Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")

On Tue, Apr 16, 2019 at 01:29:59PM -0700, Zubin Mithra wrote:
Hello,

Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.

Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc8/0x129 lib/dump_stack.c:113
print_address_description+0x67/0x230 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x24e/0x28c mm/kasan/report.c:412
get_link fs/namei.c:1152 [inline]
trailing_symlink+0x593/0x677 fs/namei.c:2326
path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
filename_lookup fs/namei.c:2405 [inline]
user_path_at_empty+0x59/0x6c fs/namei.c:2677
user_path include/linux/namei.h:62 [inline]
do_mount+0x15c/0x17a4 fs/namespace.c:2773
ksys_mount+0x98/0xcc fs/namespace.c:3052
__do_sys_mount fs/namespace.c:3066 [inline]
__se_sys_mount fs/namespace.c:3063 [inline]
__x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 8112:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
slab_alloc_node mm/slub.c:2706 [inline]
slab_alloc mm/slub.c:2714 [inline]
__kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
kstrdup+0x39/0x63 mm/util.c:56
bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
vfs_symlink2+0xfc/0x12b fs/namei.c:4238
do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8116:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
slab_free_hook mm/slub.c:1371 [inline]
slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
slab_free mm/slub.c:2953 [inline]
kfree+0x177/0x212 mm/slub.c:3906
bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
evict+0x30b/0x4ce fs/inode.c:558
iput_final fs/inode.c:1550 [inline]
iput+0x541/0x551 fs/inode.c:1576
do_unlinkat+0x2fc/0x403 fs/namei.c:4180
do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Could the following patch be applied to 4.19.y?
1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")

Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer

I've queued it up, thanks again for all these tests!

--
Thanks,
Sasha
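The quoted report is read the way any syzkaller KASAN splat is: for each of the three stacks, find the first frame that is not KASAN, allocator or stack-dumper plumbing. The parser below automates that triage. It is an added example, not code from this thread or from the kernel tree, and the sample report is a constructed abbreviation of the trace above.

```python
import re

# Constructed sample, abbreviated from the KASAN report quoted above.
SAMPLE = """\
Call Trace:
dump_stack+0xc8/0x129 lib/dump_stack.c:113
kasan_report+0x24e/0x28c mm/kasan/report.c:412
get_link fs/namei.c:1152 [inline]
trailing_symlink+0x593/0x677 fs/namei.c:2326

Allocated by task 8112:
kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
kstrdup+0x39/0x63 mm/util.c:56
bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356

Freed by task 8116:
__kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
kfree+0x177/0x212 mm/slub.c:3906
bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
"""

# "func+0xoff/0xsize file:line [inline]" with the offset and [inline] parts optional
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+:\d+)(?:\s+\[inline\])?$")
SECTION_RE = re.compile(r"^(?P<kind>Call Trace|Allocated by task|Freed by task)\s*(?P<task>\d+)?:$")
# Frames owned by KASAN, the allocator or the stack dumper, not by the subsystem under test.
NOISE_PATHS = ("mm/kasan/", "mm/slub.c", "mm/slab", "mm/util.c", "lib/dump_stack.c")

def parse_kasan(report):
    """Split a report into its stacks: {section: (task or None, [(func, file:line), ...])}."""
    stacks, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("kind")
            stacks[current] = (int(m.group("task")) if m.group("task") else None, [])
            continue
        f = FRAME_RE.match(line)
        if f and current:
            stacks[current][1].append((f.group("func"), f.group("loc")))
    return stacks

def first_own_frame(frames):  # first frame outside the instrumentation/allocator layers
    return next(((fn, loc) for fn, loc in frames if not loc.startswith(NOISE_PATHS)), None)

def triage(report):
    """Name the access, allocation and free sites and flag a lifetime that spans tasks."""
    stacks = parse_kasan(report)
    alloc_task, alloc = stacks["Allocated by task"]
    free_task, free = stacks["Freed by task"]
    return {"access": first_own_frame(stacks["Call Trace"][1]),
            "alloc": first_own_frame(alloc), "alloc_task": alloc_task,
            "free": first_own_frame(free), "free_task": free_task,
            "cross_task": alloc_task != free_task}
```

On this sample it reports the access in get_link, the allocation in bpf_symlink and the free in bpf_evict_inode by a task other than the allocating one, which is the lifetime mismatch the commit being backported addresses.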
