Hi,
We use our modified Syzkaller to fuzz the Linux kernel and found the following issue.
Head Commit: 4c893ff55907c61456bcb917781c0dd687a1e123
Git Tree: stable
Kernel config: https://pastebin.com/raw/BiggLxRg
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: lanyang0908@xxxxxxxxx
I guess that it is possibly caused by a race condition?
Firstly, fb_videomode_to_var+0x2fc corresponds to the field "xres" in struct fb_videomode. Although the system already checks whether the mode object is NULL before converting fb_videomode to fb_var_screeninfo, is it possible that this object is freed by another thread at this moment?
What do you think?
Related source code:
static int fbcon_resize(struct vc_data *vc, unsigned int width,
                        unsigned int height, unsigned int user)
{
        ...
        mode = fb_find_best_mode(&var, &info->modelist);
        if (mode == NULL)
                return -EINVAL;
        display_to_var(&var, p);
        fb_videomode_to_var(&var, mode);
        ...
}
void fb_videomode_to_var(struct fb_var_screeninfo *var,
                         const struct fb_videomode *mode)
{
        var->xres = mode->xres;
        ...
}
Crash log:
==================================================================
BUG: KASAN: use-after-free in fb_videomode_to_var+0x2fc/0x5d0
Read of size 4 at addr ffff8880495c661c by task syz-executor.4/16705
CPU: 1 PID: 16705 Comm: syz-executor.4 Not tainted 5.10.180+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x172/0x21e
? stack_trace_save+0x107/0x1e0
? show_regs_print_info+0x12/0x12
? printk+0xc0/0x103
print_address_description+0x66/0x640
? log_buf_vmcoreinfo_setup+0x45d/0x45d
? _raw_spin_lock_irqsave+0xbf/0x100
? stack_trace_save+0x107/0x1e0
? stack_trace_snprint+0xe0/0xe0
kasan_report+0x141/0x1f0
? fb_videomode_to_var+0x2fc/0x5d0
? fb_videomode_to_var+0x2fc/0x5d0
? fbcon_resize+0x627/0x17f0
? fbcon_copy_font+0x130/0x130
? __kmalloc+0x224/0x300
? kzalloc+0x1d/0x40
? fbcon_copy_font+0x130/0x130
? vc_do_resize+0x7b7/0x18f0
? vc_resize+0x50/0x50
? _raw_spin_unlock_irqrestore+0x2e/0x60
? lockdep_hardirqs_on+0x90/0x140
? vt_ioctl+0x32f1/0x3ff0
? mark_lock+0x1ac/0x1dc0
? __vt_event_wait+0x230/0x230
? __bfs+0x660/0x660
? __bfs+0x660/0x660
? trace_lock_acquire+0x1a0/0x1a0
? rcu_read_lock_sched_held+0x87/0x110
? __bpf_trace_rcu_utilization+0x10/0x10
? __lock_acquire+0x1264/0x2b10
? __lock_acquire+0x1264/0x2b10
? trace_lock_acquire+0x1a0/0x1a0
? tty_ioctl+0xf2a/0x1700
? tty_do_resize+0x180/0x180
? rcu_lock_release+0x9/0x20
? __lock_acquire+0x2b10/0x2b10
? __fget_files+0x37c/0x3b0
? __fdget+0x18f/0x210
? tty_do_resize+0x180/0x180
? __x64_sys_ioctl+0x119/0x190
? do_syscall_64+0x74/0xc0
? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 7679:
__kasan_kmalloc+0x102/0x140
__kmalloc_node+0x262/0x380
kvmalloc_node+0x81/0x110
alloc_fdtable+0x151/0x260
dup_fd+0x880/0xd00
copy_process+0x1b66/0x5e80
The buggy address belongs to the object at ffff8880495c6600
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 28 bytes inside of
96-byte region [ffff8880495c6600, ffff8880495c6660)
The buggy address belongs to the page:
page:0000000005617347 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880495c6c80 pfn:0x495c6
flags: 0x4fff00000000200(slab)
raw: 04fff00000000200 ffffea0000629680 0000000200000002 ffff88800ec41780
raw: ffff8880495c6c80 000000008020001c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)
prep_new_page+0x16/0xa0
get_page_from_freelist+0xa3d/0xcb0
__alloc_pages_nodemask+0x225/0x580
allocate_slab+0xb4/0x520
___slab_alloc+0x1df/0x330
kmem_cache_alloc_trace+0x288/0x2c0
__hw_addr_sync+0x3c0/0xb30
dev_mc_sync+0xdb/0x1a0
vlan_dev_set_rx_mode+0x47/0x70
__dev_mc_add+0x3ed/0x510
igmp6_group_added+0x1a0/0x880
__ipv6_dev_mc_inc+0x8c1/0xb60
addrconf_dad_work+0x3f2/0x2040
process_one_work+0x83b/0x10a0
worker_thread+0xa94/0x1440
kthread+0x3af/0x3d0
page last free stack trace:
free_pcp_prepare+0x1dc/0x410
free_unref_page+0x6a/0x220
tlb_remove_table_rcu+0x78/0xf0
rcu_core+0x81a/0x1190
__do_softirq+0x376/0x72b
asm_call_irq_on_stack+0xf/0x20
Memory state around the buggy address:
ffff8880495c6500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff8880495c6580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8880495c6600: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8880495c6680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
ffff8880495c6700: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 16705 Comm: syz-executor.4 Tainted: G B 5.10.180+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x172/0x21e
? log_buf_vmcoreinfo_setup+0x45d/0x45d
? show_regs_print_info+0x12/0x12
? __irq_exit_rcu+0xc5/0x260
? irq_exit_rcu+0x20/0x20
panic+0x2b6/0x7d0
? schedule_preempt_disabled+0x20/0x20
? trace_hardirqs_on+0x32/0x80
? nmi_panic+0x80/0x80
? preempt_schedule_thunk+0x16/0x18
? trace_hardirqs_on+0x32/0x80
kasan_report+0x1e5/0x1f0
? fb_videomode_to_var+0x2fc/0x5d0
? fb_videomode_to_var+0x2fc/0x5d0
? fbcon_resize+0x627/0x17f0
? fbcon_copy_font+0x130/0x130
? __kmalloc+0x224/0x300
? kzalloc+0x1d/0x40
? fbcon_copy_font+0x130/0x130
? vc_do_resize+0x7b7/0x18f0
? vc_resize+0x50/0x50
? _raw_spin_unlock_irqrestore+0x2e/0x60
? lockdep_hardirqs_on+0x90/0x140
? vt_ioctl+0x32f1/0x3ff0
? mark_lock+0x1ac/0x1dc0
? __vt_event_wait+0x230/0x230
? __bfs+0x660/0x660
? __bfs+0x660/0x660
? trace_lock_acquire+0x1a0/0x1a0
? rcu_read_lock_sched_held+0x87/0x110
? __bpf_trace_rcu_utilization+0x10/0x10
? __lock_acquire+0x1264/0x2b10
? __lock_acquire+0x1264/0x2b10
? trace_lock_acquire+0x1a0/0x1a0
? tty_ioctl+0xf2a/0x1700
? tty_do_resize+0x180/0x180
? rcu_lock_release+0x9/0x20
? __lock_acquire+0x2b10/0x2b10
? __fget_files+0x37c/0x3b0
? __fdget+0x18f/0x210
? tty_do_resize+0x180/0x180
? __x64_sys_ioctl+0x119/0x190
? do_syscall_64+0x74/0xc0
? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Kernel Offset: disabled
Rebooting in 86400 seconds..
Best regards,
Yang
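As an added triage aid (not part of this mail or of the kernel tree), a Python parser that pulls the key facts out of a KASAN splat like the one above: it cross-checks the faulting address against the object base, separates frames the unwinder marked with "?" from reliable ones, and reduces the allocation stack to its first non-allocator frame so you can see what the slab object last held. The sample input is cut from the report quoted in this mail; on it the freed kmalloc-96 object turns out to have been last allocated by alloc_fdtable rather than by framebuffer mode code, which is worth keeping in mind when weighing the race theory.

```python
import re
# Constructed sample: lines taken from the KASAN report in this mail, cut down to those the parser consumes.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in fb_videomode_to_var+0x2fc/0x5d0
Read of size 4 at addr ffff8880495c661c by task syz-executor.4/16705
Call Trace:
dump_stack+0x172/0x21e
kasan_report+0x141/0x1f0
? fb_videomode_to_var+0x2fc/0x5d0
Allocated by task 7679:
__kasan_kmalloc+0x102/0x140
alloc_fdtable+0x151/0x260
dup_fd+0x880/0xd00
The buggy address belongs to the object at ffff8880495c6600
The buggy address is located 28 bytes inside of
"""
FRAME_RE = re.compile(r"^(\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
FACT_RES = {  # one fact per line, captured as a string
    "kind": re.compile(r"BUG: KASAN: (\S+) in"),
    "func": re.compile(r"BUG: KASAN: \S+ in (\w+)\+"),
    "addr": re.compile(r"of size \d+ at addr ([0-9a-f]+)"),
    "object_base": re.compile(r"object at ([0-9a-f]+)"),
    "stated_offset": re.compile(r"located (\d+) bytes inside"),
}
ALLOCATOR = ("__kasan", "__kmalloc", "kmalloc", "kvmalloc", "kmem_cache")

def parse_kasan_report(text):
    # Collect the header facts plus the access stack and the allocation stack.
    info = {"trace": [], "alloc_stack": []}
    section = None  # stack currently being collected, if any
    for line in (ln.strip() for ln in text.splitlines()):
        m = FRAME_RE.match(line)
        if section and m:  # a leading "? " marks a frame the unwinder only guessed
            info[section].append((m.group(2), m.group(1) is None))
            continue
        section = ("trace" if line == "Call Trace:" else
                   "alloc_stack" if line.startswith("Allocated by task") else None)
        for key, rx in FACT_RES.items():
            if m := rx.search(line):
                info[key] = m.group(1)
    return info

def triage(info):
    # Cross-check the splat before opening the source.
    offset = int(info["addr"], 16) - int(info["object_base"], 16)
    return {
        "offset_in_object": offset,
        "offset_matches_report": offset == int(info["stated_offset"]),
        "reliable_frames": [f for f, ok in info["trace"] if ok],
        # First non-allocator frame in the allocation stack: what the slab object last held.
        "alloc_site": next((f for f, _ in info["alloc_stack"] if not f.startswith(ALLOCATOR)), None),
    }
```

Feed the full report text to parse_kasan_report() to get the same fields from a real splat; only the sections shown in the sample are consumed.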