KASAN: use-after-free Read in mntput

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

syzbot found the following crash on:

HEAD commit:    d1fdb6d8 Linux 5.2-rc4
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12b30acaa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fa9f7e1b6a8bb586
dashboard link: https://syzkaller.appspot.com/bug?extid=99de05d099a170867f22
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1114dc46a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17eade6aa00000

The bug was bisected to:

commit 9c8ad7a2ff0bfe58f019ec0abc1fb965114dde7d
Author: David Howells <dhowells@xxxxxxxxxx>
Date:   Thu May 16 11:52:27 2019 +0000

    uapi, x86: Fix the syscall numbering of the mount API syscalls [ver #2]

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15c9f91ea00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=17c9f91ea00000
console output: https://syzkaller.appspot.com/x/log.txt?x=13c9f91ea00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+99de05d099a170867f22@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 9c8ad7a2ff0b ("uapi, x86: Fix the syscall numbering of the mount API syscalls [ver #2]")

==================================================================
BUG: KASAN: use-after-free in mntput+0x91/0xa0 fs/namespace.c:1207
Read of size 4 at addr ffff88808f661124 by task syz-executor817/8955

CPU: 1 PID: 8955 Comm: syz-executor817 Not tainted 5.2.0-rc4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 mntput+0x91/0xa0 fs/namespace.c:1207
 path_put+0x50/0x70 fs/namei.c:483
 free_fs_struct+0x25/0x70 fs/fs_struct.c:91
 exit_fs+0xf0/0x130 fs/fs_struct.c:108
 do_exit+0x8e0/0x2fa0 kernel/exit.c:873
 do_group_exit+0x135/0x370 kernel/exit.c:981
 __do_sys_exit_group kernel/exit.c:992 [inline]
 __se_sys_exit_group kernel/exit.c:990 [inline]
 __ia32_sys_exit_group+0x44/0x50 kernel/exit.c:990
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f16849
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffe4f85c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080ed2b8
RDX: 0000000000000000 RSI: 00000000080d71fc RDI: 00000000080ed2c0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8955:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3326 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
 kmem_cache_zalloc include/linux/slab.h:732 [inline]
 alloc_vfsmnt+0x28/0x780 fs/namespace.c:182
 vfs_create_mount+0x96/0x500 fs/namespace.c:961
 __do_sys_fsmount fs/namespace.c:3423 [inline]
 __se_sys_fsmount fs/namespace.c:3340 [inline]
 __ia32_sys_fsmount+0x584/0xc80 fs/namespace.c:3340
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 16:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3698
 free_vfsmnt+0x6f/0x90 fs/namespace.c:559
 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:564
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2092 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline]
 rcu_core+0xba5/0x1500 kernel/rcu/tree.c:2291
 __do_softirq+0x25c/0x94c kernel/softirq.c:292

The buggy address belongs to the object at ffff88808f661000
 which belongs to the cache mnt_cache of size 432
The buggy address is located 292 bytes inside of
 432-byte region [ffff88808f661000, ffff88808f6611b0)
The buggy address belongs to the page:
page:ffffea00023d9840 refcount:1 mapcount:0 mapping:ffff8880aa594940 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002a35e08 ffffea00022a3f08 ffff8880aa594940
raw: 0000000000000000 ffff88808f661000 0000000100000008 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808f661000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808f661080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808f661100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88808f661180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88808f661200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux