KASAN: use-after-free Read in __fget


syzbot

Dec 28, 2017, 7:02:04 AM12/28/17
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzkaller hit the following crash on
464e1d5f23cca236b930ef068c328a64cab78fb1
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.


IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3657e9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

device gre0 entered promiscuous mode
kasan: CONFIG_KASAN_INLINE enabled
==================================================================
BUG: KASAN: use-after-free in __fcheck_files include/linux/fdtable.h:85 [inline]
BUG: KASAN: use-after-free in fcheck_files include/linux/fdtable.h:95 [inline]
BUG: KASAN: use-after-free in __fget+0x547/0x570 fs/file.c:690
Read of size 4 at addr ffff8801d4302f00 by task syz-executor4/22370

CPU: 0 PID: 22370 Comm: syz-executor4 Not tainted 4.15.0-rc5+ #147
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
__fcheck_files include/linux/fdtable.h:85 [inline]
fcheck_files include/linux/fdtable.h:95 [inline]
__fget+0x547/0x570 fs/file.c:690
__fget_light+0x2eb/0x380 fs/file.c:745
__fdget+0x18/0x20 fs/file.c:753
fdget include/linux/file.h:57 [inline]
sockfd_lookup_light+0x21/0x150 net/socket.c:495
SYSC_sendto+0x144/0x5c0 net/socket.c:1709
SyS_sendto+0x40/0x50 net/socket.c:1695
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f53c79
RSP: 002b:00000000f772e08c EFLAGS: 00000296 ORIG_RAX: 0000000000000171
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000020ab7000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000020ab8000
RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 22368:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3708 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3717
kmalloc include/linux/slab.h:504 [inline]
kzalloc include/linux/slab.h:688 [inline]
ext4_htree_store_dirent+0x8b/0x580 fs/ext4/dir.c:451
htree_dirblock_to_tree+0x4e8/0xa00 fs/ext4/namei.c:1019
ext4_htree_fill_tree+0x2bb/0xcb0 fs/ext4/namei.c:1096
ext4_dx_readdir fs/ext4/dir.c:575 [inline]
ext4_readdir+0x1d03/0x3050 fs/ext4/dir.c:122
iterate_dir+0x1ca/0x530 fs/readdir.c:51
SYSC_getdents fs/readdir.c:231 [inline]
SyS_getdents+0x225/0x450 fs/readdir.c:212
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 22368:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3488 [inline]
kfree+0xd6/0x260 mm/slab.c:3803
free_rb_tree_fname+0x85/0xe0 fs/ext4/dir.c:403
ext4_htree_free_dir_info fs/ext4/dir.c:425 [inline]
ext4_release_dir+0x44/0x60 fs/ext4/dir.c:623
__fput+0x327/0x7e0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96

The buggy address belongs to the object at ffff8801d4302f00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff8801d4302f00, ffff8801d4302f40)
The buggy address belongs to the page:
page:0000000089700587 count:1 mapcount:0 mapping:00000000159189cf
index:0xffff8801d4302400
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d4302000 ffff8801d4302400 000000010000001b
raw: ffffea00070cfda0 ffffea0006cb16e0 ffff8801db000340 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d4302e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801d4302e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8801d4302f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8801d4302f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801d4303000: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log
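Added example (not part of the syzbot report, and not kernel code): a small decoder for the "Memory state around the buggy address" block above. KASAN maps every 8 bytes of kernel memory to one shadow byte, so each dump row of 16 shadow bytes covers 128 bytes of memory, and the row marked "> " is the one containing the faulting address. The poison values used here (0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE, and so on) are the ones from mm/kasan/kasan.h in kernels of this era; confirm them against the tree you are triaging, since the encoding has changed in later kernels. Feeding the decoder the rows from the report (copied inline as constructed input) and the "Read of size 4 at addr ffff8801d4302f00" from the header lands on a granule poisoned 0xfb, which is exactly why KASAN classified the access as use-after-free rather than out-of-bounds. Note that the freed object came from the ext4 readdir path while the faulting read is an fd-table lookup, which is the kind of mismatch that makes a one-off report like this suspicious of earlier silent corruption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE   8   /* bytes of memory covered by one shadow byte */
#define KASAN_ROW_BYTES 16  /* shadow bytes printed per dump row */
#define KASAN_MAX_ROWS  16

/* Poison values as defined in mm/kasan/kasan.h around v4.15 (assumption: check your tree). */
const char *kasan_shadow_meaning(uint8_t b)
{
    if (b == 0x00) return "addressable (all 8 bytes)";
    if (b <= 0x07) return "partially addressable (first N bytes only)";
    switch (b) {
    case 0xf1: return "KASAN_STACK_LEFT";
    case 0xf2: return "KASAN_STACK_MID";
    case 0xf3: return "KASAN_STACK_RIGHT";
    case 0xf4: return "KASAN_STACK_PARTIAL";
    case 0xf8: return "KASAN_USE_AFTER_SCOPE";
    case 0xfa: return "KASAN_GLOBAL_REDZONE";
    case 0xfb: return "KASAN_KMALLOC_FREE (use-after-free)";
    case 0xfc: return "KASAN_KMALLOC_REDZONE (heap out-of-bounds)";
    case 0xfe: return "KASAN_PAGE_REDZONE";
    case 0xff: return "KASAN_FREE_PAGE";
    default:   return "unknown poison value";
    }
}

struct kasan_dump {
    uint64_t base;                                   /* address covered by shadow[0] */
    uint8_t  shadow[KASAN_MAX_ROWS * KASAN_ROW_BYTES];
    int      rows;
};

/* Parse "addr: b0 b1 ... b15" rows; skips the "> " marker and the "^" line. Returns rows or -1. */
int kasan_dump_parse(const char *text, struct kasan_dump *d)
{
    memset(d, 0, sizeof(*d));
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof(line)) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        char *s = line, *end;
        while (*s == ' ' || *s == '>') s++;
        uint64_t addr = strtoull(s, &end, 16);
        if (end == s || *end != ':') continue;          /* not a shadow row */
        if (d->rows >= KASAN_MAX_ROWS) return -1;
        if (d->rows == 0) d->base = addr;
        else if (addr != d->base + (uint64_t)d->rows * KASAN_ROW_BYTES * KASAN_GRANULE)
            return -1;                                  /* rows must be contiguous */
        s = end + 1;
        for (int i = 0; i < KASAN_ROW_BYTES; i++) {
            unsigned long v = strtoul(s, &end, 16);
            if (end == s || v > 0xff) return -1;
            d->shadow[d->rows * KASAN_ROW_BYTES + i] = (uint8_t)v;
            s = end;
        }
        d->rows++;
    }
    return d->rows;
}

/* Shadow byte for addr, or -1 if addr is outside the dumped window. */
int kasan_shadow_at(const struct kasan_dump *d, uint64_t addr)
{
    if (addr < d->base) return -1;
    uint64_t idx = (addr - d->base) / KASAN_GRANULE;
    if (idx >= (uint64_t)d->rows * KASAN_ROW_BYTES) return -1;
    return d->shadow[idx];
}

/* Shadow value of the first byte of [addr, addr+size) KASAN would reject,
 * 0 if the whole access is addressable, -1 if it leaves the dumped window. */
int kasan_first_bad_shadow(const struct kasan_dump *d, uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        uint64_t a = addr + i;
        int sh = kasan_shadow_at(d, a);
        if (sh < 0) return -1;
        if (sh == 0) continue;
        if (sh <= 7 && (int)(a % KASAN_GRANULE) < sh) continue;  /* inside a partial granule's valid prefix */
        return sh;
    }
    return 0;
}

/* Constructed input: the "Memory state" rows copied from the report above. */
static const char report_dump[] =
    "ffff8801d4302e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    "ffff8801d4302e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    "> ffff8801d4302f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    "^\n"
    "ffff8801d4302f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    "ffff8801d4303000: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc\n";

/* Classify an access against the report's dump; -2 means the dump failed to parse. */
int report_first_bad_shadow(uint64_t addr, size_t size)
{
    struct kasan_dump d;
    if (kasan_dump_parse(report_dump, &d) < 0) return -2;
    return kasan_first_bad_shadow(&d, addr, size);
}

int main(void)
{
    uint64_t addr = 0xffff8801d4302f00ULL;   /* "Read of size 4 at addr ..." */
    int sh = report_first_bad_shadow(addr, 4);
    printf("read of 4 at %#llx: shadow %#x -> %s\n",
           (unsigned long long)addr, sh, kasan_shadow_meaning((uint8_t)sh));
    return 0;
}
```

The same decoder applied to the last row shows the 0xfc redzone bytes that a heap overflow would trip, so the value of the first rejected shadow byte is what distinguishes a UAF report from an OOB one before you read a single stack frame.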

Dmitry Vyukov

Dec 28, 2017, 7:32:04 AM12/28/17
to syzbot, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com, Al Viro
This happened only once so far. Can be a subtle race, can be a
previous silent memory corruption. So just in case you see something
obvious in the code.


Dmitry Vyukov

Feb 14, 2018, 10:01:09 AM2/14/18
to syzbot, syzkall...@googlegroups.com
old bug bankruptcy

#syz invalid