 RCX: 0000000000451e59
RDX: 00000000209b9000 RSI: 00000000000089e0 RDI: 000000000000000a
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb657
R13: 00000000ffffffff R14: 0000000000000002 R15: 0000000000000001

Allocated by task 21326:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561
kmem_cache_zalloc include/linux/slab.h:656 [inline]
kcm_attach net/kcm/kcmsock.c:1394 [inline]
kcm_attach_ioctl net/kcm/kcmsock.c:1460 [inline]
kcm_ioctl+0x2d1/0x1610 net/kcm/kcmsock.c:1695
sock_do_ioctl+0x65/0xb0 net/socket.c:961
sock_ioctl+0x2c2/0x440 net/socket.c:1058
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 21329:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x77/0x280 mm/slab.c:3763
kcm_unattach+0xe50/0x1510 net/kcm/kcmsock.c:1563
kcm_unattach_ioctl net/kcm/kcmsock.c:1608 [inline]
kcm_ioctl+0xdf0/0x1610 net/kcm/kcmsock.c:1705
sock_do_ioctl+0x65/0xb0 net/socket.c:961
sock_ioctl+0x2c2/0x440 net/socket.c:1058
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff8801cc58c240
which belongs to the cache kcm_psock_cache of size 664
The buggy address is located 312 bytes inside of
664-byte region [ffff8801cc58c240, ffff8801cc58c4d8)
The buggy address belongs to the page:
page:ffffea0007316300 count:1 mapcount:0 mapping:ffff8801cc58c240 index:0x0
compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 ffff8801cc58c240 0000000000000000 0000000100000009
raw: ffffea000732f520 ffffea0007314ca0 ffff8801d2866e40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801cc58c200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8801cc58c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801cc58c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cc58c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cc58c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
config.txt
raw.log
repro.txt

Dmitry Vyukov

Oct 26, 2017, 12:38:49 PM
to syzbot, Lai Jiangshan, LKML, syzkall...@googlegroups.com, Tejun Heo
On Thu, Oct 26, 2017 at 6:35 PM, syzbot <bot+ea75c0ffcd353d3251...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzkaller hit the following crash on
> ad9a19d003703ae06a6e8efc64cf26a939d9e84d
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers

This also happened on net-next 49ca1943a7adb429b11b8e05d81bc821694b76c7

Tejun Heo

Oct 26, 2017, 1:58:51 PM
to syzbot, jiangs...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
Looks like kcm is trying to reuse a work item whose last workqueue has
been destroyed without re-initing it. A work item needs to be
reinit'd.

Thanks.

--
tejun

Dmitry Vyukov

Oct 27, 2017, 2:00:34 AM
to Tejun Heo, syzbot, Lai Jiangshan, LKML, syzkall...@googlegroups.com, David Miller, Cong Wang, t...@quantonium.net, Eric Dumazet, ebig...@google.com, netdev
+kcm maintainers

Cong Wang

Oct 27, 2017, 5:18:37 PM
to Dmitry Vyukov, Tejun Heo, syzbot, Lai Jiangshan, LKML, syzkall...@googlegroups.com, David Miller, t...@quantonium.net, Eric Dumazet, ebig...@google.com, netdev
Can you try the fix below? There is no C reproducer so I can't verify it.

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index af4e76ac88ff..7816f44c576a 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1433,11 +1433,12 @@ static int kcm_attach(struct socket *sock,
struct socket *csock,
KCM_STATS_INCR(mux->stats.psock_attach);
mux->psocks_cnt++;
psock_now_avail(psock);
- spin_unlock_bh(&mux->lock);

/* Schedule RX work in case there are already bytes queued */
strp_check_rcv(&psock->strp);

+ spin_unlock_bh(&mux->lock);
+
return 0;
}
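Review bot: moving strp_check_rcv(&psock->strp) ahead of spin_unlock_bh(&mux->lock) closes the window in which a concurrent kcm_unattach (the freeing path shown in the KASAN report) can free psock between psock_now_avail() and the work being queued, but the hunk should say so in the code: the existing comment "Schedule RX work in case there are already bytes queued" no longer explains why the call must sit under mux->lock, so extend it along the lines of "must stay under mux->lock so a racing unattach cannot free psock first". Also confirm that strp_check_rcv() only queues work and does nothing that can sleep, since it now runs with BH disabled inside the spinlock. Note that this reordering does not cover Tejun's point about re-initialising a work item whose workqueue was destroyed; if that is a real second issue it needs its own change rather than being assumed fixed by this one.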

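To make the ordering argument behind this patch concrete, here is an added example (not code from the thread, and not kernel code) that models the two ioctl paths as short step sequences and exhaustively enumerates their interleavings under a single lock. With the original order (unlock, then dereference the psock) a schedule exists in which the unattach side frees the object first; with the patched order (dereference under the lock, then unlock) no such schedule exists. The op names, the state fields and the reduced unattach sequence are assumptions of the model, not the kernel's real data structures.

```c
#include <stdio.h>

/* Assumed model of the attach/unattach race, not kernel code. */
enum op {
	OP_LOCK,     /* spin_lock_bh(&mux->lock) */
	OP_UNLOCK,   /* spin_unlock_bh(&mux->lock) */
	OP_PUBLISH,  /* link psock into the mux so unattach can find it */
	OP_USE,      /* strp_check_rcv(): dereferences psock to queue work */
	OP_GRAB,     /* unattach: unlink psock from the mux, if present */
	OP_FREE,     /* kmem_cache_free() of whatever was grabbed */
	OP_END
};

/* Ordering from the report: drop the lock first, then touch psock. */
static const enum op attach_before[] = {
	OP_LOCK, OP_PUBLISH, OP_UNLOCK, OP_USE, OP_END
};
/* Ordering after the patch: touch psock while still holding the lock. */
static const enum op attach_after[] = {
	OP_LOCK, OP_PUBLISH, OP_USE, OP_UNLOCK, OP_END
};
/* The competing unattach path, reduced to its essential steps. */
static const enum op unattach[] = {
	OP_LOCK, OP_GRAB, OP_FREE, OP_UNLOCK, OP_END
};

struct state {
	int lock_owner;  /* thread id holding the lock, or -1 */
	int published;   /* psock reachable through the mux */
	int grabbed;     /* unattach has unlinked psock */
	int freed;       /* psock memory has been returned to the cache */
	int pc[2];       /* program counter per thread */
};

enum { STEP_BLOCKED, STEP_OK, STEP_UAF };

/* Execute one op for thread tid; report blocked, ok, or use-after-free. */
static int step(struct state *s, int tid, enum op op)
{
	switch (op) {
	case OP_LOCK:
		if (s->lock_owner != -1)
			return STEP_BLOCKED;   /* spinning on a held lock */
		s->lock_owner = tid;
		break;
	case OP_UNLOCK:
		s->lock_owner = -1;
		break;
	case OP_PUBLISH:
		s->published = 1;
		break;
	case OP_GRAB:
		if (s->published) {
			s->published = 0;
			s->grabbed = 1;
		}
		break;
	case OP_FREE:
		if (s->grabbed)
			s->freed = 1;
		break;
	case OP_USE:
		if (s->freed)
			return STEP_UAF;       /* the read KASAN flagged */
		break;
	case OP_END:
		return STEP_BLOCKED;           /* thread finished */
	}
	s->pc[tid]++;
	return STEP_OK;
}

/* Depth-first search over every interleaving of the two threads. */
static int uaf_reachable(struct state s, const enum op *prog[2])
{
	for (int tid = 0; tid < 2; tid++) {
		struct state next = s;
		int r = step(&next, tid, prog[tid][s.pc[tid]]);
		if (r == STEP_BLOCKED)
			continue;
		if (r == STEP_UAF || uaf_reachable(next, prog))
			return 1;
	}
	return 0;
}

/* Returns 1 if some schedule reaches a use-after-free for the chosen ordering. */
int race_reachable(int patched)
{
	const enum op *prog[2] = { patched ? attach_after : attach_before, unattach };
	struct state s = { .lock_owner = -1 };
	return uaf_reachable(s, prog);
}

int main(void)
{
	printf("original order: UAF reachable = %d\n", race_reachable(0));
	printf("patched order:  UAF reachable = %d\n", race_reachable(1));
	return 0;
}
```

Build with any C99 compiler and run it; only the original ordering reports a reachable use-after-free. The model deliberately leaves out the strparser work item itself, so it says nothing about Tejun's separate point on re-initialising a work item whose workqueue was destroyed.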
Dmitry Vyukov

Dec 6, 2017, 7:50:26 AM
to Cong Wang, Tejun Heo, syzbot, Lai Jiangshan, LKML, syzkall...@googlegroups.com, David Miller, t...@quantonium.net, Eric Dumazet, Eric Biggers, netdev
Hi Cong,

syzbot can now test proposed patches, see
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot
for details. Please give it a try.

Dmitry Vyukov

Feb 14, 2018, 8:45:26 AM
to Cong Wang, Tejun Heo, syzbot, Lai Jiangshan, LKML, syzkall...@googlegroups.com, David Miller, Tom Herbert, Eric Dumazet, Eric Biggers, netdev
Hi Cong,

Was this ever merged? Is it still necessary?

Eric Biggers

Mar 11, 2018, 5:34:07 PM
to Tom Herbert, Cong Wang, Tejun Heo, syzbot, Lai Jiangshan, LKML, Dmitry Vyukov, syzkall...@googlegroups.com, David Miller, Eric Dumazet, Eric Biggers, netdev
syzbot is no longer hitting this bug for some reason but it's still there. Tom,
it looks like you wrote the buggy code (it's yet another KCM bug, apparently);
can you please look into it?

I've put together a C reproducer that works on latest linux-next (next-20180309,
commit 61530b14b059d). It works as an unprivileged user provided that KCM is
enabled, and that KASAN is enabled so you see the use-after-free report:

#include <linux/bpf.h>
#include <linux/in.h>
#include <linux/kcm.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

int main()
{
	union bpf_attr prog = {
		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
		.insn_cnt = 2,
		.insns = (__u64)(__u64[]){ 0xb7, 0x95 },
		.license = (__u64)"",
	};
	int tcp_fd, bpf_fd, kcm_fd;
	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_port = __constant_htons(3270),
		.sin_addr = { __constant_htonl(0x7f000001) }
	};

	tcp_fd = socket(AF_INET, SOCK_STREAM, 0);
	bind(tcp_fd, (void *)&addr, sizeof(addr));
	listen(tcp_fd, 1);
	tcp_fd = socket(AF_INET, SOCK_STREAM, 0);
	connect(tcp_fd, (void *)&addr, sizeof(addr));
	bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &prog, 48);
	kcm_fd = socket(AF_KCM, SOCK_SEQPACKET, 0);
	if (fork() == 0) {
		struct kcm_attach attach = { tcp_fd, bpf_fd };

		for (;;)
			ioctl(kcm_fd, SIOCKCMATTACH, &attach);
	} else {
		struct kcm_unattach unattach = { tcp_fd };

		for (;;)
			ioctl(kcm_fd, SIOCKCMUNATTACH, &unattach);
	}
}

Tom Herbert

Mar 11, 2018, 6:35:21 PM
to Eric Biggers, Cong Wang, Tejun Heo, syzbot, Lai Jiangshan, LKML, Dmitry Vyukov, syzkall...@googlegroups.com, David Miller, Eric Dumazet, Eric Biggers, netdev
Yes. Thank you for the simple reproducer.

Tom