fs: use-after-free in link_path_walk

Hello,

The following program triggers a use-after-free in link_path_walk:
https://gist.githubusercontent.com/dvyukov/fc0da4b914d607ba8129/raw/b761243c44106d74f2173745132c82d179cbdc58/gistfile1.txt

==================================================================
BUG: KASAN: use-after-free in link_path_walk+0xe13/0x1030 at addr
ffff88005f29d6e2
Read of size 1 by task syz-executor/29494
=============================================================================
BUG kmalloc-16 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in shmem_symlink+0x18c/0x600 age=2 cpu=2 pid=29504
[<      none      >] __kmalloc_track_caller+0x28e/0x320 mm/slub.c:4068
[<      none      >] kmemdup+0x24/0x50 mm/util.c:113
[<      none      >] shmem_symlink+0x18c/0x600 mm/shmem.c:2548
[<      none      >] vfs_symlink+0x218/0x3a0 fs/namei.c:3997
[<     inline     >] SYSC_symlinkat fs/namei.c:4024
[<      none      >] SyS_symlinkat+0x1ab/0x230 fs/namei.c:4004
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in shmem_evict_inode+0xa6/0x420 age=12 cpu=2 pid=29504
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] shmem_evict_inode+0xa6/0x420 mm/shmem.c:705
[<      none      >] evict+0x22c/0x500 fs/inode.c:542
[<     inline     >] iput_final fs/inode.c:1477
[<      none      >] iput+0x45f/0x860 fs/inode.c:1504
[<      none      >] do_unlinkat+0x3c0/0x830 fs/namei.c:3939
[<     inline     >] SYSC_unlink fs/namei.c:3980
[<      none      >] SyS_unlink+0x1a/0x20 fs/namei.c:3978
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea00017ca700 objects=16 used=12 fp=0xffff88005f29d6e0
flags=0x5fffc0000004080
INFO: Object 0xffff88005f29d6e0 @offset=5856 fp=0xffff88005f29d310
CPU: 3 PID: 29494 Comm: syz-executor Tainted: G    B           4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88000056fa08 ffffffff82999e2d ffff88003e807900
 ffff88005f29d6e0 ffff88005f29c000 ffff88000056fa38 ffffffff81757354
 ffff88003e807900 ffffea00017ca700 ffff88005f29d6e0 ffff88005f29d6e2

Call Trace:
 [<ffffffff8176092e>] __asan_report_load1_noabort+0x3e/0x40
mm/kasan/report.c:292
 [<ffffffff817deb33>] link_path_walk+0xe13/0x1030 fs/namei.c:1913
 [<ffffffff817df049>] path_lookupat+0x1a9/0x450 fs/namei.c:2120
 [<ffffffff817e6aad>] filename_lookup+0x18d/0x370 fs/namei.c:2155
 [<ffffffff817e6dd0>] user_path_at_empty+0x40/0x50 fs/namei.c:2393
 [<     inline     >] user_path_at include/linux/namei.h:52
 [<ffffffff8185ab29>] do_utimes+0x209/0x280 fs/utimes.c:169
 [<     inline     >] SYSC_utimensat fs/utimes.c:200
 [<ffffffff8185ada3>] SyS_utimensat+0xd3/0x130 fs/utimes.c:185
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
