KASAN: use-after-free Write in ex_handler_refcount (2)
7 views
Skip to first unread message
syzbot
Mar 29, 2021, 9:41:19 AM3/29/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 78fec161 Linux 4.19.183
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15e2cd9ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b2beec637df5f52
dashboard link: https://syzkaller.appspot.com/bug?extid=a2d92f19728cc7ea347f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e214aad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16972016d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a2d92f...@syzkaller.appspotmail.com
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
==================================================================
BUG: KASAN: use-after-free in ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff8880a9213398 by task systemd-udevd/8956
CPU: 1 PID: 8956 Comm: systemd-udevd Not tainted 4.19.183-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_store4_noabort+0x88/0x90 mm/kasan/report.c:437
ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xd0 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:209 [inline]
do_trap+0x61/0x250 arch/x86/kernel/traps.c:258
do_error_trap+0x15d/0x310 arch/x86/kernel/traps.c:303
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:__noinstr_text_end+0x2426/0x77c7
Code: 0f 0b 48 8d 4b 50 0f 0b 48 8d 4b 08 0f 0b 48 8d 4d 08 0f 0b 48 8d 8d 08 02 00 00 0f 0b 48 8d 0b 0f 0b 48 8d 0b 0f 0b 48 8d 0b <0f> 0b 48 8d 4d 00 0f 0b 49 8d 0c 24 0f 0b 48 8d 8b c0 00 00 00 0f
RSP: 0018:ffff8880a24f7cd8 EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffff8880a9213398 RCX: ffff8880a9213398
RDX: 0000000000000004 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff14b7519
R10: ffffffff8a5ba8cb R11: 0000000000000000 R12: ffffffff8a5ba8c0
R13: 0000000000000000 R14: 1ffff1101156fd65 R15: dffffc0000000000
nbd_put drivers/block/nbd.c:228 [inline]
nbd_release+0x108/0x170 drivers/block/nbd.c:1462
__blkdev_put+0x636/0x870 fs/block_dev.c:1819
blkdev_close+0x86/0xb0 fs/block_dev.c:1888
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffae4dc8270
Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
RSP: 002b:00007ffcdf120718 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007ffae4dc8270
RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00007ffae5c82710 R08: 0000000000000045 R09: 0000000000000018
R10: 000055b3d6cd9c98 R11: 0000000000000246 R12: 0000000000000000
R13: 000055b3d6cd9d20 R14: 0000000000000003 R15: 000000000000000e
Allocated by task 8916:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nbd_dev_add+0x44/0x890 drivers/block/nbd.c:1627
nbd_genl_connect+0x4cc/0x1630 drivers/block/nbd.c:1773
genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2115
__sys_sendmsg net/socket.c:2153 [inline]
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8927:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
nbd_dev_remove drivers/block/nbd.c:223 [inline]
nbd_put.part.0+0xfe/0x140 drivers/block/nbd.c:231
nbd_put drivers/block/nbd.c:228 [inline]
nbd_genl_connect+0x120e/0x1630 drivers/block/nbd.c:1913
genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2115
__sys_sendmsg net/socket.c:2153 [inline]
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a92132c0
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 216 bytes inside of
512-byte region [ffff8880a92132c0, ffff8880a92134c0)
The buggy address belongs to the page:
page:ffffea0002a484c0 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a49748 ffffea0002a23a88 ffff88813bff0940
raw: 0000000000000000 ffff8880a9213040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a9213280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8880a9213300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a9213380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a9213400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9213480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 78fec161 Linux 4.19.183
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15e2cd9ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b2beec637df5f52
dashboard link: https://syzkaller.appspot.com/bug?extid=a2d92f19728cc7ea347f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e214aad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16972016d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a2d92f...@syzkaller.appspotmail.com
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor440'.
==================================================================
BUG: KASAN: use-after-free in ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff8880a9213398 by task systemd-udevd/8956
CPU: 1 PID: 8956 Comm: systemd-udevd Not tainted 4.19.183-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_store4_noabort+0x88/0x90 mm/kasan/report.c:437
ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xd0 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:209 [inline]
do_trap+0x61/0x250 arch/x86/kernel/traps.c:258
do_error_trap+0x15d/0x310 arch/x86/kernel/traps.c:303
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:__noinstr_text_end+0x2426/0x77c7
Code: 0f 0b 48 8d 4b 50 0f 0b 48 8d 4b 08 0f 0b 48 8d 4d 08 0f 0b 48 8d 8d 08 02 00 00 0f 0b 48 8d 0b 0f 0b 48 8d 0b 0f 0b 48 8d 0b <0f> 0b 48 8d 4d 00 0f 0b 49 8d 0c 24 0f 0b 48 8d 8b c0 00 00 00 0f
RSP: 0018:ffff8880a24f7cd8 EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffff8880a9213398 RCX: ffff8880a9213398
RDX: 0000000000000004 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff14b7519
R10: ffffffff8a5ba8cb R11: 0000000000000000 R12: ffffffff8a5ba8c0
R13: 0000000000000000 R14: 1ffff1101156fd65 R15: dffffc0000000000
nbd_put drivers/block/nbd.c:228 [inline]
nbd_release+0x108/0x170 drivers/block/nbd.c:1462
__blkdev_put+0x636/0x870 fs/block_dev.c:1819
blkdev_close+0x86/0xb0 fs/block_dev.c:1888
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffae4dc8270
Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
RSP: 002b:00007ffcdf120718 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007ffae4dc8270
RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00007ffae5c82710 R08: 0000000000000045 R09: 0000000000000018
R10: 000055b3d6cd9c98 R11: 0000000000000246 R12: 0000000000000000
R13: 000055b3d6cd9d20 R14: 0000000000000003 R15: 000000000000000e
Allocated by task 8916:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nbd_dev_add+0x44/0x890 drivers/block/nbd.c:1627
nbd_genl_connect+0x4cc/0x1630 drivers/block/nbd.c:1773
genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2115
__sys_sendmsg net/socket.c:2153 [inline]
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8927:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
nbd_dev_remove drivers/block/nbd.c:223 [inline]
nbd_put.part.0+0xfe/0x140 drivers/block/nbd.c:231
nbd_put drivers/block/nbd.c:228 [inline]
nbd_genl_connect+0x120e/0x1630 drivers/block/nbd.c:1913
genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2115
__sys_sendmsg net/socket.c:2153 [inline]
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a92132c0
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 216 bytes inside of
512-byte region [ffff8880a92132c0, ffff8880a92134c0)
The buggy address belongs to the page:
page:ffffea0002a484c0 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a49748 ffffea0002a23a88 ffff88813bff0940
raw: 0000000000000000 ffff8880a9213040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a9213280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8880a9213300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a9213380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a9213400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9213480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages