KASAN: use-after-free Read in selinux_inode_free_security


syzbot

Apr 14, 2019, 5:33:09 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1766a733400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=86876657b7b7291f1b25
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+868766...@syzkaller.appspotmail.com

binder_alloc: binder_alloc_mmap_handler: 6256 20001000-20004000 already mapped failed -16
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
binder: 6256:6264 got transaction to invalid handle
binder: 6256:6264 transaction failed 29201/-22, size 0-0 line 3013
==================================================================
BUG: KASAN: use-after-free in inode_free_security security/selinux/hooks.c:330 [inline]
BUG: KASAN: use-after-free in selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830
Read of size 8 at addr ffff8801875b55f8 by task syz-executor3/6255

CPU: 0 PID: 6255 Comm: syz-executor3 Not tainted 4.9.141+ #1
ffff8801ca7df870 ffffffff81b42e79 ffffea00061d6c00 ffff8801875b55f8
0000000000000000 ffff8801875b55f8 ffffffff82af3de0 ffff8801ca7df8a8
ffffffff815009b8 ffff8801875b55f8 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
[<ffffffff81a07049>] inode_free_security security/selinux/hooks.c:330 [inline]
[<ffffffff81a07049>] selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830
[<ffffffff819e3c96>] security_inode_free+0x56/0x90 security/security.c:356
[<ffffffff8155ff6e>] __destroy_inode+0x2e/0x220 fs/inode.c:235
[<ffffffff8156236e>] destroy_inode+0x4e/0x120 fs/inode.c:262
[<ffffffff81562816>] evict+0x3d6/0x620 fs/inode.c:570
[<ffffffff81563a01>] iput_final fs/inode.c:1516 [inline]
[<ffffffff81563a01>] iput+0x371/0x900 fs/inode.c:1543
[<ffffffff815e4868>] fsnotify_detach_mark+0x2c8/0x410 fs/notify/mark.c:170
[<ffffffff815e608c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
[<ffffffff815e34f2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
[<ffffffff815e7967>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
[<ffffffff81510293>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff815107b5>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8113dc4c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff8110f6c2>] get_signal+0x1042/0x1460 kernel/signal.c:2151
[<ffffffff81052aa5>] do_signal+0x95/0x1b00 arch/x86/kernel/signal.c:807
[<ffffffff81003e2e>] exit_to_usermode_loop+0x10e/0x150 arch/x86/entry/common.c:158
[<ffffffff81005932>] prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
[<ffffffff81005932>] syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
[<ffffffff81005932>] do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 6254:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
kmem_cache_alloc_trace+0x117/0x2e0 mm/slub.c:2742
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:636 [inline]
alloc_super fs/super.c:187 [inline]
sget_userns+0xf1/0xc40 fs/super.c:503
sget+0xd6/0x120 fs/super.c:559
mount_nodev+0x37/0x100 fs/super.c:1141
ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243
mount_fs+0x28c/0x370 fs/super.c:1206
vfs_kern_mount.part.8+0xd1/0x4b0 fs/namespace.c:1000
vfs_kern_mount fs/namespace.c:982 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x3c9/0x28a0 fs/namespace.c:2871
SYSC_mount fs/namespace.c:3087 [inline]
SyS_mount+0xea/0x100 fs/namespace.c:3064
do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 27122:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
destroy_super_work+0x40/0x50 fs/super.c:147
process_one_work+0x831/0x15f0 kernel/workqueue.c:2092
worker_thread+0xd6/0x1140 kernel/workqueue.c:2226
kthread+0x26d/0x300 kernel/kthread.c:211
ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801875b5500
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 248 bytes inside of
4096-byte region [ffff8801875b5500, ffff8801875b6500)
The buggy address belongs to the page:
page:ffffea00061d6c00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801875b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801875b5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801875b5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801875b5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801875b5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 26, 2019, 11:59:03 PM5/26/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.