KASAN: use-after-free Read in unmap_page_range


syzbot

Oct 30, 2017, 3:37:24 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzkaller hit the following crash on
5d51332f20b270812376cf8751987e283f30de4a
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.


CC: [ak...@linux-foundation.org ja...@suse.cz kirill....@linux.intel.com
ross.z...@linux.intel.com mho...@suse.com lsto...@gmail.com
aneesh...@linux.vnet.ibm.com dave....@intel.com wi...@linux.intel.com
hu...@google.com linu...@kvack.org linux-...@vger.kernel.org]

==================================================================
BUG: KASAN: use-after-free in unmap_page_range+0x1dc7/0x22a0 mm/memory.c:1413
Read of size 8 at addr ffff880039dd0358 by task syz-executor6/12544

CPU: 0 PID: 12544 Comm: syz-executor6 Not tainted 4.13.0-rc5-next-20170816+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
unmap_page_range+0x1dc7/0x22a0 mm/memory.c:1413
unmap_single_vma+0x15f/0x2d0 mm/memory.c:1463
unmap_vmas+0xf1/0x1b0 mm/memory.c:1493
exit_mmap+0x22a/0x560 mm/mmap.c:3004
__mmput kernel/fork.c:905 [inline]
mmput+0x223/0x6e0 kernel/fork.c:927
copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
copy_process kernel/fork.c:1546 [inline]
_do_fork+0x1ef/0xfb0 kernel/fork.c:2025
SYSC_clone kernel/fork.c:2135 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2129
do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x448ad9
RSP: 002b:00007ffd934b69c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000448ad9
RDX: 000000000000f8f8 RSI: 0000000000a5ffb0 RDI: 0000000074000000
RBP: 0000000000000006 R08: 00007ffd934b6920 R09: 00007ffd934b6920
R10: 000000000040d950 R11: 0000000000000202 R12: 0000000000000000
R13: 000000000040d8c0 R14: 000000000040d950 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0000e77400 count:0 mapcount:-127 mapping: (null)
index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea0000f625a0 ffffea0000ee6c60 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff880039dd0200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff880039dd0280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff880039dd0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff880039dd0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff880039dd0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
To upstream this report, please reply with:
#syz upstream
Attachments: config.txt, raw.log

Dmitry Vyukov

Oct 30, 2017, 3:42:16 PM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Happened once on Aug 16, no reproducer, probably was fixed by something.

#syz invalid

On Mon, Oct 30, 2017 at 10:37 PM, syzbot
<bot+697ff43218dc577cc7...@syzkaller.appspotmail.com>
wrote: