KASAN: use-after-free Read in bpf_prog_kallsyms_add
6 views
Skip to first unread message
syzbot
Jul 16, 2019, 1:11:06 PM7/16/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 3bd837bf Linux 4.19.59
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12257184600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfa2f3bc2e9ff5d4
dashboard link: https://syzkaller.appspot.com/bug?extid=bac15c16da66ee39546c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bac15c...@syzkaller.appspotmail.com
gfs2: invalid mount option: stat"s_percent=0x0000000000000000
gfs2: can't parse mount arguments
gfs2: invalid mount option: stat"s_percent=0x0000000000000000
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193
[inline]
BUG: KASAN: use-after-free in list_empty include/linux/list.h:203 [inline]
BUG: KASAN: use-after-free in bpf_prog_ksym_node_add kernel/bpf/core.c:458
[inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_add+0x7c5/0x840
kernel/bpf/core.c:490
Read of size 8 at addr ffff8880a55964e0 by task syz-executor.4/18204
CPU: 1 PID: 18204 Comm: syz-executor.4 Not tainted 4.19.59 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
gfs2: can't parse mount arguments
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
list_empty include/linux/list.h:203 [inline]
bpf_prog_ksym_node_add kernel/bpf/core.c:458 [inline]
bpf_prog_kallsyms_add+0x7c5/0x840 kernel/bpf/core.c:490
bpf_prog_load+0xf7e/0x1400 kernel/bpf/syscall.c:1469
__do_sys_bpf kernel/bpf/syscall.c:2405 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2367 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459819
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffb25899c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
RDX: 0000000000000048 RSI: 00000000200017c0 RDI: 0000000000000005
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffb2589a6d4
R13: 00000000004bfc7c R14: 00000000004d16d8 R15: 00000000ffffffff
Allocated by task 18204:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90
bpf_prog_load+0x558/0x1400 kernel/bpf/syscall.c:1399
__do_sys_bpf kernel/bpf/syscall.c:2405 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2367 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1473:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
bpf_jit_free+0xa5/0x300
bpf_prog_free_deferred+0x2f6/0x420 kernel/bpf/core.c:1814
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a5596480
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 96 bytes inside of
256-byte region [ffff8880a5596480, ffff8880a5596580)
The buggy address belongs to the page:
page:ffffea0002956580 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002913d48 ffffea0002342848 ffff88812c3f07c0
raw: 0000000000000000 ffff8880a55960c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5596380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5596400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a5596480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a5596500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5596580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 3bd837bf Linux 4.19.59
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12257184600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfa2f3bc2e9ff5d4
dashboard link: https://syzkaller.appspot.com/bug?extid=bac15c16da66ee39546c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bac15c...@syzkaller.appspotmail.com
gfs2: invalid mount option: stat"s_percent=0x0000000000000000
gfs2: can't parse mount arguments
gfs2: invalid mount option: stat"s_percent=0x0000000000000000
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193
[inline]
BUG: KASAN: use-after-free in list_empty include/linux/list.h:203 [inline]
BUG: KASAN: use-after-free in bpf_prog_ksym_node_add kernel/bpf/core.c:458
[inline]
BUG: KASAN: use-after-free in bpf_prog_kallsyms_add+0x7c5/0x840
kernel/bpf/core.c:490
Read of size 8 at addr ffff8880a55964e0 by task syz-executor.4/18204
CPU: 1 PID: 18204 Comm: syz-executor.4 Not tainted 4.19.59 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
gfs2: can't parse mount arguments
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
list_empty include/linux/list.h:203 [inline]
bpf_prog_ksym_node_add kernel/bpf/core.c:458 [inline]
bpf_prog_kallsyms_add+0x7c5/0x840 kernel/bpf/core.c:490
bpf_prog_load+0xf7e/0x1400 kernel/bpf/syscall.c:1469
__do_sys_bpf kernel/bpf/syscall.c:2405 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2367 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459819
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffb25899c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
RDX: 0000000000000048 RSI: 00000000200017c0 RDI: 0000000000000005
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffb2589a6d4
R13: 00000000004bfc7c R14: 00000000004d16d8 R15: 00000000ffffffff
Allocated by task 18204:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90
bpf_prog_load+0x558/0x1400 kernel/bpf/syscall.c:1399
__do_sys_bpf kernel/bpf/syscall.c:2405 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2367 [inline]
__x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1473:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
bpf_jit_free+0xa5/0x300
bpf_prog_free_deferred+0x2f6/0x420 kernel/bpf/core.c:1814
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a5596480
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 96 bytes inside of
256-byte region [ffff8880a5596480, ffff8880a5596580)
The buggy address belongs to the page:
page:ffffea0002956580 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002913d48 ffffea0002342848 ffff88812c3f07c0
raw: 0000000000000000 ffff8880a55960c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5596380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5596400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a5596480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a5596500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5596580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 14, 2020, 9:34:07 AM1/14/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages