KASAN: use-after-free Read in vc_do_resize

164 views
Skip to first unread message

Zekun Shen

unread,
Feb 16, 2020, 4:10:32 PM2/16/20
to gre...@linuxfoundation.org, jsl...@suse.com, syzk...@googlegroups.com
I found the following crash with syzkaller. I searched through the mail list and found something similar from Jan 2020. Since they are in version 5.0, it was not prioritized. Therefore, I post the bug report here.

Linux version: 0bf999f9c5e74c7ecf9dafb527146601e5c848b9
File: drivers/tty/vt/vt.c

I have attached my config file and all the files from crash directory.

Hope it is helpful.


==================================================================
BUG: KASAN: use-after-free in vc_do_resize+0x880/0x1220
Read of size 65534 at addr ffff8880000f7ff8 by task syz-executor.0/867

CPU: 0 PID: 867 Comm: syz-executor.0 Not tainted 5.6.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0x94/0xce
 print_address_description.constprop.5+0x16/0x310
 __kasan_report+0x158/0x1c0
 kasan_report+0xe/0x20
 check_memory_region+0x15d/0x1b0
 memcpy+0x1f/0x50
 vc_do_resize+0x880/0x1220
 vt_ioctl+0x21ae/0x2500
 tty_ioctl+0x27d/0x1370
 ksys_ioctl+0xee/0x120
 __x64_sys_ioctl+0x6f/0xb0
 do_syscall_64+0x9c/0x390
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4674a9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3ea236cc48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 00000000004674a9
RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
RBP: 00007f3ea236d6bc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000666 R14: 00000000004c79cf R15: 0000000000700b40

The buggy address belongs to the page:
page:ffffea0000003dc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
raw: 0000000000001000 ffffea0000003dc8 ffffea0000003dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Extracting prog: 7m18.88360928s
Minimizing prog: 3m14.095585207s
Simplifying prog options: 1m19.428043371s
Extracting C: 22.548129419s
Simplifying C: 0s
opts: {Threaded:true Collide:true Repeat:false RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true UseTmpDir:true HandleSegv:true Repro:false Trace:false} crepro: false

r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$VT_RESIZEX(r0, 0x560a, &(0x7f0000000080)={0x0, 0x7fff, 0x8, 0x1, 0x4})
ioctl$VT_RESIZEX(0xffffffffffffffff, 0x560a, &(0x7f0000000080)={0x9, 0x0, 0x8, 0x0, 0x4})
description
report0
repro.log
repro.prog
repro.report
log0
repro.stats
my.cfg

Dmitry Vyukov

unread,
Feb 16, 2020, 11:23:49 PM2/16/20
to Zekun Shen, Greg Kroah-Hartman, Jiri Slaby, syzkaller
On Sun, Feb 16, 2020 at 10:10 PM Zekun Shen <zs1...@nyu.edu> wrote:
>
> I found the following crash with syzkaller. I searched through the mail list and found something similar from Jan 2020. Since they are in version 5.0, it was not prioritized. Therefore, I post the bug report here.
>
> Linux version: 0bf999f9c5e74c7ecf9dafb527146601e5c848b9
> File: drivers/tty/vt/vt.c
>
> I have attached my config file and all the files from crash directory.
>
> Hope it is helpful.

FTR there is a number of bugs mentioning vc_do_resize on syzbot:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/vc_do_resize%7Csort:date
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/CAF3Ky7VRLQYcteN-ff%2B13C48wsy4O5zOZq9UaoEGGtugzebkJA%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages