KASAN: slab-use-after-free Read in nfc_llcp_unregister_device


Abagail ren

Oct 25, 2023, 3:03:24 AM
to krzysztof...@linaro.org, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Good day, dear maintainers.

Since the email system replied that it refused to accept the email because the text contained HTML, I sent it to you again in the form of shared files.

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the probability of vulnerability discovery using our prototype system developed based on syzkaller and found a bug "KASAN: slab-use-after-free Read in nfc_llcp_unregister_device." I'm still working on it to find out its root cause and availability.

The stack information: https://docs.google.com/document/d/1gdHebCRsvVsSPKfilcoXVu3Pctvoj2FSZCACcVYZXns/edit?usp=sharing

Kernel Branch: 6.4.0-rc3

Kernel Config: https://docs.google.com/document/d/1WIM0btqS2dex18HQYaL2xyoW6WdX2TsaNguTnWzHMps/edit?usp=sharing

Reproducer:  https://docs.google.com/document/d/1LrgGdOgZwO8wz0opusZ7flP9QSFZa32GdozvoxGysyY/edit?usp=sharing

Thank you!

Best regards,
Ren Zezhong

Abagail ren

Oct 25, 2023, 3:03:24 AM
to krzysztof...@linaro.org, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the probability of vulnerability discovery using our prototype system developed based on syzkaller and found a bug "KASAN: slab-use-after-free Read in nfc_llcp_unregister_device." I'm still working on it to find out its root cause and availability.

The following are details:

Kernel Branch: 6.4.0-rc3

Kernel Config and Reproducer are attached.

Thank you!

Best regards,
Ren Zezhong

Syzkaller hit 'KASAN: slab-use-after-free Read in nfc_llcp_unregister_device' bug.

==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid+0x170/0x1b0 lib/list_debug.c:62
Read of size 8 at addr ffff88801a961008 by task syz-executor.6/106718

CPU: 1 PID: 106718 Comm: syz-executor.6 Not tainted 6.4.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd5/0x150 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0xc1/0x5e0 mm/kasan/report.c:462
 kasan_report+0xbc/0xf0 mm/kasan/report.c:572
 __list_del_entry_valid+0x170/0x1b0 lib/list_debug.c:62
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 local_release net/nfc/llcp_core.c:172 [inline]
 kref_put include/linux/kref.h:65 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline]
 nfc_llcp_unregister_device+0xb4/0x260 net/nfc/llcp_core.c:1620
 nfc_unregister_device+0x192/0x330 net/nfc/core.c:1179
 virtual_ncidev_close+0x4e/0xa0 drivers/nfc/virtual_ncidev.c:163
 __fput+0x27c/0xa90 fs/file_table.c:321
 task_work_run+0x164/0x250 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:297
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0a78e8dbcb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 53 fc 02 00 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc 02 00 8b 44
RSP: 002b:00007ffce2ce4790 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f0a78e8dbcb
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00007f0a78fcd980 R08: 0000000000000000 R09: 00007f0a78a00b40
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000001445e6
R13: 00007ffce2ce4890 R14: 00007f0a78a00f68 R15: 00007f0a78a00f60
 </TASK>

Allocated by task 106708:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 ____kasan_kmalloc mm/kasan/common.c:333 [inline]
 __kasan_kmalloc+0x9e/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:680 [inline]
 nfc_llcp_register_device+0x45/0x9e0 net/nfc/llcp_core.c:1567
 nfc_register_device+0x6c/0x3c0 net/nfc/core.c:1124
 nci_register_device+0x7c7/0xb50 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x14b/0x220 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x379/0x490 drivers/char/misc.c:165
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x67f/0x13c0 fs/open.c:920
 do_open fs/namei.c:3636 [inline]
 path_openat+0x1b99/0x26c0 fs/namei.c:3791
 do_filp_open+0x1c5/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x13c/0x1f0 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 106706:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x161/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x89/0x1c0 mm/slub.c:1807
 slab_free mm/slub.c:3786 [inline]
 __kmem_cache_free+0xab/0x2e0 mm/slub.c:3799
 local_release net/nfc/llcp_core.c:174 [inline]
 kref_put include/linux/kref.h:65 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline]
 nfc_llcp_unregister_device+0x1b6/0x260 net/nfc/llcp_core.c:1620
 nfc_unregister_device+0x192/0x330 net/nfc/core.c:1179
 virtual_ncidev_close+0x4e/0xa0 drivers/nfc/virtual_ncidev.c:163
 __fput+0x27c/0xa90 fs/file_table.c:321
 task_work_run+0x164/0x250 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:297
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:491
 insert_work+0x48/0x360 kernel/workqueue.c:1365
 __queue_work+0x5c6/0xfb0 kernel/workqueue.c:1526
 queue_work_on+0xee/0x110 kernel/workqueue.c:1554
 queue_work include/linux/workqueue.h:505 [inline]
 schedule_work include/linux/workqueue.h:566 [inline]
 rfkill_register+0x678/0xb00 net/rfkill/core.c:1090
 nfc_register_device+0x120/0x3c0 net/nfc/core.c:1132
 nci_register_device+0x7c7/0xb50 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x14b/0x220 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x379/0x490 drivers/char/misc.c:165
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x67f/0x13c0 fs/open.c:920
 do_open fs/namei.c:3636 [inline]
 path_openat+0x1b99/0x26c0 fs/namei.c:3791
 do_filp_open+0x1c5/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x13c/0x1f0 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:491
 insert_work+0x48/0x360 kernel/workqueue.c:1365
 __queue_work+0x5c6/0xfb0 kernel/workqueue.c:1526
 queue_work_on+0xee/0x110 kernel/workqueue.c:1554
 queue_work include/linux/workqueue.h:505 [inline]
 schedule_work include/linux/workqueue.h:566 [inline]
 rfkill_register+0x678/0xb00 net/rfkill/core.c:1090
 nfc_register_device+0x120/0x3c0 net/nfc/core.c:1132
 nci_register_device+0x7c7/0xb50 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x14b/0x220 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x379/0x490 drivers/char/misc.c:165
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x67f/0x13c0 fs/open.c:920
 do_open fs/namei.c:3636 [inline]
 path_openat+0x1b99/0x26c0 fs/namei.c:3791
 do_filp_open+0x1c5/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x13c/0x1f0 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801a961000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 8 bytes inside of
 freed 2048-byte region [ffff88801a961000, ffff88801a961800)

The buggy address belongs to the physical page:
page:ffffea00006a5800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a960
head:ffffea00006a5800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff888012442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 9047, tgid 9047 (kworker/1:2), ts 1085728553252, free_ts 1084588319734
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d7/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf60/0x2ac0 mm/page_alloc.c:3502
 __alloc_pages+0x1c7/0x490 mm/page_alloc.c:4768
 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2279
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x390 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa99/0x13e0 mm/slub.c:3192
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3291
 __slab_alloc_node mm/slub.c:3344 [inline]
 slab_alloc_node mm/slub.c:3441 [inline]
 __kmem_cache_alloc_node+0x12e/0x320 mm/slub.c:3490
 __do_kmalloc_node mm/slab_common.c:965 [inline]
 __kmalloc_node_track_caller+0x4b/0x190 mm/slab_common.c:986
 kmalloc_reserve+0xf0/0x270 net/core/skbuff.c:585
 pskb_expand_head+0x233/0x10e0 net/core/skbuff.c:2054
 netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1321
 netlink_broadcast+0x5f/0xd90 net/netlink/af_netlink.c:1517
 nlmsg_multicast include/net/netlink.h:1083 [inline]
 nlmsg_notify+0x8f/0x280 net/netlink/af_netlink.c:2589
 rtnl_notify net/core/rtnetlink.c:771 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4016 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4032 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4019 [inline]
 rtmsg_ifinfo+0x16a/0x1a0 net/core/rtnetlink.c:4038
 netdev_state_change net/core/dev.c:1319 [inline]
 netdev_state_change+0x127/0x140 net/core/dev.c:1310
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x4dd/0xb80 mm/page_alloc.c:2564
 free_unref_page+0x2f/0x3c0 mm/page_alloc.c:2659
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x187/0x1d0 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x5f/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:711 [inline]
 slab_alloc_node mm/slub.c:3451 [inline]
 __kmem_cache_alloc_node+0x174/0x320 mm/slub.c:3490
 __do_kmalloc_node mm/slab_common.c:965 [inline]
 __kmalloc_node+0x4d/0x190 mm/slab_common.c:973
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x9e/0x1a0 mm/util.c:604
 kvmalloc include/linux/slab.h:697 [inline]
 seq_buf_alloc fs/seq_file.c:38 [inline]
 seq_read_iter+0x7f8/0x1260 fs/seq_file.c:210
 kernfs_fop_read_iter+0x4c7/0x690 fs/kernfs/file.c:279
 call_read_iter include/linux/fs.h:1862 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x4ab/0x8a0 fs/read_write.c:470
 ksys_read+0x127/0x250 fs/read_write.c:613
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88801a960f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801a960f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801a961000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88801a961080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801a961100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
reproducer(syzkaller_style).txt
config_file.txt
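As an added triage example (not part of this thread or of the kernel tree), a small parser for KASAN reports like the one above: it splits out the access, allocation and free stacks with their task ids and flags the pattern this report shows, namely that the object is freed and then read on the same nfc_llcp_unregister_device path by two different closing tasks. The REPORT string is an abridged copy of the report in the message above, constructed for the example.

```python
import re
# Abridged copy of the report quoted in this thread (only the lines the
# parser needs; frame text is copied verbatim from the message above).
REPORT = """\
BUG: KASAN: slab-use-after-free in __list_del_entry_valid+0x170/0x1b0 lib/list_debug.c:62
Read of size 8 at addr ffff88801a961008 by task syz-executor.6/106718
Call Trace:
 __list_del_entry_valid+0x170/0x1b0 lib/list_debug.c:62
 local_release net/nfc/llcp_core.c:172 [inline]
 nfc_llcp_unregister_device+0xb4/0x260 net/nfc/llcp_core.c:1620
 virtual_ncidev_close+0x4e/0xa0 drivers/nfc/virtual_ncidev.c:163
Allocated by task 106708:
 nfc_llcp_register_device+0x45/0x9e0 net/nfc/llcp_core.c:1567
 virtual_ncidev_open+0x14b/0x220 drivers/nfc/virtual_ncidev.c:148
Freed by task 106706:
 local_release net/nfc/llcp_core.c:174 [inline]
 nfc_llcp_unregister_device+0x1b6/0x260 net/nfc/llcp_core.c:1620
 virtual_ncidev_close+0x4e/0xa0 drivers/nfc/virtual_ncidev.c:163
"""
# One stack frame: " func[+off/len] path/file.c:line [inline]"
FRAME = re.compile(r"^\s+(\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")

def parse_kasan(text):
    """Return bug type, access details and the access/allocated/freed stacks."""
    hdr = re.search(r"BUG: KASAN: (\S+) in (\w+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    info = {"bug": hdr.group(1), "in": hdr.group(2), "access": acc.group(1),
            "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
            "tasks": {"access": int(acc.group(4))}, "stacks": {}}
    section = None
    for line in text.splitlines():
        m = re.match(r"(Allocated|Freed) by task (\d+):", line)
        if m:                                   # alloc/free stack header
            section = m.group(1).lower()
            info["tasks"][section] = int(m.group(2))
        elif line and not line[0].isspace():    # any other header ends a stack
            section = "access" if line.startswith("Call Trace:") else None
        elif section and (f := FRAME.match(line)):
            info["stacks"].setdefault(section, []).append((f.group(1), f.group(2)))
    return info

def triage(info):
    """Heuristic: free and faulting stacks share a function but ran in different
    tasks, which suggests concurrent teardown (refcount race) over a stale pointer."""
    free_fns = {fn for fn, _ in info["stacks"].get("freed", [])}
    shared = [fn for fn, _ in info["stacks"].get("access", []) if fn in free_fns]
    other_task = info["tasks"]["access"] != info["tasks"].get("freed")
    return {"shared_frames": shared, "different_tasks": other_task,
            "likely_race": bool(shared) and other_task}
```

Running `triage(parse_kasan(REPORT))` on the abridged report marks it as a likely teardown race, with local_release and nfc_llcp_unregister_device as the frames common to the free and the faulting read.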

Aleksandr Nogikh

Oct 25, 2023, 3:12:35 AM
to Abagail ren, krzysztof...@linaro.org, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, Dmitry Vyukov
Hi,

Please also note this report by syzbot:
https://syzkaller.appspot.com/bug?extid=81232c4a81a886e2b580

Its title is a bit different, but the stacktraces are the same. At the
bottom, you may also find KASAN crashes.

Judging by the "Discussions" block, there've been a couple of fix
attempts already, but they did not make it to the kernel.

--
Aleksandr

Krzysztof Kozlowski

Oct 25, 2023, 3:23:25 AM
to Abagail ren, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
On 25/10/2023 08:27, Abagail ren wrote:
> Good day, dear maintainers.
>
> Since the email system replied that it refused to accept the email because
> the text contained HTML, I sent it to you again in the form of shared files.
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the probability of vulnerability discovery using our prototype
> system developed based on syzkaller and found a bug "KASAN:
> slab-use-after-free Read in nfc_llcp_unregister_device." I'm still working
> on it to find out its root cause and availability.
>
> The stack information:
> https://docs.google.com/document/d/1gdHebCRsvVsSPKfilcoXVu3Pctvoj2FSZCACcVYZXns/edit?usp=sharing
>
> Kernel Branch: 6.4.0-rc3
>

Hi,

I received two emails from you, so I am not sure if these are separate
issues or not.

Anyway, there were fixes to these paths and you are testing quite old
kernel. If you have the reproducer, it should be straightforward to test
new kernel, so please do so. Test on linux-next.

Best regards,
Krzysztof
