ping? I still see this in -next.

On 04/19/2016 10:08 AM, Sasha Levin wrote:
> Hi all,
>
> I've hit the following while fuzzing with syzkaller inside a KVM tools guest
> running the latest -next kernel:
>
> [ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
> [ 1065.365256] Read of size 8 by task syz-executor/2448
> [ 1065.365272] =============================================================================
> [ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
> [ 1065.365295] -----------------------------------------------------------------------------
> [ 1065.365295]
> [ 1065.365304] Disabling lock debugging due to kernel taint
> [ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
> [ 1065.365359] __fuse_request_alloc+0x2b/0xf0
> [ 1065.365397] ___slab_alloc+0x7af/0x870
> [ 1065.365419] __slab_alloc.isra.22+0xf4/0x130
> [ 1065.365440] kmem_cache_alloc+0x188/0x2b0
> [ 1065.365467] __fuse_request_alloc+0x2b/0xf0
> [ 1065.365496] __fuse_get_req+0x3f4/0x5b0
> [ 1065.365520] fuse_get_req_for_background+0x22/0x30
> [ 1065.365546] cuse_channel_open+0x210/0x830
> [ 1065.365590] misc_open+0x42f/0x460
> [ 1065.365616] chrdev_open+0x412/0x500
> [ 1065.365641] do_dentry_open+0x6cc/0xba0
> [ 1065.365667] vfs_open+0x1da/0x1f0
> [ 1065.365694] path_openat+0x3291/0x3d10
> [ 1065.365716] do_filp_open+0x1df/0x280
> [ 1065.365732] do_sys_open+0x25c/0x440
> [ 1065.365745] SyS_open+0x2d/0x40
> [ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
> [ 1065.365772] fuse_request_free+0xa8/0xb0
> [ 1065.365784] __slab_free+0x6a/0x2f0
> [ 1065.365796] kmem_cache_free+0x257/0x2c0
> [ 1065.365809] fuse_request_free+0xa8/0xb0
> [ 1065.365823] fuse_put_request+0x2a3/0x310
> [ 1065.365836] request_end+0x66a/0x6b0
> [ 1065.365849] fuse_dev_do_write+0xa9d/0xc00
> [ 1065.365862] fuse_dev_write+0x195/0x1f0
> [ 1065.365875] __vfs_write+0x44b/0x520
> [ 1065.365888] vfs_write+0x225/0x4a0
> [ 1065.365901] SyS_write+0xe5/0x1b0
> [ 1065.365935] do_syscall_64+0x2a6/0x4a0
> [ 1065.365991] return_from_SYSCALL_64+0x0/0x6a
> [ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
> [ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
> [ 1065.366019]
> [ 1065.366019] Redzone ffff8800bad3fbb0: f0 8e 01 00 00 00 00 00 ........
> [ 1065.366019] Object ffff8800bad3fbb8: bb bb bb bb bb bb bb bb e8 f8 d3 ba 00 88 ff ff ................
> [ 1065.366019] Object ffff8800bad3fbc8: c0 fb d3 ba 00 88 ff ff d0 fb d3 ba 00 88 ff ff ................
> [ 1065.366019] Object ffff8800bad3fbd8: d0 fb d3 ba 00 88 ff ff 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fbe8: 00 00 00 00 00 00 00 00 01 03 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fbf8: 38 00 00 00 00 10 00 00 01 00 00 00 00 00 00 00 8...............
> [ 1065.366019] Object ffff8800bad3fc08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc18: c9 09 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc28: 10 00 00 00 00 00 00 00 a8 fc d3 ba 00 88 ff ff ................
> [ 1065.366019] Object ffff8800bad3fc38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc58: 18 00 00 00 fb ff ff ff 01 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc68: 03 00 00 00 02 00 00 00 48 00 00 00 00 00 00 00 ........H.......
> [ 1065.366019] Object ffff8800bad3fc78: 98 90 2f b3 01 88 ff ff 00 10 00 00 00 00 00 00 ../.............
> [ 1065.366019] Object ffff8800bad3fc88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fc98: 98 fc d3 ba 00 88 ff ff 98 fc d3 ba 00 88 ff ff ................
> [ 1065.366019] Object ffff8800bad3fca8: 07 00 00 00 18 00 00 00 00 00 00 00 01 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fcb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fcc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fcd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fce8: 00 fd d3 ba 00 88 ff ff 08 fd d3 ba 00 88 ff ff ................
> [ 1065.366019] Object ffff8800bad3fcf8: 01 00 00 00 00 00 00 00 80 d4 ec 02 00 ea ff ff ................
> [ 1065.366019] Object ffff8800bad3fd08: 00 10 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fd18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fd28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 1065.366019] Object ffff8800bad3fd38: 00 00 00 00 00 00 00 00 a0 e7 21 a5 ff ff ff ff ..........!.....
> [ 1065.366019] Redzone ffff8800bad3fd48: 00 00 00 00 00 00 00 00 ........
> [ 1065.366019] Padding ffff8800bad3fe80: b2 ad 0b 00 01 00 00 00 ........
> [ 1065.366019] CPU: 1 PID: 2448 Comm: syz-executor Tainted: G B 4.6.0-rc3-next-20160412-sasha-00024-geaec67e-dirty #3002
> [ 1065.366019] 0000000000000000 0000000014efd39a ffff8801add078b0 ffffffffa5fcce01
> [ 1065.366019] ffffffff00000001 fffffbfff61ad290 0000000041b58ab3 ffffffffb0660568
> [ 1065.366019] ffffffffa5fccc88 0000000014efd39a ffff8801b2bf4000 ffffffffb067e58e
> [ 1065.366019] Call Trace:
> [ 1065.366019] dump_stack (lib/dump_stack.c:53)
> [ 1065.366019] print_trailer (mm/slub.c:668)
> [ 1065.366019] object_err (mm/slub.c:675)
> [ 1065.366019] kasan_report_error (mm/kasan/report.c:180 mm/kasan/report.c:276)
> [ 1065.366019] __asan_report_load8_noabort (mm/kasan/report.c:319)
> [ 1065.366019] fuse_dev_do_read.constprop.5 (./arch/x86/include/asm/bitops.h:311 fs/fuse/dev.c:1320)
> [ 1065.366019] fuse_dev_read (fs/fuse/dev.c:1362)
> [ 1065.366019] __vfs_read (fs/read_write.c:467 fs/read_write.c:478)
> [ 1065.366019] vfs_read (fs/read_write.c:499)
> [ 1065.366019] SyS_pread64 (fs/read_write.c:651 fs/read_write.c:638)
> [ 1065.366019] do_syscall_64 (arch/x86/entry/common.c:350)
> [ 1065.366019] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
> [ 1065.366019] Memory state around the buggy address:
> [ 1065.366019]  ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1065.366019]  ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [ 1065.366019]                                                              ^
> [ 1065.366019]  ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 1065.366019]  ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
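Added example, not part of the thread above and not kernel code: a small Python triage script that parses a KASAN report in the format Sasha posted and decodes the "Memory state" shadow rows for the faulting access. The shadow encoding it assumes is the generic-mode KASAN layout of that era (one shadow byte per 8-byte granule, 0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE, the other poison values as in mm/kasan/kasan.h) and the fact that KASAN aligns each printed row to 16 shadow bytes; the regexes are written against the report text above and are mine, not anything KASAN or syzkaller ships. The embedded REPORT string is a constructed, trimmed copy of lines from the report. On it the script confirms what a reader can check by hand: the 8-byte read at ffff8800bad3fbf0 lands at offset 0x38 of a freed fuse_request object (shadow byte 0xfb), allocated from cuse_channel_open and freed from request_end underneath fuse_dev_do_write.

```python
import re

# Generic-mode KASAN shadow encoding (mm/kasan/kasan.h): one shadow byte per 8-byte
# granule; 0x00 = addressable, 0x01..0x07 = that many leading bytes addressable, 0xf* = poison.
SHADOW_SCALE_SHIFT = 3
GRANULE = 1 << SHADOW_SCALE_SHIFT   # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE            # a "Memory state" row shows 16 shadow bytes
POISON = {0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
          0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
          0xfa: "global redzone", 0xfe: "page redzone", 0xff: "freed page",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone",
          0xf3: "stack right redzone", 0xf4: "stack partial redzone"}
HEAD_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+)")
CACHE_RE = re.compile(r"BUG (\S+) \(")
OBJECT_RE = re.compile(r"INFO: Object 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"\]\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
ROW_RE = re.compile(r"(>?)\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s+){15}[0-9a-f]{2})\s*$")

def shadow_meaning(b):
    if b == 0:
        return "addressable"
    if b < GRANULE:
        return "partially addressable (first %d of %d bytes)" % (b, GRANULE)
    return POISON.get(b, "unknown poison 0x%02x" % b)

def parse_report(text):
    """Extract the fields a triager needs from a raw KASAN report."""
    head, acc = HEAD_RE.search(text), ACCESS_RE.search(text)
    cache, obj = CACHE_RE.search(text), OBJECT_RE.search(text)
    stacks, rows, section = {"alloc": [], "free": []}, {}, None
    for line in text.splitlines():
        if "INFO: Allocated in" in line:
            section = "alloc"
        elif "INFO: Freed in" in line:
            section = "free"
        elif "Memory state around the buggy address" in line:
            section = "state"
        elif section in stacks:            # a stack ends at the first non-frame line
            m = FRAME_RE.search(line)
            if m:
                stacks[section].append(m.group(1))
            else:
                section = None
        elif section == "state":           # the caret line simply does not match
            m = ROW_RE.search(line)
            if m:
                rows[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    return {"kind": head.group(1), "function": head.group(2),
            "addr": int(head.group(3), 16),
            "access": acc.group(1).lower(), "size": int(acc.group(2)),
            "cache": cache.group(1) if cache else None,
            "object": int(obj.group(1), 16) if obj else None,
            "alloc": stacks["alloc"], "free": stacks["free"], "rows": rows}

def shadow_for_access(report):
    """Map each 8-byte granule touched by the access to its shadow byte."""
    addr, size, rows = report["addr"], report["size"], report["rows"]
    first, last = addr >> SHADOW_SCALE_SHIFT, (addr + size - 1) >> SHADOW_SCALE_SHIFT
    out = []
    for g in range(first, last + 1):
        gaddr = g << SHADOW_SCALE_SHIFT
        base = gaddr - gaddr % ROW_BYTES   # KASAN aligns each printed row to 16 shadow bytes
        if base not in rows:
            raise ValueError("no memory-state row covers %#x" % gaddr)
        out.append((gaddr, rows[base][(gaddr - base) // GRANULE]))
    return out

def triage(text):
    """One-screen summary: what was touched, where in which object, and by whom."""
    r = parse_report(text)
    shadow = [b for _, b in shadow_for_access(r)]
    return {"kind": r["kind"], "function": r["function"], "cache": r["cache"],
            "access": "%s of %d bytes at %#x" % (r["access"], r["size"], r["addr"]),
            "offset_in_object": None if r["object"] is None else r["addr"] - r["object"],
            "shadow": shadow, "meaning": [shadow_meaning(b) for b in shadow],
            "freed_object": all(b == 0xfb for b in shadow),
            "alloc_top": r["alloc"][:3], "free_top": r["free"][:3]}

# Constructed input: a trimmed copy of lines from the report in this thread.
REPORT = """\
[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365496] __fuse_get_req+0x3f4/0x5b0
[ 1065.365546] cuse_channel_open+0x210/0x830
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.365836] request_end+0x66a/0x6b0
[ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
[ 1065.366019] Memory state around the buggy address:
[ 1065.366019]  ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1065.366019]                                                              ^
"""

if __name__ == "__main__": print(triage(REPORT))
```

Feeding it a full dmesg capture works the same way as long as the "Memory state" section is present; the byte under the caret is recomputed from the faulting address rather than read from the caret line, which is the check you want when a report has been re-wrapped in transit.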