KASAN: use-after-free Read in xt_find_match
5 views
Skip to first unread message
syzbot
Sep 10, 2020, 10:31:16 PM9/10/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 67957f12 Linux 4.19.144
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13aa9c11900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8f92680d5d45401
dashboard link: https://syzkaller.appspot.com/bug?extid=1e058f6d69a8b1946ac1
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=159d0759900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1152ea2d900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1e058f...@syzkaller.appspotmail.com
audit: type=1400 audit(1599791312.209:8): avc: denied { execmem } for pid=6450 comm="syz-executor444" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff88809adb3520 by task syz-executor444/6451
CPU: 1 PID: 6451 Comm: syz-executor444 Not tainted 4.19.144-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xd7/0x1260 kernel/locking/mutex.c:1072
xt_find_match net/netfilter/x_tables.c:189 [inline]
xt_find_match+0xa3/0x280 net/netfilter/x_tables.c:181
xt_request_find_match net/netfilter/x_tables.c:219 [inline]
xt_request_find_match+0x88/0x110 net/netfilter/x_tables.c:212
get_xt_match net/sched/em_ipt.c:112 [inline]
em_ipt_change+0x1c7/0x46b net/sched/em_ipt.c:132
tcf_em_validate net/sched/ematch.c:248 [inline]
tcf_em_tree_validate net/sched/ematch.c:365 [inline]
tcf_em_tree_validate+0x8fa/0xe95 net/sched/ematch.c:307
flow_change+0x2a4/0x1ca0 net/sched/cls_flow.c:439
tc_new_tfilter+0xb52/0x16c0 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x3b3/0x8e0 net/socket.c:2115
__sys_sendmmsg+0x195/0x470 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2236
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440d09
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0791ee58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004a2570 RCX: 0000000000440d09
RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007ffe0791ee60 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a2570
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809adb2900
which belongs to the cache names_cache of size 4096
The buggy address is located 3104 bytes inside of
4096-byte region [ffff88809adb2900, ffff88809adb3900)
The buggy address belongs to the page:
page:ffffea00026b6c80 count:1 mapcount:0 mapping:ffff8880aa00ab40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00026aad88 ffffea0002691488 ffff8880aa00ab40
raw: 0000000000000000 ffff88809adb2900 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809adb3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809adb3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809adb3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809adb3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809adb3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 67957f12 Linux 4.19.144
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13aa9c11900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8f92680d5d45401
dashboard link: https://syzkaller.appspot.com/bug?extid=1e058f6d69a8b1946ac1
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=159d0759900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1152ea2d900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1e058f...@syzkaller.appspotmail.com
audit: type=1400 audit(1599791312.209:8): avc: denied { execmem } for pid=6450 comm="syz-executor444" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff88809adb3520 by task syz-executor444/6451
CPU: 1 PID: 6451 Comm: syz-executor444 Not tainted 4.19.144-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xd7/0x1260 kernel/locking/mutex.c:1072
xt_find_match net/netfilter/x_tables.c:189 [inline]
xt_find_match+0xa3/0x280 net/netfilter/x_tables.c:181
xt_request_find_match net/netfilter/x_tables.c:219 [inline]
xt_request_find_match+0x88/0x110 net/netfilter/x_tables.c:212
get_xt_match net/sched/em_ipt.c:112 [inline]
em_ipt_change+0x1c7/0x46b net/sched/em_ipt.c:132
tcf_em_validate net/sched/ematch.c:248 [inline]
tcf_em_tree_validate net/sched/ematch.c:365 [inline]
tcf_em_tree_validate+0x8fa/0xe95 net/sched/ematch.c:307
flow_change+0x2a4/0x1ca0 net/sched/cls_flow.c:439
tc_new_tfilter+0xb52/0x16c0 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x3b3/0x8e0 net/socket.c:2115
__sys_sendmmsg+0x195/0x470 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2236
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440d09
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0791ee58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004a2570 RCX: 0000000000440d09
RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007ffe0791ee60 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a2570
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 1:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809adb2900
which belongs to the cache names_cache of size 4096
The buggy address is located 3104 bytes inside of
4096-byte region [ffff88809adb2900, ffff88809adb3900)
The buggy address belongs to the page:
page:ffffea00026b6c80 count:1 mapcount:0 mapping:ffff8880aa00ab40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00026aad88 ffffea0002691488 ffff8880aa00ab40
raw: 0000000000000000 ffff88809adb2900 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809adb3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809adb3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809adb3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809adb3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809adb3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages