Re: [Bug 201949] New: KASAN: use-after-free Read in __handle_mm_fault

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 11, 2018 at 12:45 AM Andrew Morton
<akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).

Looking at the reproducer this looks like a bug in sg ioctl.
+block/scsi_ioctl.c maintainers

> On Mon, 10 Dec 2018 10:56:31 +0000 bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=201949
> >
> >             Bug ID: 201949
> >            Summary: KASAN: use-after-free Read in __handle_mm_fault
> >            Product: Memory Management
> >            Version: 2.5
> >     Kernel Version: 4.19-rc2,4.20-rc5,4.20-rc6
> >           Hardware: All
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: Other
> >           Assignee: akpm@xxxxxxxxxxxxxxxxxxxx
> >           Reporter: jaguo2014@xxxxxxxxxxx
> >         Regression: No
> >
> > Created attachment 279915
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=279915&action=edit
> > poc.c
> >
> > Syzkaller hit 'KASAN: use-after-free Read in __handle_mm_fault' bug.
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in handle_pte_fault mm/memory.c:3744 [inline]
> > BUG: KASAN: use-after-free in __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> > Read of size 8 at addr ffff888000048008 by task syz-executor666/2067
> >
> > CPU: 0 PID: 2067 Comm: syz-executor666 Not tainted 4.20.0-rc5+ #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x75/0xae lib/dump_stack.c:113
> >  print_address_description+0x65/0x270 mm/kasan/report.c:256
> >  kasan_report_error mm/kasan/report.c:354 [inline]
> >  kasan_report+0x25b/0x380 mm/kasan/report.c:412
> >  handle_pte_fault mm/memory.c:3744 [inline]
> >  __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889
> >  handle_mm_fault+0xfc/0x350 mm/memory.c:3926
> >  do_user_addr_fault arch/x86/mm/fault.c:1423 [inline]
> >  __do_page_fault+0x4f4/0xaa0 arch/x86/mm/fault.c:1489
> >  async_page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142
> > RIP: 0033:0x4014fd
> > Code: Bad RIP value.
> > RSP: 002b:00007ffdaac075f0 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: 00007ffdaac07790 RCX: 00007f6df4bee2f0
> > RDX: 0000000000000001 RSI: 00007f6df4bea270 RDI: 00007f6df4e08ae0
> > RBP: 0000000000000000 R08: 00007f6df4e08800 R09: 00007f6df4bea270
> > R10: 00007f6df4e08800 R11: 0000000000000202 R12: 0000000000000000
> > R13: 00007ffdaac07920 R14: 0000000000000000 R15: 0000000000000000
> >
> > The buggy address belongs to the page:
> > page:ffffea0000001200 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > flags: 0x0()
> > raw: 0000000000000000 ffffea0000001208 ffffea0000001208 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >  ffff888000047f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >  ffff888000047f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > >ffff888000048000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >                       ^
> >  ffff888000048080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >  ffff888000048100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > ==================================================================
> >
> >
> > Syzkaller reproducer:
> > # {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:8 Sandbox:
> > Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true
> > EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:true
> > Repro:false Trace:false}
> > r0 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0)
> > ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000080)={0x1, 0x0, 0x8, "ae"})
> >
> > --
> > You are receiving this mail because:
> > You are the assignee for the bug.
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@xxxxxxxxxxxxxxxx.
> To post to this group, send email to kasan-dev@xxxxxxxxxxxxxxxx.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20181210154550.03bf3fe93944a7c786ba924d%40linux-foundation.org.
> For more options, visit https://groups.google.com/d/optout.



[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux