On Tue, Dec 11, 2018 at 12:45 AM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: > > (switched to email. Please respond via emailed reply-to-all, not via the > bugzilla web interface). Looking at the reproducer this looks like a bug in sg ioctl. +block/scsi_ioctl.c maintainers > On Mon, 10 Dec 2018 10:56:31 +0000 bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote: > > > https://bugzilla.kernel.org/show_bug.cgi?id=201949 > > > > Bug ID: 201949 > > Summary: KASAN: use-after-free Read in __handle_mm_fault > > Product: Memory Management > > Version: 2.5 > > Kernel Version: 4.19-rc2,4.20-rc5,4.20-rc6 > > Hardware: All > > OS: Linux > > Tree: Mainline > > Status: NEW > > Severity: normal > > Priority: P1 > > Component: Other > > Assignee: akpm@xxxxxxxxxxxxxxxxxxxx > > Reporter: jaguo2014@xxxxxxxxxxx > > Regression: No > > > > Created attachment 279915 > > --> https://bugzilla.kernel.org/attachment.cgi?id=279915&action=edit > > poc.c > > > > Syzkaller hit 'KASAN: use-after-free Read in __handle_mm_fault' bug. > > > > ================================================================== > > BUG: KASAN: use-after-free in handle_pte_fault mm/memory.c:3744 [inline] > > BUG: KASAN: use-after-free in __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889 > > Read of size 8 at addr ffff888000048008 by task syz-executor666/2067 > > > > CPU: 0 PID: 2067 Comm: syz-executor666 Not tainted 4.20.0-rc5+ #1 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0x75/0xae lib/dump_stack.c:113 > > print_address_description+0x65/0x270 mm/kasan/report.c:256 > > kasan_report_error mm/kasan/report.c:354 [inline] > > kasan_report+0x25b/0x380 mm/kasan/report.c:412 > > handle_pte_fault mm/memory.c:3744 [inline] > > __handle_mm_fault+0x1b5d/0x1d20 mm/memory.c:3889 > > handle_mm_fault+0xfc/0x350 mm/memory.c:3926 > > do_user_addr_fault arch/x86/mm/fault.c:1423 [inline] > > __do_page_fault+0x4f4/0xaa0 arch/x86/mm/fault.c:1489 > > async_page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142 > > RIP: 0033:0x4014fd > > Code: Bad RIP value. > > RSP: 002b:00007ffdaac075f0 EFLAGS: 00010246 > > RAX: 0000000000000000 RBX: 00007ffdaac07790 RCX: 00007f6df4bee2f0 > > RDX: 0000000000000001 RSI: 00007f6df4bea270 RDI: 00007f6df4e08ae0 > > RBP: 0000000000000000 R08: 00007f6df4e08800 R09: 00007f6df4bea270 > > R10: 00007f6df4e08800 R11: 0000000000000202 R12: 0000000000000000 > > R13: 00007ffdaac07920 R14: 0000000000000000 R15: 0000000000000000 > > > > The buggy address belongs to the page: > > page:ffffea0000001200 count:0 mapcount:0 mapping:0000000000000000 index:0x0 > > flags: 0x0() > > raw: 0000000000000000 ffffea0000001208 ffffea0000001208 0000000000000000 > > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 > > page dumped because: kasan: bad access detected > > > > Memory state around the buggy address: > > ffff888000047f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > > ffff888000047f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > > >ffff888000048000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > > ^ > > ffff888000048080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > > ffff888000048100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > > ================================================================== > > > > > > Syzkaller reproducer: > > # {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:8 Sandbox: > > Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true > > EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:true > > Repro:false Trace:false} > > r0 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0) > > ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000080)={0x1, 0x0, 0x8, "ae"}) > > > > -- > > You are receiving this mail because: > > You are the assignee for the bug. > > -- > You received this message because you are subscribed to the Google Groups "kasan-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@xxxxxxxxxxxxxxxx. > To post to this group, send email to kasan-dev@xxxxxxxxxxxxxxxx. > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20181210154550.03bf3fe93944a7c786ba924d%40linux-foundation.org. > For more options, visit https://groups.google.com/d/optout.
