fs: use-after-free in link_path_walk

From: Dmitry Vyukov
Date: Fri Jan 22 2016 - 17:33:49 EST


Hello,

The following program triggers a use-after-free in link_path_walk:
https://gist.githubusercontent.com/dvyukov/fc0da4b914d607ba8129/raw/b761243c44106d74f2173745132c82d179cbdc58/gistfile1.txt

==================================================================
BUG: KASAN: use-after-free in link_path_walk+0xe13/0x1030 at addr ffff88005f29d6e2
Read of size 1 by task syz-executor/29494
=============================================================================
BUG kmalloc-16 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in shmem_symlink+0x18c/0x600 age=2 cpu=2 pid=29504
[< none >] __kmalloc_track_caller+0x28e/0x320 mm/slub.c:4068
[< none >] kmemdup+0x24/0x50 mm/util.c:113
[< none >] shmem_symlink+0x18c/0x600 mm/shmem.c:2548
[< none >] vfs_symlink+0x218/0x3a0 fs/namei.c:3997
[< inline >] SYSC_symlinkat fs/namei.c:4024
[< none >] SyS_symlinkat+0x1ab/0x230 fs/namei.c:4004
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

INFO: Freed in shmem_evict_inode+0xa6/0x420 age=12 cpu=2 pid=29504
[< none >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[< none >] shmem_evict_inode+0xa6/0x420 mm/shmem.c:705
[< none >] evict+0x22c/0x500 fs/inode.c:542
[< inline >] iput_final fs/inode.c:1477
[< none >] iput+0x45f/0x860 fs/inode.c:1504
[< none >] do_unlinkat+0x3c0/0x830 fs/namei.c:3939
[< inline >] SYSC_unlink fs/namei.c:3980
[< none >] SyS_unlink+0x1a/0x20 fs/namei.c:3978
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea00017ca700 objects=16 used=12 fp=0xffff88005f29d6e0 flags=0x5fffc0000004080
INFO: Object 0xffff88005f29d6e0 @offset=5856 fp=0xffff88005f29d310
CPU: 3 PID: 29494 Comm: syz-executor Tainted: G B 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88000056fa08 ffffffff82999e2d ffff88003e807900
ffff88005f29d6e0 ffff88005f29c000 ffff88000056fa38 ffffffff81757354
ffff88003e807900 ffffea00017ca700 ffff88005f29d6e0 ffff88005f29d6e2

Call Trace:
[<ffffffff8176092e>] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:292
[<ffffffff817deb33>] link_path_walk+0xe13/0x1030 fs/namei.c:1913
[<ffffffff817df049>] path_lookupat+0x1a9/0x450 fs/namei.c:2120
[<ffffffff817e6aad>] filename_lookup+0x18d/0x370 fs/namei.c:2155
[<ffffffff817e6dd0>] user_path_at_empty+0x40/0x50 fs/namei.c:2393
[< inline >] user_path_at include/linux/namei.h:52
[<ffffffff8185ab29>] do_utimes+0x209/0x280 fs/utimes.c:169
[< inline >] SYSC_utimensat fs/utimes.c:200
[<ffffffff8185ada3>] SyS_utimensat+0xd3/0x130 fs/utimes.c:185
[<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
==================================================================

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).