Syzkaller found a bug: KASAN: use-after-free Write in put_pmu_ctx

From: Sanan Hasanov
Date: Thu Dec 22 2022 - 12:40:20 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel branch: 6.1.0-rc7-next-20221201

Config file: https://drive.google.com/file/d/1JutR21cgcf28flJVyLqDniNyrExMsSn_/view?usp=sharing

Reproducer file: https://drive.google.com/file/d/1X31x8w4ULrtP_YnkD7_RCyW7FlwGewMR/view?usp=sharing

Thank you!

==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x7d/0xf0
Write of size 4 at addr ffff88810327d800 by task syz-executor.0/24706

CPU: 2 PID: 24706 Comm: syz-executor.0 Not tainted 6.1.0-rc7-next-20221201 #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x6a
print_report+0x16f/0x4a6
kasan_report+0xb7/0x130
kasan_check_range+0x143/0x1d0
_raw_spin_lock_irqsave+0x7d/0xf0
put_pmu_ctx+0x9d/0x360
_free_event+0x2b5/0xfb0
free_event+0x42/0xa0
__do_sys_perf_event_open+0x4c3/0x1c90
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fd03b442dcd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd03abb2bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fd03b56ff80 RCX: 00007fd03b442dcd
RDX: 0000000000000000 RSI: 000000000000082a RDI: 0000000020000140
RBP: 00007fd03b4b059c R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf64779df R14: 00007ffcf6477b80 R15: 00007fd03abb2d80
</TASK>

Allocated by task 24706:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
__kasan_kmalloc+0x82/0x90
alloc_perf_context+0x43/0x350
find_get_context+0xaf/0x5d0
__do_sys_perf_event_open+0x6ce/0x1c90
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 4352:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
__kasan_slab_free+0x10e/0x1a0
__kmem_cache_free+0x7a/0x1a0
rcu_core+0x59e/0x17f0
__do_softirq+0x195/0x57b

Last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0x820
put_ctx+0xe9/0x190
perf_event_exit_task+0x3ce/0x540
do_exit+0x8a5/0x2680
do_group_exit+0xb7/0x260
get_signal+0x1a0a/0x1b00
arch_do_signal_or_restart+0x79/0x6b0
exit_to_user_mode_prepare+0xd8/0x120
syscall_exit_to_user_mode+0x21/0x50
do_syscall_64+0x4c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc

Second to last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
kvfree_call_rcu+0x2f/0x780
drop_sysctl_table+0x27e/0x340
unregister_sysctl_table+0xa7/0x180
neigh_sysctl_unregister+0x5f/0x80
inetdev_event+0x47f/0x1280
raw_notifier_call_chain+0xa6/0xf0
call_netdevice_notifiers_info+0x97/0x100
unregister_netdevice_many_notify+0x884/0x13b0
default_device_exit_batch+0x3f4/0x530
ops_exit_list.isra.0+0x102/0x150
cleanup_net+0x443/0x840
process_one_work+0x861/0x11c0
worker_thread+0x54d/0x1140
kthread+0x28e/0x340
ret_from_fork+0x2c/0x50

The buggy address belongs to the object at ffff88810327d800
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
256-byte region [ffff88810327d800, ffff88810327d900)

The buggy address belongs to the physical page:
page:00000000427018d3 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810327ca00 pfn:0x10327c
head:00000000427018d3 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
anon flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100042b40 ffffea00042bda00 dead000000000003
raw: ffff88810327ca00 000000008020001a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810327d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810327d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810327d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810327d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810327d900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Best regards,
Sanan Hasanov.
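Added example for reading the "Memory state" block of the report above; it is not part of the e-mail, of syzkaller, or of klocalizer. It decodes the shadow bytes the way generic KASAN (mm/kasan/kasan.h and mm/kasan/report.c) assigns them: one shadow byte per 8-byte granule, 00 fully addressable, 01..07 partially addressable, fa/fb a freed slab object (fa is the first granule, which also holds the free track), fc the slab redzone. The embedded REPORT string is copied from the dump above; the OOB shadow map in the usage note is constructed. Function and variable names are this example's own.

```python
"""Decode the shadow-memory dump of a generic-KASAN (x86) report."""
import re

GRANULE = 8  # bytes of kernel memory described by one shadow byte (generic KASAN)

# Poison value -> bug type that mm/kasan/report.c prints for an access hitting it.
SHADOW_BUG_TYPE = {
    0xFA: "use-after-free",         # KASAN_SLAB_FREETRACK: first granule of a freed object
    0xFB: "use-after-free",         # KASAN_SLAB_FREE
    0xFF: "use-after-free",         # KASAN_PAGE_FREE
    0xFC: "slab-out-of-bounds",     # KASAN_SLAB_REDZONE
    0xFE: "slab-out-of-bounds",     # KASAN_PAGE_REDZONE (kmalloc_large)
    0xF9: "global-out-of-bounds",   # KASAN_GLOBAL_REDZONE
    0xF1: "stack-out-of-bounds",    # KASAN_STACK_LEFT
    0xF2: "stack-out-of-bounds",    # KASAN_STACK_MID
    0xF3: "stack-out-of-bounds",    # KASAN_STACK_RIGHT
    0xF4: "stack-out-of-bounds",    # KASAN_STACK_PARTIAL
    0xCA: "alloca-out-of-bounds",   # KASAN_ALLOCA_LEFT
    0xCB: "alloca-out-of-bounds",   # KASAN_ALLOCA_RIGHT
    0xF8: "vmalloc-out-of-bounds",  # KASAN_VMALLOC_INVALID
}
FREED = {0xFA, 0xFB}

# "ffff88810327d700: fc fc ..." rows (the buggy row is prefixed with '>')
STATE_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")

# Copied from the report above (header line plus the Memory state block).
REPORT = """
Write of size 4 at addr ffff88810327d800 by task syz-executor.0/24706
Memory state around the buggy address:
 ffff88810327d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810327d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810327d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810327d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810327d900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_memory_state(report):
    """Map each granule start to its shadow byte. The addresses printed in the
    dump are real kernel addresses; each row covers 16 granules (128 bytes)."""
    shadow = {}
    for line in report.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def classify_access(shadow, addr, size):
    """Walk the granules an access touches, as kasan_check_range does, and
    return the bug type of the first poisoned byte, or None if all is addressable."""
    a, end = addr, addr + size
    while a < end:
        granule = a & ~(GRANULE - 1)
        val = shadow[granule]  # KeyError: address outside the dumped window
        addressable = GRANULE if val == 0 else (val if val < GRANULE else 0)
        last = min(end, granule + GRANULE) - 1 - granule  # last offset touched here
        if last >= addressable:
            if 0 < val < GRANULE:
                # partial granule: like report.c, the next shadow byte names the redzone
                val = shadow.get(granule + GRANULE, val)
            return SHADOW_BUG_TYPE.get(val, "out-of-bounds")
        a = granule + GRANULE
    return None


def freed_extent(shadow, addr):
    """[start, end) of the contiguous freed-object poison around addr, or None."""
    g = addr & ~(GRANULE - 1)
    if shadow.get(g) not in FREED:
        return None
    start, end = g, g + GRANULE
    while shadow.get(start - GRANULE) in FREED:
        start -= GRANULE
    while shadow.get(end) in FREED:
        end += GRANULE
    return start, end


def triage(report):
    """Cross-check the report's access line against its own shadow dump."""
    kind, size, addr = ACCESS_RE.search(report).groups()
    shadow = parse_memory_state(report)
    addr, size = int(addr, 16), int(size)
    return {"kind": kind, "size": size, "addr": addr,
            "bug_type": classify_access(shadow, addr, size),
            "freed_region": freed_extent(shadow, addr)}


if __name__ == "__main__":
    print(triage(REPORT))
```

For the dump above, triage() reports a 4-byte write at the first granule of a freed kmalloc-256 object whose poison runs exactly over [ffff88810327d800, ffff88810327d900), which agrees with the "0 bytes inside of 256-byte region" line and with the fa/fb poison ending at the fc redzone of the neighbouring object. Constructed maps such as {0x1000: 0x00, 0x1008: 0x04, 0x1010: 0xFC} (a partially addressable tail granule followed by a redzone) let classify_access distinguish an in-bounds access from a slab-out-of-bounds one in the same way.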