Re: KASAN: use-after-free Read in seccomp_notify_release (2)

From: Kees Cook
Date: Tue Apr 23 2019 - 17:47:47 EST

Next message: Stephen Boyd: "Re: [RFC 00/19] clk: imx: Switch the imx6 and imx7 to clk_hw based API"
Previous message: Daniel Gomez: "[PATCH v2] iio: temperature: maxim_thermocouple: declare missing of table"
Next in thread: Tycho Andersen: "Re: KASAN: use-after-free Read in seccomp_notify_release (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 25, 2019 at 1:02 AM syzbot
<syzbot+b562969adb2e04af3442@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 1bdd3dbf Merge tag 'io_uring-20190323' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12ae5b93200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9a31fb246de2a622
> dashboard link: https://syzkaller.appspot.com/bug?extid=b562969adb2e04af3442
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162ca25d200000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1733b53b200000
>
> The bug was bisected to:
>
> commit a799aea0988ea0d1b1f263e996fdad2f6133c680
> Author: wenxu <wenxu@xxxxxxxxx>
> Date: Wed Jan 9 02:40:11 2019 +0000
>
> netfilter: nft_flow_offload: Fix reverse route lookup

This bisection looks bogus?

However, I _can_ trigger the problem on this kernel version with this
config. (And not with Linus's latest tree.)

The PoC is identical to the prior report[1] that we thought was fixed.
Perhaps the fix didn't actually fix it? (I mean
a811dc61559e0c8003f1086c2a4dc8e4d5ae4cb8) But it's been silent for 29
days now, so I'm not sure what's going on.

Tycho are you able to reproduce this on the older tree?

-Kees

[1] https://groups.google.com/forum/#!msg/syzkaller-bugs/BPWo-3V1M2k/0keafXgOCQAJ

>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10dcc517200000
> final crash: https://syzkaller.appspot.com/x/report.txt?x=12dcc517200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=14dcc517200000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b562969adb2e04af3442@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a799aea0988e ("netfilter: nft_flow_offload: Fix reverse route
> lookup")
>
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x2d5e/0x3fb0
> kernel/locking/lockdep.c:3573
> Read of size 8 at addr ffff8880a621d080 by task syz-executor365/8267
>
> CPU: 0 PID: 8267 Comm: syz-executor365 Not tainted 5.1.0-rc1+ #35
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
> kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
> __lock_acquire+0x2d5e/0x3fb0 kernel/locking/lockdep.c:3573
> lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
> __mutex_lock_common kernel/locking/mutex.c:925 [inline]
> __mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072
> mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
> seccomp_notify_release+0x62/0x280 kernel/seccomp.c:984
> __fput+0x2e5/0x8d0 fs/file_table.c:278
> ____fput+0x16/0x20 fs/file_table.c:309
> task_work_run+0x14a/0x1c0 kernel/task_work.c:113
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
> prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
> syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
> do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x405621
> Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
> 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00007ffe1ebba1e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
> RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000405621
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
> RBP: 0000000000000064 R08: 00007f28ae4ca700 R09: 0000000000000000
> R10: 00007ffe1ebba1f0 R11: 0000000000000293 R12: 00000000006dbc30
> R13: 0000000000000002 R14: 00000000006dbc3c R15: 000000000000002d
>
> Allocated by task 8278:
> save_stack+0x45/0xd0 mm/kasan/common.c:75
> set_track mm/kasan/common.c:87 [inline]
> __kasan_kmalloc mm/kasan/common.c:497 [inline]
> __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
> kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
> kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621
> kmalloc include/linux/slab.h:545 [inline]
> kzalloc include/linux/slab.h:740 [inline]
> seccomp_prepare_filter kernel/seccomp.c:453 [inline]
> seccomp_prepare_user_filter kernel/seccomp.c:493 [inline]
> seccomp_set_mode_filter kernel/seccomp.c:1262 [inline]
> do_seccomp+0x743/0x2250 kernel/seccomp.c:1376
> __do_sys_seccomp kernel/seccomp.c:1395 [inline]
> __se_sys_seccomp kernel/seccomp.c:1392 [inline]
> __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8278:
> save_stack+0x45/0xd0 mm/kasan/common.c:75
> set_track mm/kasan/common.c:87 [inline]
> __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
> kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
> __cache_free mm/slab.c:3498 [inline]
> kfree+0xcf/0x230 mm/slab.c:3821
> seccomp_filter_free kernel/seccomp.c:567 [inline]
> seccomp_filter_free kernel/seccomp.c:563 [inline]
> seccomp_set_mode_filter kernel/seccomp.c:1317 [inline]
> do_seccomp+0xb00/0x2250 kernel/seccomp.c:1376
> __do_sys_seccomp kernel/seccomp.c:1395 [inline]
> __se_sys_seccomp kernel/seccomp.c:1392 [inline]
> __x64_sys_seccomp+0x73/0xb0 kernel/seccomp.c:1392
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff8880a621d000
> which belongs to the cache kmalloc-192 of size 192
> The buggy address is located 128 bytes inside of
> 192-byte region [ffff8880a621d000, ffff8880a621d0c0)
> The buggy address belongs to the page:
> page:ffffea0002988740 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
> flags: 0x1fffc0000000200(slab)
> raw: 01fffc0000000200 ffffea0002981048 ffffea0002988048 ffff88812c3f0040
> raw: 0000000000000000 ffff8880a621d000 0000000100000010 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880a621cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a621d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8880a621d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ^
> ffff8880a621d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880a621d180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

--
Kees Cook

Next message: Stephen Boyd: "Re: [RFC 00/19] clk: imx: Switch the imx6 and imx7 to clk_hw based API"
Previous message: Daniel Gomez: "[PATCH v2] iio: temperature: maxim_thermocouple: declare missing of table"
Next in thread: Tycho Andersen: "Re: KASAN: use-after-free Read in seccomp_notify_release (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]