tty,net: use-after-free in x25_asy_open_tty


Sasha Levin

Nov 20, 2015, 8:57:02 AM
to gre...@linuxfoundation.org, Jiri Slaby, LKML, syzk...@googlegroups.com, net...@vger.kernel.org, Peter Hurley
Hi all,

While fuzzing with syzkaller inside a kvmtools guest running latest -next kernel, I've hit:

[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 634.342605] -----------------------------------------------------------------------------
[ 634.342605]
[ 634.344196] Disabling lock debugging due to kernel taint
[ 634.345046] INFO: Allocated in r3964_open+0x55/0x590 age=3 cpu=0 pid=8981
[ 634.346165] ___slab_alloc+0x434/0x5b0
[ 634.346912] __slab_alloc.isra.37+0x79/0xd0
[ 634.347642] kmem_cache_alloc_trace+0xf5/0x350
[ 634.348398] r3964_open+0x55/0x590
[ 634.348952] tty_ldisc_open.isra.2+0x8a/0xd0
[ 634.349616] tty_set_ldisc+0x344/0x910
[ 634.350202] tty_ioctl+0x1534/0x1d70
[ 634.350762] do_vfs_ioctl+0xc90/0xd40
[ 634.351349] SyS_ioctl+0x6d/0xb0
[ 634.351890] entry_SYSCALL_64_fastpath+0x35/0x9e
[ 634.352548] INFO: Freed in r3964_close+0x23b/0x280 age=10 cpu=0 pid=8981
[ 634.353599] __slab_free+0x64/0x260
[ 634.354151] kfree+0x281/0x2f0
[ 634.354641] r3964_close+0x23b/0x280
[ 634.355219] tty_ldisc_close.isra.1+0xc2/0xd0
[ 634.355890] tty_set_ldisc+0x2bd/0x910
[ 634.356559] tty_ioctl+0x1534/0x1d70
[ 634.357121] do_vfs_ioctl+0xc90/0xd40
[ 634.357614] SyS_ioctl+0x6d/0xb0
[ 634.358133] entry_SYSCALL_64_fastpath+0x35/0x9e
[ 634.358853] INFO: Slab 0xffffea00029d0f00 objects=20 used=10 fp=0xffff8800a743efd0 flags=0x1fffff80004080
[ 634.360308] INFO: Object 0xffff8800a743efd0 @offset=12240 fp=0xffff8800a743f300
[ 634.360308]
[ 634.361652] Bytes b4 ffff8800a743efc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.363048] Object ffff8800a743efd0: 00 f3 43 a7 00 88 ff ff ff ff ff ff 00 00 00 00 ..C.............
[ 634.364424] Object ffff8800a743efe0: ff ff ff ff ff ff ff ff a0 7d 41 ab ff ff ff ff .........}A.....
[ 634.365835] Object ffff8800a743eff0: a0 cf a8 a9 ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 634.367346] Object ffff8800a743f000: 00 e8 33 a4 ff ff ff ff 03 00 00 00 00 00 00 00 ..3.............
[ 634.368721] Object ffff8800a743f010: 3e a2 5b 9c ff ff ff ff 80 c9 d6 b4 00 88 ff ff >.[.............
[ 634.370139] Object ffff8800a743f020: 00 79 7a 6b 61 6c 6c 65 00 80 50 a7 00 88 ff ff .yzkalle..P.....
[ 634.371635] Object ffff8800a743f030: 20 e7 50 a7 00 88 ff ff 00 00 00 00 00 00 00 00 .P.............
[ 634.373000] Object ffff8800a743f040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.374418] Object ffff8800a743f050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.375843] Object ffff8800a743f060: 00 00 00 00 00 00 00 00 01 00 00 00 67 6d c1 1b ............gm..
[ 634.377339] Object ffff8800a743f070: 00 00 00 00 ad 4e ad de ff ff ff ff ad 4e ad de .....N.......N..
[ 634.378747] Object ffff8800a743f080: ff ff ff ff ff ff ff ff a0 48 2c a9 ff ff ff ff .........H,.....
[ 634.380174] Object ffff8800a743f090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.381584] Object ffff8800a743f0a0: c0 21 cd a3 ff ff ff ff 03 00 00 00 00 00 00 00 .!..............
[ 634.382949] Object ffff8800a743f0b0: 00 00 00 00 01 00 00 00 b8 f0 43 a7 00 88 ff ff ..........C.....
[ 634.384365] Object ffff8800a743f0c0: b8 f0 43 a7 00 88 ff ff 00 00 00 00 00 00 00 00 ..C.............
[ 634.385637] Object ffff8800a743f0d0: 68 f0 43 a7 00 88 ff ff 60 7d 41 ab ff ff ff ff h.C.....`}A.....
[ 634.387138] Object ffff8800a743f0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.388563] Object ffff8800a743f0f0: 40 e8 33 a4 ff ff ff ff 01 00 00 00 00 00 00 00 @.3.............
[ 634.389977] Object ffff8800a743f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.391396] Object ffff8800a743f110: 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 ................
[ 634.392868] Object ffff8800a743f120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.393649] Object ffff8800a743f130: c0 73 5b 9c ff ff ff ff d0 ef 43 a7 00 88 ff ff .s[.......C.....
[ 634.394483] Object ffff8800a743f140: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................
[ 634.395281] Object ffff8800a743f150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.396081] Object ffff8800a743f160: 00 00 00 00 00 00 00 00 20 7d 41 ab ff ff ff ff ........ }A.....
[ 634.396928] Object ffff8800a743f170: b0 cd a8 a9 ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 634.397714] Object ffff8800a743f180: 80 e8 33 a4 ff ff ff ff 00 00 00 00 00 00 00 00 ..3.............
[ 634.398511] Object ffff8800a743f190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.399314] Object ffff8800a743f1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.400128] Object ffff8800a743f1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.401006] Object ffff8800a743f1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 634.401785] CPU: 0 PID: 8981 Comm: syzkaller_execu Tainted: G B 4.4.0-rc1-next-20151119-sasha-00042-g10467c3 #2643
[ 634.402861] 0000000000000000 0000000058ca1c30 ffff8800a4d87970 ffffffff9be4f37b
[ 634.403518] ffff88012f605040 ffff8800a743efd0 ffff8800a743c000 ffff8800a4d879a0
[ 634.404198] ffffffff9a79bf5a ffff88012f605040 ffffea00029d0f00 ffff8800a743efd0
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
[ 634.428475] Memory state around the buggy address:
[ 634.428900] ffff8800a743ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 634.429500] ffff8800a743ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 634.430138] >ffff8800a743ef80: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 634.430780] ^
[ 634.431309] ffff8800a743f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 634.431945] ffff8800a743f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 634.432726] ==================================================================

Peter Hurley

Nov 20, 2015, 2:59:19 PM
to Sasha Levin, gre...@linuxfoundation.org, Jiri Slaby, David Miller, LKML, syzk...@googlegroups.com, net...@vger.kernel.org
[ + David Miller ]

On 11/20/2015 08:56 AM, Sasha Levin wrote:
> Hi all,
>
> While fuzzing with syzkaller inside a kvmtools guest running latest -next kernel, I've hit:
>
> [ 634.336761] ==================================================================
> [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
> [ 634.339558] Read of size 4 by task syzkaller_execu/8981
> [ 634.340359] =============================================================================
> [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected

Thanks for the report, Sasha.
Would you please test the patch below?

The ldisc api should really prevent these kinds of errors. I'll prepare
a patch to the tty core which should address the api weakness.

Regards,
Peter Hurley

--->% ---
Subject: [PATCH] wan/x25: Fix use-after-free in x25_asy_open_tty()

The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(i.e. from open() to close() only).

[1] Report by Sasha Levin <sasha...@oracle.com>
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-by: Sasha Levin <sasha...@oracle.com>
Signed-off-by: Peter Hurley <pe...@hurleysoftware.com>
---
drivers/net/wan/x25_asy.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
index 5c47b01..cd39025 100644
--- a/drivers/net/wan/x25_asy.c
+++ b/drivers/net/wan/x25_asy.c
@@ -549,16 +549,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty,

static int x25_asy_open_tty(struct tty_struct *tty)
{
- struct x25_asy *sl = tty->disc_data;
+ struct x25_asy *sl;
int err;

if (tty->ops->write == NULL)
return -EOPNOTSUPP;

- /* First make sure we're not already connected. */
- if (sl && sl->magic == X25_ASY_MAGIC)
- return -EEXIST;
-
/* OK. Find a free X.25 channel to use. */
sl = x25_asy_alloc();
if (sl == NULL)
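Review bot: with the "already connected" guard removed, nothing left in this hunk records why tty->disc_data must not be read on entry, so the plausible-looking check could be reintroduced later; a one-line comment above `sl = x25_asy_alloc();` stating that disc_data is undefined on entry to open() and is owned by this ldisc only between open() and close() would keep the commit message's reasoning next to the code. It is also worth a sentence in the log that open() can no longer return -EEXIST, since the removed check was the only path in this hunk that produced it.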
--
2.6.3
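The ownership rule the commit message states (tty->disc_data is valid only between an ldisc's own open() and close(), never on entry to open()) is easy to see in a small user-space model. The block below is an added example, not code from this thread or from the kernel: it replays the switch from the previous ldisc to N_X25 with a mock private-data pool that records reads through freed objects, standing in for KASAN, and contrasts the pre-patch open() with the patched one. All identifiers ending in _model, the pool, the counters and the magic values are constructed for this example; the core_clears flag is an assumption illustrating one way the tty core could enforce the contract, since the thread only says a core-side change was planned, not what it does.

```c
/* Added example, not code from the thread or the kernel: a user-space model of
 * the ldisc switch behind the KASAN report above. Identifiers ending in _model,
 * the pool, the counters and the magic values are assumptions of this example. */
#include <stddef.h>
#include <stdio.h>

#define EEXIST_MODEL        17   /* stands in for -EEXIST */
#define X25_ASY_MAGIC_MODEL 0x5a /* constructed value, not the driver's constant */
#define R3964_MAGIC_MODEL   0x3c /* constructed value */

/* One line discipline's private data; 'live' tracks whether it has been freed. */
struct ldisc_priv {
    int live;
    int magic;
};

/* Mirrors the one field of struct tty_struct the example needs. */
struct tty_model {
    struct ldisc_priv *disc_data;
};

/* Fixed pool instead of kmalloc: freed objects keep their memory so a stale
 * read can be counted instead of being undefined behaviour. */
static struct ldisc_priv pool[8];
static int pool_used;
static int stale_reads;

static void pool_reset(void) { pool_used = 0; stale_reads = 0; }

static struct ldisc_priv *priv_alloc(int magic)
{
    struct ldisc_priv *p = &pool[pool_used++];
    p->live = 1;
    p->magic = magic;
    return p;
}

static void priv_free(struct ldisc_priv *p) { p->live = 0; }

/* Every field read goes through here, playing the role of KASAN. */
static int read_magic(struct ldisc_priv *p)
{
    if (!p->live)
        stale_reads++;
    return p->magic;
}

/* Previous ldisc (r3964 in the report): close() frees its data but, as the
 * report shows, tty->disc_data is left pointing at the freed object. */
static void r3964_open_model(struct tty_model *tty)
{
    tty->disc_data = priv_alloc(R3964_MAGIC_MODEL);
}

static void r3964_close_model(struct tty_model *tty)
{
    priv_free(tty->disc_data);
}

/* Before the patch: trusts tty->disc_data on entry and reads through it. */
static int x25_asy_open_buggy(struct tty_model *tty)
{
    struct ldisc_priv *sl = tty->disc_data;

    if (sl && read_magic(sl) == X25_ASY_MAGIC_MODEL)
        return -EEXIST_MODEL;
    tty->disc_data = priv_alloc(X25_ASY_MAGIC_MODEL);
    return 0;
}

/* After the patch: disc_data is owned from open() to close() only, so the
 * driver allocates its own and never reads what the previous ldisc left. */
static int x25_asy_open_fixed(struct tty_model *tty)
{
    tty->disc_data = priv_alloc(X25_ASY_MAGIC_MODEL);
    return 0;
}

/* Core-side switch. core_clears is an assumption of this example: nulling
 * disc_data between the old close() and the new open() is one way the tty
 * core could enforce the contract; the thread does not say what the planned
 * core change does. */
static int set_ldisc_model(struct tty_model *tty, int core_clears, int use_fixed)
{
    r3964_close_model(tty);
    if (core_clears)
        tty->disc_data = NULL;
    return use_fixed ? x25_asy_open_fixed(tty) : x25_asy_open_buggy(tty);
}

/* Returns the number of reads through freed memory, or -1 if open() failed. */
int stale_reads_after_switch(int use_fixed, int core_clears)
{
    struct tty_model tty = { NULL };

    pool_reset();
    r3964_open_model(&tty);
    if (set_ldisc_model(&tty, core_clears, use_fixed) != 0)
        return -1;
    return stale_reads;
}

int main(void)
{
    printf("buggy open, core leaves disc_data: %d stale read(s)\n", stale_reads_after_switch(0, 0));
    printf("fixed open, core leaves disc_data: %d stale read(s)\n", stale_reads_after_switch(1, 0));
    printf("buggy open, core clears disc_data: %d stale read(s)\n", stale_reads_after_switch(0, 1));
    return 0;
}
```

The pre-patch open() performs exactly one read through the freed r3964 object (the magic comparison), which is the 4-byte load KASAN flagged at x25_asy.c:559; the patched open() performs none because it never dereferences the inherited pointer. The third run shows why the driver fix and a core-side guard are complementary: clearing disc_data in the core would have turned the stale read into a NULL check even in the unpatched driver, but it does not replace the driver change, which is correct under the contract on its own.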


Dmitry Vyukov

Nov 20, 2015, 3:10:27 PM
to Sasha Levin, syzkaller
-most

Hi Sasha,

How do you enable and make fuzzer use these weird drivers (r3964,
x25_asy) in your (virtualized?) test setup?
I would like to cover such drivers too. I guess the first thing is to
enable them in config. But then how do you provide an actual device
for e.g. wan/x25? And how do you route tty into this driver?..

Sasha Levin

Nov 23, 2015, 9:51:23 AM
to Dmitry Vyukov, syzkaller
On 11/20/2015 03:10 PM, Dmitry Vyukov wrote:
> -most
>
> Hi Sasha,
>
> How do you enable and make fuzzer use these weird drivers (r3964,
> x25_asy) in your (virtualized?) test setup?
> I would like to cover such drivers too. I guess the first thing is to
> enable them in config. But then how do you provide an actual device
> for e.g. wan/x25? And how do you route tty into this driver?..

No magic, just compile it built in so the init code will run. It'll fail
on things that require actual hardware, but most things do *some*
functionality even without hardware, which is what I'm stumbling on.


Thanks,
Sasha

Dmitry Vyukov

Nov 23, 2015, 2:36:05 PM
to Sasha Levin, syzkaller
I see. Thanks!

Sasha Levin

Nov 26, 2015, 11:27:12 PM
to Peter Hurley, gre...@linuxfoundation.org, Jiri Slaby, David Miller, LKML, syzk...@googlegroups.com, net...@vger.kernel.org
On 11/20/2015 02:59 PM, Peter Hurley wrote:
> Thanks for the report, Sasha.
> Would you please test the patch below?

Fixes it for me, thanks!


Thanks,
Sasha