Oh, I also reproduced it in 6.13-rc1, but it is more difficult to have this problem than in 6.12.

ZachWade <zachwade.k@xxxxxxxxx> wrote on Tue, Dec 3, 2024 at 12:03:
>
> Hi, linux kernel crypto maintainers
> I encountered a report from UAF kasan on the 6.12 kernel.
> It happened when executing the ltp example (./testcases/bin/pcrypt_aead01)
> https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/crypto/pcrypt_aead01.c
> This problem is very easy to reproduce in v6.12
>
> While I was trying to solve it, I pulled the latest code, and now I am on 6.13-rc1.
>
> This problem no longer occurs; I don't know what happened, and I didn't see any
> commits that solved my problem when I looked at the commits. I am curious whether
> this problem has been solved.
>
> Attached is the kasan report:
> [ 50.449417] ==================================================================
> [ 50.449427] BUG: KASAN: slab-use-after-free in padata_find_next+0x2d6/0x3f0
> [ 50.449443] Read of size 4 at addr ffff88881b726424 by task kworker/u157:1/775
> [ 50.449451]
> [ 50.449457] CPU: 28 UID: 0 PID: 775 Comm: kworker/u157:1 Kdump: loaded Tainted: G E 6.12.0+ #35
> [ 50.449470] Tainted: [E]=UNSIGNED_MODULE
> [ 50.449474] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
> [ 50.449481] Workqueue: pdecrypt_parallel padata_parallel_worker
> [ 50.449492] Call Trace:
> [ 50.449496] <TASK>
> [ 50.449501] dump_stack_lvl+0x5d/0x80
> [ 50.449513] ? padata_find_next+0x2d6/0x3f0
> [ 50.449520] print_report+0x174/0x505
> [ 50.449532] ? __pfx_rt_spin_lock+0x10/0x10
> [ 50.449542] ? padata_find_next+0x2d6/0x3f0
> [ 50.449548] kasan_report+0xe0/0x160
> [ 50.449559] ? padata_find_next+0x2d6/0x3f0
> [ 50.449566] padata_find_next+0x2d6/0x3f0
> [ 50.449572] ? queue_work_on+0x4c/0x80
> [ 50.449585] padata_reorder+0x1cc/0x400
> [ 50.449593] padata_parallel_worker+0x70/0x160
> [ 50.449600] process_one_work+0x646/0xeb0
> [ 50.449609] worker_thread+0x619/0x10e0
> [ 50.449617] ? __kthread_parkme+0x86/0x140
> [ 50.449626] ? __pfx_worker_thread+0x10/0x10
> [ 50.449633] kthread+0x28d/0x350
> [ 50.449640] ? recalc_sigpending+0x12e/0x1b0
> [ 50.449651] ? __pfx_kthread+0x10/0x10
> [ 50.449658] ret_from_fork+0x31/0x70
> [ 50.449668] ? __pfx_kthread+0x10/0x10
> [ 50.449675] ret_from_fork_asm+0x1a/0x30
> [ 50.449686] </TASK>
> [ 50.449690]
> [ 50.449692] Allocated by task 12827:
> [ 50.449698] kasan_save_stack+0x30/0x50
> [ 50.449705] kasan_save_track+0x14/0x30
> [ 50.449711] __kasan_kmalloc+0xaa/0xb0
> [ 50.449717] padata_alloc_pd+0x69/0x9f0
> [ 50.449722] padata_alloc_shell+0x82/0x210
> [ 50.449728] pcrypt_create+0x13b/0x7a0 [pcrypt]
> [ 50.449738] cryptomgr_probe+0x8d/0x230
> [ 50.449747] kthread+0x28d/0x350
> [ 50.449753] ret_from_fork+0x31/0x70
> [ 50.449760] ret_from_fork_asm+0x1a/0x30
> [ 50.449766]
> [ 50.449768] Freed by task 154:
> [ 50.449772] kasan_save_stack+0x30/0x50
> [ 50.449778] kasan_save_track+0x14/0x30
> [ 50.449784] kasan_save_free_info+0x3b/0x70
> [ 50.449793] __kasan_slab_free+0x4f/0x70
> [ 50.449800] kfree+0x119/0x440
> [ 50.449808] padata_free_shell+0x262/0x320
> [ 50.449814] pcrypt_free+0x43/0x90 [pcrypt]
> [ 50.449821] crypto_destroy_instance_workfn+0x79/0xc0
> [ 50.449832] process_one_work+0x646/0xeb0
> [ 50.449837] worker_thread+0x619/0x10e0
> [ 50.449842] kthread+0x28d/0x350
> [ 50.449848] ret_from_fork+0x31/0x70
> [ 50.449855] ret_from_fork_asm+0x1a/0x30
> [ 50.449862]
> [ 50.449863] The buggy address belongs to the object at ffff88881b726400 which belongs to the cache kmalloc-192 of size 192
> [ 50.449870] The buggy address is located 36 bytes inside of freed 192-byte region [ffff88881b726400, ffff88881b7264c0)
> [ 50.449878]
> [ 50.449880] The buggy address belongs to the physical page:
> [ 50.449884] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81b726
> [ 50.449892] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 50.449898] flags: 0x50000000000040(head|node=1|zone=2)
> [ 50.449906] page_type: f5(slab)
> [ 50.449914] raw: 0050000000000040 ffff88810004c3c0 dead000000000122 0000000000000000
> [ 50.449922] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
> [ 50.449928] head: 0050000000000040 ffff88810004c3c0 dead000000000122 0000000000000000
> [ 50.449934] head: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
> [ 50.449939] head: 0050000000000001 ffffea00206dc981 ffffffffffffffff 0000000000000000
> [ 50.449945] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
> [ 50.449948] page dumped because: kasan: bad access detected
> [ 50.449951]
> [ 50.449953] Memory state around the buggy address:
> [ 50.449957] ffff88881b726300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 50.449963] ffff88881b726380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [ 50.449967] >ffff88881b726400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 50.449971] ^
> [ 50.449975] ffff88881b726480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [ 50.449979] ffff88881b726500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 50.449982] ==================================================================
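As an added triage helper that is not part of this thread, the following Python parses the KASAN report quoted above into the facts a reviewer checks first: the bug kind and faulting frame, the task that made the bad access, the allocating and freeing tasks with their stacks, and the freed object's address range, and it recomputes the report's "36 bytes inside" from the addresses as a cross-check. The sample input is an excerpt of the quoted report with most frames trimmed; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
# Excerpt of the KASAN report quoted above (most frames and blank lines trimmed).
SAMPLE_REPORT = """\
[ 50.449427] BUG: KASAN: slab-use-after-free in padata_find_next+0x2d6/0x3f0
[ 50.449443] Read of size 4 at addr ffff88881b726424 by task kworker/u157:1/775
[ 50.449692] Allocated by task 12827:
[ 50.449717] padata_alloc_pd+0x69/0x9f0
[ 50.449722] padata_alloc_shell+0x82/0x210
[ 50.449728] pcrypt_create+0x13b/0x7a0 [pcrypt]
[ 50.449768] Freed by task 154:
[ 50.449800] kfree+0x119/0x440
[ 50.449808] padata_free_shell+0x262/0x320
[ 50.449814] pcrypt_free+0x43/0x90 [pcrypt]
[ 50.449870] The buggy address is located 36 bytes inside of freed 192-byte region [ffff88881b726400, ffff88881b7264c0)
"""
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")  # dmesg "[ 50.449427] " prefix

@dataclass
class KasanReport:
    bug: str = ""           # e.g. slab-use-after-free
    func: str = ""          # faulting frame from the BUG line
    access: str = ""        # Read or Write
    size: int = 0
    addr: int = 0
    task: str = ""          # task that performed the bad access
    region: tuple = (0, 0)  # [start, end) of the freed object
    alloc: dict = field(default_factory=dict)  # {"task": pid, "frames": [symbols]}
    free: dict = field(default_factory=dict)

def parse_kasan(text):
    r, stack = KasanReport(), None  # stack: the alloc/free block being filled
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            stack = r.alloc if m.group(1) == "Allocated" else r.free
            stack.update(task=m.group(2), frames=[])
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.region, stack = (int(m.group(1), 16), int(m.group(2), 16)), None
        elif stack is not None and re.match(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+", line):
            stack["frames"].append(line.split("+")[0])  # symbol only, drop offset/module
    return r
def offset_in_region(r):  # bytes into the freed object, or None if outside it
    lo, hi = r.region
    return r.addr - lo if lo <= r.addr < hi else None
```

Feeding it a full dmesg capture works the same way, since lines it does not recognise are skipped; a non-None offset confirms the access really landed inside the freed object rather than in a neighbouring slab.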