Re: KASAN: use-after-free Write in config_item_get


Greg KH

May 11, 2020, 2:35:10 AM
to Kyungtae Kim, Joel Becker, Christoph Hellwig, syzkaller, LKML, Dave Tian
On Mon, May 11, 2020 at 05:52:16AM +0000, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> of syzkaller).
>
> kernel config: https://kt0755.github.io/etc/config_v5.6.8
>
>
> This bug happened when accessing a config_item instance right after it had been
> deallocated.
> Specifically, config_item_get() tries to access the ci_kref element in a config_item instance.
> But this led to a memory access violation because that instance (held by a fsg_opts structure)
> had been freed by fsg_free_inst() in another thread (PID: 2603).
>
> To fix this, it needs to check whether the config_item instance is still in use
> when trying to deallocate it.

Great, can you create a patch to fix this now that you have a solid test
for it?

thanks,

greg k-h

Kyungtae Kim

May 11, 2020, 2:53:41 AM
to Joel Becker, Christoph Hellwig, syzkaller, LKML, Dave Tian, Greg KH
We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
of syzkaller).

kernel config: https://kt0755.github.io/etc/config_v5.6.8


This bug happened when accessing a config_item instance right after it had been
deallocated.
Specifically, config_item_get() tries to access the ci_kref element in a config_item instance.
But this led to a memory access violation because that instance (held by a fsg_opts structure)
had been freed by fsg_free_inst() in another thread (PID: 2603).

To fix this, it needs to check whether the config_item instance is still in use
when trying to deallocate it.


==================================================================
BUG: KASAN: use-after-free in atomic_fetch_add include/asm-generic/atomic-instrumented.h:111 [inline]
BUG: KASAN: use-after-free in refcount_add include/linux/refcount.h:188 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:228 [inline]
BUG: KASAN: use-after-free in kref_get include/linux/kref.h:45 [inline]
BUG: KASAN: use-after-free in config_item_get+0x34/0xb0 fs/configfs/item.c:106
Write of size 4 at addr ffff88805838fc24 by task syz-executor.6/2609

CPU: 2 PID: 2609 Comm: syz-executor.6 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
__kasan_report+0x131/0x1b0 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_write+0x14/0x20 mm/kasan/common.c:101
atomic_fetch_add include/asm-generic/atomic-instrumented.h:111 [inline]
refcount_add include/linux/refcount.h:188 [inline]
refcount_inc include/linux/refcount.h:228 [inline]
kref_get include/linux/kref.h:45 [inline]
config_item_get+0x34/0xb0 fs/configfs/item.c:106
configfs_get_config_item fs/configfs/configfs_internal.h:128 [inline]
get_target fs/configfs/symlink.c:127 [inline]
configfs_symlink+0x381/0x11d0 fs/configfs/symlink.c:192
vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
__do_sys_symlinkat fs/namei.c:4242 [inline]
__se_sys_symlinkat fs/namei.c:4239 [inline]
__x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x452e7a
Code: b8 58 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed 63 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 63 f6 b8 0a 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 02 f3 c3 48 c7 c2 d4 ff ff ff f7 d8 64 89 02
RSP: 002b:00007fb11ba95b98 EFLAGS: 00000203 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000452e7a
RDX: 00000000004b5512 RSI: 0000000000000003 RDI: 00000000004b54ea
RBP: 0000000000000003 R08: 00000000004ed760 R09: 0000000000000000
R10: 00007fb11ba969d0 R11: 0000000000000203 R12: 00000000004bfc36
R13: 00000000004d7540 R14: 00007fb11ba966d4 R15: 00000000ffffffff

Allocated by task 2609:
save_stack+0x21/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
kzalloc include/linux/slab.h:555 [inline]
fsg_alloc_inst+0xce/0x830 drivers/usb/gadget/function/f_mass_storage.c:3351
try_get_usb_function_instance+0xf8/0x1c0 drivers/usb/gadget/functions.c:28
usb_get_function_instance+0x17/0x80 drivers/usb/gadget/functions.c:44
function_make+0xfa/0x3c0 drivers/usb/gadget/configfs.c:597
configfs_mkdir+0x458/0xaf0 fs/configfs/dir.c:1344
vfs_mkdir+0x3aa/0x660 fs/namei.c:3889
do_mkdirat+0x12b/0x220 fs/namei.c:3912
__do_sys_mkdir fs/namei.c:3928 [inline]
__se_sys_mkdir fs/namei.c:3926 [inline]
__x64_sys_mkdir+0x5c/0x80 fs/namei.c:3926
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2603:
save_stack+0x21/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xf7/0x410 mm/slub.c:3995
fsg_free_inst+0x207/0x280 drivers/usb/gadget/function/f_mass_storage.c:3342
usb_put_function_instance+0x86/0xb0 drivers/usb/gadget/functions.c:77
fsg_attr_release+0x15/0x20 drivers/usb/gadget/function/f_mass_storage.c:3228
config_item_cleanup fs/configfs/item.c:130 [inline]
config_item_release fs/configfs/item.c:139 [inline]
kref_put include/linux/kref.h:65 [inline]
config_item_put.part.0+0x191/0x250 fs/configfs/item.c:151
config_item_put+0x1f/0x30 fs/configfs/item.c:150
configfs_rmdir+0x58e/0x860 fs/configfs/dir.c:1554
vfs_rmdir+0x16d/0x480 fs/namei.c:3952
do_rmdir+0x2f2/0x3a0 fs/namei.c:4014
__do_sys_rmdir fs/namei.c:4032 [inline]
__se_sys_rmdir fs/namei.c:4030 [inline]
__x64_sys_rmdir+0x36/0x40 fs/namei.c:4030
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88805838fc00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 36 bytes inside of
512-byte region [ffff88805838fc00, ffff88805838fe00)
The buggy address belongs to the page:
page:ffffea000160e300 refcount:1 mapcount:0 mapping:ffff88806c00e580 index:0x0 compound_mapcount: 0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c00e580
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88805838fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805838fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805838fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805838fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805838fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
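The interleaving in the report, as an added model that is not kernel code and not a proposed patch: a kref-style count on which the symlink side's kref_get() runs after the rmdir side's config_item_put() has dropped the last reference, beside the kref_get_unless_zero() pattern that refuses the get once the count is already zero. The object here lives on the stack with a flag standing in for the freed memory, so the bad get is recorded rather than dereferencing freed memory, and the locking the real configfs paths hold around these operations is left out.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Stand-in for config_item: refcnt models ci_kref, freed records that the
 * release path (fsg_free_inst() in the report) has already run. */
struct item { int freed; atomic_int refcnt; };

/* Conditional get, as kref_get_unless_zero(): only bumps a non-zero count,
 * so a lookup that raced with the last put fails instead of reviving it. */
static bool item_get_unless_zero(struct item *it)
{
    int old = atomic_load(&it->refcnt);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&it->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; the last dropper runs release (models config_item_put()). */
static void item_put(struct item *it)
{
    if (atomic_fetch_sub(&it->refcnt, 1) == 1)
        it->freed = 1;
}

enum outcome { LOOKUP_FAILED_SAFELY, ACCESS_AFTER_FREE, GOT_LIVE_REF };
/* Interleaving from the report: rmdir drops the last reference after symlink
 * has found its target but before it takes its own reference. */
static enum outcome race_with_plain_get(void)
{
    struct item it = { 0 };
    atomic_init(&it.refcnt, 1);           /* the configfs directory holds this ref */
    struct item *target = &it;            /* symlink side: lookup succeeded */
    item_put(&it);                        /* rmdir side: last put, object released */
    atomic_fetch_add(&target->refcnt, 1); /* symlink side: unconditional kref_get() */
    return target->freed ? ACCESS_AFTER_FREE : GOT_LIVE_REF;
}

/* Same interleaving with the conditional get: the lookup fails cleanly. */
static enum outcome race_with_get_unless_zero(void)
{
    struct item it = { 0 };
    atomic_init(&it.refcnt, 1);
    struct item *target = &it;
    item_put(&it);
    if (!item_get_unless_zero(target))
        return LOOKUP_FAILED_SAFELY;      /* caller bails out, e.g. with -ENOENT */
    return target->freed ? ACCESS_AFTER_FREE : GOT_LIVE_REF;
}
```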