KASAN: use-after-free Read in bpf_test_finish
6 views
Skip to first unread message
syzbot
Aug 3, 2019, 7:31:07 AM8/3/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 10d6aa56 Linux 4.14.135
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14e82a30600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff4089e901d1d013
dashboard link: https://syzkaller.appspot.com/bug?extid=3c9ad1804804b4de0fae
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167cddb2600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228493a600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c9ad1...@syzkaller.appspotmail.com
audit: type=1400 audit(1564829577.213:36): avc: denied { map } for
pid=6952 comm="syz-executor429" path="/root/syz-executor429329191"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in _copy_to_user+0xa4/0xd0 lib/usercopy.c:27
Read of size 924 at addr ffff8880747ffff3 by task syz-executor429/6952
CPU: 0 PID: 6952 Comm: syz-executor429 Not tainted 4.14.135 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
_copy_to_user+0xa4/0xd0 lib/usercopy.c:27
copy_to_user include/linux/uaccess.h:155 [inline]
bpf_test_finish.isra.0+0xaf/0x150 net/bpf/test_run.c:59
bpf_prog_test_run_skb+0x5af/0x9a0 net/bpf/test_run.c:144
bpf_prog_test_run kernel/bpf/syscall.c:1258 [inline]
SYSC_bpf kernel/bpf/syscall.c:1520 [inline]
SyS_bpf+0x749/0x38f3 kernel/bpf/syscall.c:1469
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440379
RSP: 002b:00007ffd82ee9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c00
R13: 0000000000401c90 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001d1ffc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0001d1ffe0 ffffea0001d1ffe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880747ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880747fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8880747fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888074800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888074800080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 10d6aa56 Linux 4.14.135
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14e82a30600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff4089e901d1d013
dashboard link: https://syzkaller.appspot.com/bug?extid=3c9ad1804804b4de0fae
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167cddb2600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1228493a600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c9ad1...@syzkaller.appspotmail.com
audit: type=1400 audit(1564829577.213:36): avc: denied { map } for
pid=6952 comm="syz-executor429" path="/root/syz-executor429329191"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in _copy_to_user+0xa4/0xd0 lib/usercopy.c:27
Read of size 924 at addr ffff8880747ffff3 by task syz-executor429/6952
CPU: 0 PID: 6952 Comm: syz-executor429 Not tainted 4.14.135 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
_copy_to_user+0xa4/0xd0 lib/usercopy.c:27
copy_to_user include/linux/uaccess.h:155 [inline]
bpf_test_finish.isra.0+0xaf/0x150 net/bpf/test_run.c:59
bpf_prog_test_run_skb+0x5af/0x9a0 net/bpf/test_run.c:144
bpf_prog_test_run kernel/bpf/syscall.c:1258 [inline]
SYSC_bpf kernel/bpf/syscall.c:1520 [inline]
SyS_bpf+0x749/0x38f3 kernel/bpf/syscall.c:1469
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440379
RSP: 002b:00007ffd82ee9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440379
RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c00
R13: 0000000000401c90 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001d1ffc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0001d1ffe0 ffffea0001d1ffe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880747ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880747fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8880747fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888074800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888074800080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages