KASAN: use-after-free Read in l2cap_chan_close
30 views
Skip to first unread message
syzbot
Feb 6, 2020, 1:16:10 PM2/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b499cf4b Linux 4.19.102
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1541dc0de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ebf58b0a913d3ef
dashboard link: https://syzkaller.appspot.com/bug?extid=dc7c8ed1a29a930d7883
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107ccce6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e73cb5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc7c8e...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x608/0x910 net/bluetooth/l2cap_core.c:727
Read of size 1 at addr ffff8880874109e0 by task kworker/0:2/3389
CPU: 0 PID: 3389 Comm: kworker/0:2 Not tainted 4.19.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
l2cap_chan_close+0x608/0x910 net/bluetooth/l2cap_core.c:727
do_enable_set+0x535/0x950 net/bluetooth/6lowpan.c:1086
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 3389:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
l2cap_chan_create+0x45/0x390 net/bluetooth/l2cap_core.c:441
chan_create+0x10/0xe0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x579/0x950 net/bluetooth/6lowpan.c:1090
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 8242:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
l2cap_chan_destroy+0x14f/0x1c0 net/bluetooth/l2cap_core.c:479
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x3a/0x50 net/bluetooth/l2cap_core.c:493
do_enable_set+0x541/0x950 net/bluetooth/6lowpan.c:1087
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880874109c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8880874109c0, ffff8880874111c0)
The buggy address belongs to the page:
page:ffffea00021d0400 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002802e88 ffffea0002802288 ffff88812c31cc40
raw: 0000000000000000 ffff888087410140 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888087410880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888087410900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888087410980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff888087410a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888087410a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: b499cf4b Linux 4.19.102
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1541dc0de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ebf58b0a913d3ef
dashboard link: https://syzkaller.appspot.com/bug?extid=dc7c8ed1a29a930d7883
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107ccce6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e73cb5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dc7c8e...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x608/0x910 net/bluetooth/l2cap_core.c:727
Read of size 1 at addr ffff8880874109e0 by task kworker/0:2/3389
CPU: 0 PID: 3389 Comm: kworker/0:2 Not tainted 4.19.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
l2cap_chan_close+0x608/0x910 net/bluetooth/l2cap_core.c:727
do_enable_set+0x535/0x950 net/bluetooth/6lowpan.c:1086
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 3389:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
l2cap_chan_create+0x45/0x390 net/bluetooth/l2cap_core.c:441
chan_create+0x10/0xe0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x579/0x950 net/bluetooth/6lowpan.c:1090
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 8242:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
l2cap_chan_destroy+0x14f/0x1c0 net/bluetooth/l2cap_core.c:479
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x3a/0x50 net/bluetooth/l2cap_core.c:493
do_enable_set+0x541/0x950 net/bluetooth/6lowpan.c:1087
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880874109c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8880874109c0, ffff8880874111c0)
The buggy address belongs to the page:
page:ffffea00021d0400 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002802e88 ffffea0002802288 ffff88812c31cc40
raw: 0000000000000000 ffff888087410140 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888087410880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888087410900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888087410980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff888087410a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888087410a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Feb 7, 2020, 9:54:12 PM2/7/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e0f8b8a6 Linux 4.14.170
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11d9cca1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=633dd9db249084f5
dashboard link: https://syzkaller.appspot.com/bug?extid=b70b68318b213bb8c149
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ed7431e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14378301e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
==================================================================
BUG: KASAN: use-after-free in l2cap_chan_close+0x540/0x830 net/bluetooth/l2cap_core.c:727
Read of size 1 at addr ffff8880a80f8160 by task kworker/0:0/3
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.14.170-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Workqueue: events do_enable_set
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
l2cap_chan_close+0x540/0x830 net/bluetooth/l2cap_core.c:727
do_enable_set+0x48f/0x840 net/bluetooth/6lowpan.c:1086
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 7497:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
l2cap_chan_create+0x43/0x3c0 net/bluetooth/l2cap_core.c:441
chan_create+0x10/0xe0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x4c6/0x840 net/bluetooth/6lowpan.c:1090
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 7497:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
l2cap_chan_destroy+0x141/0x1b0 net/bluetooth/l2cap_core.c:479
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x2c/0x40 net/bluetooth/l2cap_core.c:493
do_enable_set+0x49b/0x840 net/bluetooth/6lowpan.c:1087
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
The buggy address belongs to the object at ffff8880a80f8140
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8880a80f8140, ffff8880a80f8940)
The buggy address is located 32 bytes inside of
The buggy address belongs to the page:
page:ffffea0002a03e00 count:1 mapcount:0 mapping:ffff8880a80f8140 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a80f8140 0000000000000000 0000000100000003
raw: ffffea0002a3dd20 ffffea0002a22a20 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a80f8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880a80f8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a80f8100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a80f8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a80f8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
syzbot
Sep 6, 2020, 5:54:09 AM9/6/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou <koul...@huawei.com>
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1136d4f9900000
start commit: c076c79e Linux 4.19.137
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b8bacc01843402f4
dashboard link: https://syzkaller.appspot.com/bug?extid=dc7c8ed1a29a930d7883
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104393fa900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1552df32900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou <koul...@huawei.com>
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1136d4f9900000
start commit: c076c79e Linux 4.19.137
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b8bacc01843402f4
dashboard link: https://syzkaller.appspot.com/bug?extid=dc7c8ed1a29a930d7883
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104393fa900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1552df32900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages