KASAN: use-after-free Read in __lock_acquire (2)


syzbot

Nov 18, 2017, 10:24:05 AM
to dan.ca...@oracle.com, gre...@linuxfoundation.org, hdeg...@redhat.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, mate...@fastmail.fm, mi...@kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, vskr...@codeaurora.org, yamada....@socionext.com
Hello,

syzkaller hit the following crash on
d9e0e63d9a6f88440eb201e1491fcf730272c706
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

Unfortunately, I don't have any reproducer for this bug yet.


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41a5/0x4770 kernel/locking/lockdep.c:3378
Read of size 8 at addr ffff8800277eba78 by task syz-executor5/4581

CPU: 1 PID: 4581 Comm: syz-executor5 Not tainted 4.14.0-rc8-next-20171110+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__lock_acquire+0x41a5/0x4770 kernel/locking/lockdep.c:3378
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:159
destroy_async_on_interface+0x136/0x530 drivers/usb/core/devio.c:656
driver_disconnect+0xdd/0x140 drivers/usb/core/devio.c:702
usb_unbind_interface+0x229/0xb00 drivers/usb/core/driver.c:423
__device_release_driver drivers/base/dd.c:870 [inline]
device_release_driver_internal+0x52a/0x600 drivers/base/dd.c:903
device_release_driver+0x19/0x20 drivers/base/dd.c:928
usb_driver_release_interface+0x138/0x160 drivers/usb/core/driver.c:604
proc_disconnect_claim+0x221/0x380 drivers/usb/core/devio.c:2283
usbdev_do_ioctl+0x16a5/0x3670 drivers/usb/core/devio.c:2525
usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2553
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x447c99
RSP: 002b:00007f79b3b23bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f79b3b246cc RCX: 0000000000447c99
RDX: 000000002021c000 RSI: 000000008108551b RDI: 0000000000000013
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000008670 R14: 00000000006ec710 R15: 00007f79b3b24700

Allocated by task 4505:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3614
kmalloc include/linux/slab.h:514 [inline]
kzalloc include/linux/slab.h:703 [inline]
alloc_perf_context+0x4c/0xe0 kernel/events/core.c:3726
find_get_context.isra.83+0x16f/0x670 kernel/events/core.c:3815
SYSC_perf_event_open+0xd38/0x2f10 kernel/events/core.c:9991
SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9822
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kfree+0xca/0x250 mm/slab.c:3807
free_ctx+0x47/0x60 kernel/events/core.c:1160
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2676 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2935 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2902 [inline]
rcu_process_callbacks+0xd74/0x17d0 kernel/rcu/tree.c:2919
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285

The buggy address belongs to the object at ffff8800277eba40
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 56 bytes inside of
512-byte region [ffff8800277eba40, ffff8800277ebc40)
The buggy address belongs to the page:
page:ffffea00009dfac0 count:1 mapcount:0 mapping:ffff8800277eb040
index:0xffff8800277ebcc0
flags: 0x100000000000100(slab)
raw: 0100000000000100 ffff8800277eb040 ffff8800277ebcc0 0000000100000004
raw: ffffea0000b59c60 ffffea0000b488e0 ffff88002dc00940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8800277eb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277eb980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8800277eba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8800277eba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277ebb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log

syzbot

Dec 2, 2017, 11:08:02 AM
to dan.ca...@oracle.com, gre...@linuxfoundation.org, hdeg...@redhat.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, mate...@fastmail.fm, mi...@kernel.org, mi...@redhat.com, pet...@infradead.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, vskr...@codeaurora.org, yamada....@socionext.com
syzkaller has found reproducer for the following crash on
2db767d9889cef087149a5eaa35c1497671fa40f
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x465e/0x47f0 kernel/locking/lockdep.c:3378
Read of size 8 at addr ffff8801cd8e13f0 by task syzkaller236979/3086

CPU: 1 PID: 3086 Comm: syzkaller236979 Not tainted 4.15.0-rc1+ #115
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__lock_acquire+0x465e/0x47f0 kernel/locking/lockdep.c:3378
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:159
remove_wait_queue+0x81/0x350 kernel/sched/wait.c:50
ep_remove_wait_queue fs/eventpoll.c:595 [inline]
ep_unregister_pollwait.isra.7+0x18c/0x590 fs/eventpoll.c:613
ep_free+0x13f/0x320 fs/eventpoll.c:830
ep_eventpoll_release+0x44/0x60 fs/eventpoll.c:862
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ae0 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:977
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f97c79
RSP: 002b:00000000ffcb51bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
RDX: 0000000000000000 RSI: 00000000080d9b18 RDI: 00000000080f02a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3086:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
kmalloc include/linux/slab.h:499 [inline]
kzalloc include/linux/slab.h:688 [inline]
binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184
binder_poll+0x8c/0x390 drivers/android/binder.c:4286
ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884
ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455
SYSC_epoll_ctl fs/eventpoll.c:2106 [inline]
SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125

Freed by task 3086:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3491 [inline]
kfree+0xca/0x250 mm/slab.c:3806
binder_free_thread drivers/android/binder.c:4211 [inline]
binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808
binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275
binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492
C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125

The buggy address belongs to the object at ffff8801cd8e1340
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 176 bytes inside of
512-byte region [ffff8801cd8e1340, ffff8801cd8e1540)
The buggy address belongs to the page:
page:000000005245354e count:1 mapcount:0 mapping:000000001b93048b
index:0xffff8801cd8e1840
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cd8e10c0 ffff8801cd8e1840 0000000100000005
raw: ffffea00073404e0 ffffea0007340920 ffff8801db000940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801cd8e1280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801cd8e1300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801cd8e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cd8e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cd8e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

config.txt
raw.log
repro.txt
repro.c

Eric Biggers

Dec 12, 2017, 7:04:08 PM
to syzbot, dan.ca...@oracle.com, gre...@linuxfoundation.org, hdeg...@redhat.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, mate...@fastmail.fm, mi...@kernel.org, mi...@redhat.com, pet...@infradead.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, vskr...@codeaurora.org, yamada....@socionext.com
This is a bug in the "binder" driver: binder_poll() tells the poll system to use
a waitqueue which can be freed before the file is closed. I'll send this to the
binder maintainers and take lockdep maintainers, USB maintainers, etc. off Cc.

Eric

Eric Biggers

Dec 12, 2017, 7:05:21 PM
to syzbot, gre...@linuxfoundation.org, ar...@android.com, tk...@android.com, ma...@android.com, de...@driverdev.osuosl.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
[+Cc binder maintainers and list]
[-Cc lockdep maintainers, USB maintainers, and other random people]

On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote:
This is a bug in the binder driver. binder_poll() tells the poll system to use
the wait queue embedded in the 'struct binder_thread', but then the
BINDER_THREAD_EXIT ioctl will free the 'struct binder_thread' out from under it.

Perhaps either the waitqueue should be associated with the 'struct binder_proc'
rather than the 'struct binder_thread', or binder_poll() should take a reference
to the 'struct binder_thread'. But I'm not too familiar with binder or epoll,
so I don't know which solution is best.

Here is a program which reproduces the bug, assuming /dev/binder0 exists:

#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define BINDER_THREAD_EXIT 0x40046208ul

int main(void)
{
	int fd, epfd;
	struct epoll_event event = { .events = EPOLLIN };

	/* binder_poll() hands epoll the waitqueue embedded in the binder_thread */
	fd = open("/dev/binder0", O_RDONLY);
	epfd = epoll_create(1000);
	epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
	/* frees the binder_thread while epoll still points at its waitqueue */
	ioctl(fd, BINDER_THREAD_EXIT, NULL);
	return 0;	/* the freed waitqueue is touched when the epoll fd is released on exit */
}
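
To make the lifecycle described above concrete, here is an added user-space model; it is not code from this thread or from the binder driver, and every struct and function name in it is a hypothetical stand-in. An object embeds a wait-queue head, poll records a pointer to that head, the object is freed, and the later epoll teardown follows the stale pointer; with detach_on_exit set, it models the approach of the fix named later in the thread, unhooking waiters before the object is freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
struct wq_head { struct wq_entry *waiter; };   /* one slot stands in for the wait list */
struct wq_entry { struct wq_head *whead; };    /* epoll's per-entry pointer to the head */
/* Hypothetical stand-in for struct binder_thread: the head is embedded in the object. */
struct thread_model {
    bool freed;                 /* poison flag standing in for KASAN's shadow bytes */
    struct wq_head wait;
};

/* poll_wait() as called from the driver's poll: epoll records the embedded head. */
static void model_poll_wait(struct thread_model *t, struct wq_entry *e)
{
    e->whead = &t->wait;
    t->wait.waiter = e;
}

/* The thread-exit ioctl. detach=true models the fix named in the thread: waiters
 * are unhooked and epoll drops its head pointer before the object is freed. */
static void model_thread_exit(struct thread_model *t, bool detach)
{
    if (detach && t->wait.waiter)
        t->wait.waiter->whead = NULL;
    t->freed = true;            /* memory is kept so the model can observe the access */
}

/* epoll teardown: false marks the point where the kernel would read freed memory. */
static bool model_ep_remove(struct wq_entry *e)
{
    if (!e->whead) return true; /* already detached: nothing to touch */
    struct thread_model *owner = container_of(e->whead, struct thread_model, wait);
    if (owner->freed) return false;  /* the read KASAN reported in __lock_acquire */
    owner->wait.waiter = NULL;
    return true;
}

/* The reproducer's order of events: poll, thread exit, then epoll teardown. */
bool run_sequence(bool detach_on_exit)
{
    struct thread_model *t = calloc(1, sizeof *t);
    struct wq_entry e = { 0 };
    model_poll_wait(t, &e);
    model_thread_exit(t, detach_on_exit);
    bool ok = model_ep_remove(&e);
    free(t);
    return ok;
}
```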

Eric Biggers

Jan 30, 2018, 4:07:35 PM
to syzbot, gre...@linuxfoundation.org, ar...@android.com, tk...@android.com, ma...@android.com, de...@driverdev.osuosl.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
No longer occurring on linux-next, probably fixed by the following commit:

#syz fix: ANDROID: binder: remove waitqueue when thread exits.