KASAN: use-after-free Read in bpf_prog_kallsyms_find
7 views
Skip to first unread message
syzbot
Oct 14, 2019, 2:50:08 AM10/14/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=152265ab600000
kernel config: https://syzkaller.appspot.com/x/.config?x=f825f73d8fea6b52
dashboard link: https://syzkaller.appspot.com/bug?extid=78c0055f570265b80c19
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a685ab600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153c74a0e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+78c005...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in bpf_tree_comp kernel/bpf/core.c:437 [inline]
BUG: KASAN: use-after-free in __lt_find include/linux/rbtree_latch.h:115
[inline]
BUG: KASAN: use-after-free in latch_tree_find
include/linux/rbtree_latch.h:208 [inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_find kernel/bpf/core.c:511
[inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_find+0x264/0x2c0
kernel/bpf/core.c:504
Read of size 8 at addr ffff888096040600 by task syz-executor117/7804
CPU: 0 PID: 7804 Comm: syz-executor117 Not tainted 4.19.79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
bpf_tree_comp kernel/bpf/core.c:437 [inline]
__lt_find include/linux/rbtree_latch.h:115 [inline]
latch_tree_find include/linux/rbtree_latch.h:208 [inline]
bpf_prog_kallsyms_find kernel/bpf/core.c:511 [inline]
bpf_prog_kallsyms_find+0x264/0x2c0 kernel/bpf/core.c:504
is_bpf_text_address+0x78/0x170 kernel/bpf/core.c:546
kernel_text_address+0x73/0xf0 kernel/extable.c:152
__kernel_text_address+0xd/0x40 kernel/extable.c:107
unwind_get_return_address arch/x86/kernel/unwind_frame.c:18 [inline]
unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:13
__save_stack_trace+0x99/0x100 arch/x86/kernel/stacktrace.c:45
save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc mm/slab.c:3397 [inline]
kmem_cache_alloc+0x11b/0x700 mm/slab.c:3557
anon_vma_chain_alloc mm/rmap.c:129 [inline]
__anon_vma_prepare+0x62/0x3c0 mm/rmap.c:183
anon_vma_prepare include/linux/rmap.h:153 [inline]
do_huge_pmd_anonymous_page+0xeff/0x14e0 mm/huge_memory.c:676
create_huge_pmd mm/memory.c:3932 [inline]
__handle_mm_fault+0x2c80/0x3f80 mm/memory.c:4136
handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
__do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390
do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204
RIP: 0033:0x400d4b
Code: 8b 03 85 c0 74 e1 44 8b 4d 04 c7 45 08 00 00 00 00 45 85 c9 0f 85 54
02 00 00 31 c0 ba 04 00 00 00 31 c9 31 f6 31 ff 45 31 c0 <66> 89 04 25 02
00 00 20 66 89 14 25 0a 00 00 20 31 c0 66 89 0c 25
RSP: 002b:00007f5903552dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000006dbc28 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f59035539d0 R11: 0000000000000202 R12: 00000000006dbc2c
R13: 00007ffc282b32bf R14: 00007f59035539c0 R15: 000000000000002d
Allocated by task 7798:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90
jit_subprogs kernel/bpf/verifier.c:5814 [inline]
fixup_call_args kernel/bpf/verifier.c:5933 [inline]
bpf_check+0x3e7f/0x6259 kernel/bpf/verifier.c:6340
bpf_prog_load+0xdcf/0x13f0 kernel/bpf/syscall.c:1445
__do_sys_bpf kernel/bpf/syscall.c:2411 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2373 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2373
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3224:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
bpf_jit_free+0xa5/0x300
bpf_prog_free_deferred+0x1a6/0x420 kernel/bpf/core.c:1809
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff888096040580
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 128 bytes inside of
256-byte region [ffff888096040580, ffff888096040680)
The buggy address belongs to the page:
page:ffffea0002581000 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002653308 ffffea0002878888 ffff88812c3f07c0
raw: 0000000000000000 ffff888096040080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888096040500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888096040580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888096040600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888096040680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff888096040700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=152265ab600000
