Use-after-free in ata_qc_issue

Hi!

I am working on AddressSanitizer -- a tool that detects use-after-free
and out-of-bounds bugs
(https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
Below is one of the bug reports that I got while running the trinity
syscall fuzzer. The kernel is built on revision
d8efd82eece89f8a5790b0febf17522affe9e1f1.
The report was followed by a bunch of similar use-after-free reports,
and later the kernel crashed somewhere in the ata subsystem. I've attached
the full log.


ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region
[ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
  #0      inlined     (asan_report_error+0x3e7/0x500)
asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
  #0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500)
./arch/x86/mm/asan/report.c:309
  #1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230)
./arch/x86/mm/asan/asan.c:263
  #2      inlined     (__tsan_read8+0x28/0x30) asan_check_region
./arch/x86/mm/asan/asan.c:276
  #2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
  #3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
  #4      inlined     (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs
./include/asm-generic/dma-mapping-common.h:50
  #4      inlined     (ata_qc_issue+0x2b4/0x740) ata_sg_setup
./drivers/ata/libata-core.c:4707
  #4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740)
./drivers/ata/libata-core.c:5082
  #5      inlined     (ata_scsi_queuecmd+0x249/0x620)
ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
  #5      inlined     (ata_scsi_queuecmd+0x249/0x620)
__ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
  #5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620)
./drivers/ata/libata-scsi.c:3475
  #6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
  #7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20)
./drivers/scsi/scsi_lib.c:1638
  #8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
  #9      inlined     (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued
./block/cfq-iosched.c:3908
  #9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60)
./block/cfq-iosched.c:3925
  #10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
  #11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
  #12 ffffffff81487087 (generic_make_request+0x187/0x210)
./block/blk-core.c:1831
  #13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
  #14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
  #15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
  #16      inlined     (generic_file_aio_read+0x546/0xa70)
do_generic_file_read ./mm/filemap.c:1248
  #16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
  #17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
  #18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
  #19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
  #20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a)
./arch/x86/ia32/ia32entry.S:163

freed by thread T1095 here:
  #0      inlined     (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
  #0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
  #1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
  #2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
  #3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
  #4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
  #5      inlined     (__scsi_release_buffers+0x164/0x170)
scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
  #5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170)
./drivers/scsi/scsi_lib.c:658
  #6      inlined     (scsi_io_completion+0x827/0x8e0)
scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
  #6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0)
./drivers/scsi/scsi_lib.c:995
  #7 ffffffff815edda6 (scsi_finish_command+0x176/0x210)
./drivers/scsi/scsi.c:847
  #8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
  #9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
  #10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
  #11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
  #12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
  #13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0)
./arch/x86/kernel/entry_64.S:569

previously allocated by thread T3645 here:
  #0      inlined     (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
  #0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
  #1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
  #2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
  #3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
  #4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
  #5      inlined     (scsi_init_sgtable+0x4c/0x100)
scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
  #5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100)
./drivers/scsi/scsi_lib.c:1036
  #6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
  #7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0)
./drivers/scsi/scsi_lib.c:1219
  #8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
  #9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
  #10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20)
./drivers/scsi/scsi_lib.c:1568
  #11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
  #12      inlined     (cfq_insert_request+0x60c/0xb60)
cfq_rq_enqueued ./block/cfq-iosched.c:3908
  #12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60)
./block/cfq-iosched.c:3925
  #13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
  #14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
  #15 ffffffff81487087 (generic_make_request+0x187/0x210)
./block/blk-core.c:1831

Shadow bytes around the buggy address:
  ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap redzone:          fa
  Heap kmalloc redzone:  fb
  Freed heap region:     fd
  Shadow gap:            fe

Attachment: asan1-131-1379512967.log_symb
Description: Binary data