We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version of syzkaller).
The bug happened when accessing a freed instance of struct fsg_dev (i.e., fsg->bulk_in) in do_set_interface() (line 2245).

==================================================================
BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245
Read of size 8 at addr ffff88806bc940f8 by task file-storage/2063

CPU: 3 PID: 2063 Comm: file-storage Not tainted 5.8.13 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa7/0xea lib/dump_stack.c:118
 print_address_description.constprop.8+0x3f/0x60 mm/kasan/report.c:383
 kasan_report.cold.11+0x20/0x37 mm/kasan/report.c:513
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:146
 do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245
 do_set_interface drivers/usb/gadget/function/f_mass_storage.c:2202 [inline]
 handle_exception drivers/usb/gadget/function/f_mass_storage.c:2426 [inline]
 fsg_main_thread+0x12c7/0x59f1 drivers/usb/gadget/function/f_mass_storage.c:2466
 kthread+0x374/0x480 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 1910:
 save_stack+0x21/0x50 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.6+0xc7/0xd0 mm/kasan/common.c:467
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508
 kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851
 kzalloc ./include/linux/slab.h:555 [inline]
 fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3a0 drivers/usb/gadget/configfs.c:435
 configfs_symlink+0x4f5/0xf10 fs/configfs/symlink.c:202
 vfs_symlink fs/namei.c:3953 [inline]
 vfs_symlink+0x304/0x540 fs/namei.c:3939
 do_symlinkat+0x104/0x1a0 fs/namei.c:3980
 __do_sys_symlinkat fs/namei.c:3994 [inline]
 __se_sys_symlinkat fs/namei.c:3991 [inline]
 __x64_sys_symlinkat+0x6e/0xb0 fs/namei.c:3991
 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 2072:
 save_stack+0x21/0x50 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x139/0x190 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:464
 slab_free_hook mm/slub.c:1474 [inline]
 slab_free_freelist_hook mm/slub.c:1507 [inline]
 slab_free mm/slub.c:3072 [inline]
 kfree+0xef/0x3d0 mm/slub.c:4052
 fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408
 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
 config_usb_cfg_unlink+0x2e9/0x3a0 drivers/usb/gadget/configfs.c:476
 configfs_unlink+0x379/0x77e fs/configfs/symlink.c:250
 vfs_unlink+0x241/0x550 fs/namei.c:3825
 do_unlinkat+0x3e7/0x610 fs/namei.c:3889
 __do_sys_unlink fs/namei.c:3936 [inline]
 __se_sys_unlink fs/namei.c:3934 [inline]
 __x64_sys_unlink+0x3d/0x50 fs/namei.c:3934
 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88806bc94000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 248 bytes inside of
 512-byte region [ffff88806bc94000, ffff88806bc94200)
The buggy address belongs to the page:
page:ffffea0001af2500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0001af2500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c40e580
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806bc93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806bc94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806bc94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff88806bc94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806bc94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Regards,
Kyungtae Kim
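A small triage helper for the splat above, added here as an example and not part of the original report or of FuzzUSB/syzkaller: it pulls the access, the allocating and freeing tasks and the first driver-level frame out of each stack, and cross-checks KASAN's printed "248 bytes inside" against addr minus object base. The embedded REPORT is a trimmed copy of the lines quoted above; the INFRA filter list is my own choice of frames to skip.

```python
import re

# Constructed sample: the key lines of the KASAN splat quoted in the mail above.
REPORT = """\
BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245
Read of size 8 at addr ffff88806bc940f8 by task file-storage/2063
Call Trace:
 do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245
Allocated by task 1910:
 kzalloc ./include/linux/slab.h:555 [inline]
 fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417
Freed by task 2072:
 kfree+0xef/0x3d0 mm/slub.c:4052
 fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408
The buggy address belongs to the object at ffff88806bc94000
The buggy address is located 248 bytes inside of
 512-byte region [ffff88806bc94000, ffff88806bc94200)
"""

INFRA = ("mm/kasan/", "mm/slub.c", "lib/dump_stack.c", "./include/linux/slab.h")  # plumbing, not the bug

def subsystem_frame(report, header):
    """Bare symbol of the first frame under `header` whose file is outside INFRA."""
    block = re.search(re.escape(header) + r"[^\n]*\n((?: [^\n]*\n)+)", report)
    for frame in block.group(1).splitlines():
        sym, path = frame.split()[:2]
        if not path.startswith(INFRA):
            return sym.split("+")[0].split(".")[0]  # drop offset and GCC clone suffix

def parse_kasan(report):
    """Extract the facts a triager needs and cross-check KASAN's own arithmetic."""
    def g(pat): return re.search(pat, report).groups()
    bug, site = g(r"BUG: KASAN: (\S+) in \S+ (\S+)")
    kind, size, addr, pid = g(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
    (obj,) = g(r"object at ([0-9a-f]+)")
    off, region = g(r"located (\d+) bytes inside of\s+(\d+)-byte region")
    (alloc_pid,), (free_pid,) = g(r"Allocated by task (\d+)"), g(r"Freed by task (\d+)")
    addr, obj = int(addr, 16), int(obj, 16)
    return {
        "bug": bug, "site": site, "access": kind.lower(), "size": int(size),
        "addr": addr, "object": obj, "offset": addr - obj, "region": int(region),
        # KASAN's printed "N bytes inside" must agree with addr - object base.
        "offset_consistent": addr - obj == int(off),
        "access_fn": subsystem_frame(report, "Call Trace:"),
        "alloc_fn": subsystem_frame(report, "Allocated by task"),
        "free_fn": subsystem_frame(report, "Freed by task"),
        # Three distinct tasks (accessor, allocator, freer) point at a lifetime race.
        "pids": (int(pid), int(alloc_pid), int(free_pid)),
        "cross_task": len({pid, alloc_pid, free_pid}) == 3,
    }
```

For this report the helper yields access in do_set_interface, allocation in fsg_alloc, free in fsg_free, offset 248 of a 512-byte object, and three distinct tasks, which is the signature of the configfs symlink/unlink lifetime racing the gadget's kernel thread.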