kernel config: https://syzkaller.appspot.com/x/.config?x=f825f73d8fea6b52
dashboard link: https://syzkaller.appspot.com/bug?extid=78c0055f570265b80c19
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a685ab600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153c74a0e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+78c005...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in bpf_tree_comp kernel/bpf/core.c:437 [inline]
BUG: KASAN: use-after-free in __lt_find include/linux/rbtree_latch.h:115
[inline]
BUG: KASAN: use-after-free in latch_tree_find
include/linux/rbtree_latch.h:208 [inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_find kernel/bpf/core.c:511
[inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_find+0x264/0x2c0
kernel/bpf/core.c:504
Read of size 8 at addr ffff888096040600 by task syz-executor117/7804
CPU: 0 PID: 7804 Comm: syz-executor117 Not tainted 4.19.79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
bpf_tree_comp kernel/bpf/core.c:437 [inline]
__lt_find include/linux/rbtree_latch.h:115 [inline]
latch_tree_find include/linux/rbtree_latch.h:208 [inline]
bpf_prog_kallsyms_find kernel/bpf/core.c:511 [inline]
bpf_prog_kallsyms_find+0x264/0x2c0 kernel/bpf/core.c:504
is_bpf_text_address+0x78/0x170 kernel/bpf/core.c:546
kernel_text_address+0x73/0xf0 kernel/extable.c:152
__kernel_text_address+0xd/0x40 kernel/extable.c:107
unwind_get_return_address arch/x86/kernel/unwind_frame.c:18 [inline]
unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:13
__save_stack_trace+0x99/0x100 arch/x86/kernel/stacktrace.c:45
save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc mm/slab.c:3397 [inline]
kmem_cache_alloc+0x11b/0x700 mm/slab.c:3557
anon_vma_chain_alloc mm/rmap.c:129 [inline]
__anon_vma_prepare+0x62/0x3c0 mm/rmap.c:183
anon_vma_prepare include/linux/rmap.h:153 [inline]
do_huge_pmd_anonymous_page+0xeff/0x14e0 mm/huge_memory.c:676
create_huge_pmd mm/memory.c:3932 [inline]
__handle_mm_fault+0x2c80/0x3f80 mm/memory.c:4136
handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
__do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390
do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204
RIP: 0033:0x400d4b
Code: 8b 03 85 c0 74 e1 44 8b 4d 04 c7 45 08 00 00 00 00 45 85 c9 0f 85 54
02 00 00 31 c0 ba 04 00 00 00 31 c9 31 f6 31 ff 45 31 c0 <66> 89 04 25 02
00 00 20 66 89 14 25 0a 00 00 20 31 c0 66 89 0c 25
RSP: 002b:00007f5903552dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000006dbc28 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f59035539d0 R11: 0000000000000202 R12: 00000000006dbc2c
R13: 00007ffc282b32bf R14: 00007f59035539c0 R15: 000000000000002d
Allocated by task 7798:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90
jit_subprogs kernel/bpf/verifier.c:5814 [inline]
fixup_call_args kernel/bpf/verifier.c:5933 [inline]
bpf_check+0x3e7f/0x6259 kernel/bpf/verifier.c:6340
bpf_prog_load+0xdcf/0x13f0 kernel/bpf/syscall.c:1445
__do_sys_bpf kernel/bpf/syscall.c:2411 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2373 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2373
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3224:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
bpf_jit_free+0xa5/0x300
bpf_prog_free_deferred+0x1a6/0x420 kernel/bpf/core.c:1809
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff888096040580
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 128 bytes inside of
256-byte region [ffff888096040580, ffff888096040680)
The buggy address belongs to the page:
page:ffffea0002581000 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002653308 ffffea0002878888 ffff88812c3f07c0
raw: 0000000000000000 ffff888096040080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888096040500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888096040580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888096040600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888096040680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff888096040700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages