KASAN: use-after-free Read in nfc_llcp_getsockopt
7 views
Skip to first unread message
syzbot
May 8, 2021, 5:57:17 AM5/8/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3c8c2309 Linux 4.19.190
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17775a63d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3c2572d41264a3d
dashboard link: https://syzkaller.appspot.com/bug?extid=42bfeff3dfafc9e9c21a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1155e593d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154f97c3d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+42bfef...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in nfc_llcp_getsockopt+0x4c4/0x4d0 net/nfc/llcp_sock.c:360
Read of size 2 at addr ffff8880adecd68e by task syz-executor850/8120
CPU: 0 PID: 8120 Comm: syz-executor850 Not tainted 4.19.190-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load2_noabort+0x88/0x90 mm/kasan/report.c:431
nfc_llcp_getsockopt+0x4c4/0x4d0 net/nfc/llcp_sock.c:360
__sys_getsockopt+0x135/0x210 net/socket.c:1938
__do_sys_getsockopt net/socket.c:1949 [inline]
__se_sys_getsockopt net/socket.c:1946 [inline]
__x64_sys_getsockopt+0xba/0x150 net/socket.c:1946
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445a09
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd941fdf2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000004ca420 RCX: 0000000000445a09
RDX: 0000000000000003 RSI: 0000000000000118 RDI: 0000000000000003
RBP: 00000000004ca42c R08: 00000000207a0cb3 R09: 0000000000000000
R10: 0000000020000100 R11: 0000000000000246 R12: 000000000049a074
R13: 6905fecae4b90cfa R14: 652e79726f6d656d R15: 00000000004ca428
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 8106:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880adecd3c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 718 bytes inside of
2048-byte region [ffff8880adecd3c0, ffff8880adecdbc0)
The buggy address belongs to the page:
page:ffffea0002b7b300 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002b79688 ffffea0002b0b708 ffff88813bff0c40
raw: 0000000000000000 ffff8880adecc2c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880adecd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880adecd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880adecd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880adecd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880adecd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 3c8c2309 Linux 4.19.190
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17775a63d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3c2572d41264a3d
dashboard link: https://syzkaller.appspot.com/bug?extid=42bfeff3dfafc9e9c21a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1155e593d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154f97c3d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+42bfef...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in nfc_llcp_getsockopt+0x4c4/0x4d0 net/nfc/llcp_sock.c:360
Read of size 2 at addr ffff8880adecd68e by task syz-executor850/8120
CPU: 0 PID: 8120 Comm: syz-executor850 Not tainted 4.19.190-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load2_noabort+0x88/0x90 mm/kasan/report.c:431
nfc_llcp_getsockopt+0x4c4/0x4d0 net/nfc/llcp_sock.c:360
__sys_getsockopt+0x135/0x210 net/socket.c:1938
__do_sys_getsockopt net/socket.c:1949 [inline]
__se_sys_getsockopt net/socket.c:1946 [inline]
__x64_sys_getsockopt+0xba/0x150 net/socket.c:1946
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445a09
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd941fdf2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000004ca420 RCX: 0000000000445a09
RDX: 0000000000000003 RSI: 0000000000000118 RDI: 0000000000000003
RBP: 00000000004ca42c R08: 00000000207a0cb3 R09: 0000000000000000
R10: 0000000020000100 R11: 0000000000000246 R12: 000000000049a074
R13: 6905fecae4b90cfa R14: 652e79726f6d656d R15: 00000000004ca428
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 8106:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880adecd3c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 718 bytes inside of
2048-byte region [ffff8880adecd3c0, ffff8880adecdbc0)
The buggy address belongs to the page:
page:ffffea0002b7b300 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002b79688 ffffea0002b0b708 ffff88813bff0c40
raw: 0000000000000000 ffff8880adecc2c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880adecd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880adecd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880adecd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880adecd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880adecd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages