LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* KASAN: use-after-free Write in check_noncircular
@ 2019-07-17  8:58 syzbot
  2019-07-17 10:13 ` Tetsuo Handa
  0 siblings, 1 reply; 2+ messages in thread
From: syzbot @ 2019-07-17  8:58 UTC (permalink / raw)
  To: ast, daniel, jmorris, john.fastabend, linux-kernel,
	linux-security-module, netdev, penguin-kernel, serge,
	syzkaller-bugs, takedakn

Hello,

syzbot found the following crash on:

HEAD commit:    9637d517 Merge tag 'for-linus-20190715' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f42e1fa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=88095c4f62402bcd
dashboard link: https://syzkaller.appspot.com/bug?extid=f5ceb7c55f59455035ca
compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12cfbe1fa00000

The bug was bisected to:

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date:   Sat Jun 30 13:17:47 2018 +0000

     bpf: sockhash fix omitted bucket lock in sock_close

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=109c3078600000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=129c3078600000
console output: https://syzkaller.appspot.com/x/log.txt?x=149c3078600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5ceb7c55f59455035ca@syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")

==================================================================
BUG: KASAN: use-after-free in check_noncircular+0x91/0x560  
kernel/locking/lockdep.c:1722
Write of size 56 at addr ffff888089815160 by task syz-executor.4/8772

CPU: 1 PID: 8772 Comm: syz-executor.4 Not tainted 5.2.0+ #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:

Allocated by task 8457:
  save_stack mm/kasan/common.c:69 [inline]
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:487
  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
  kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550
  kmalloc include/linux/slab.h:552 [inline]
  tomoyo_print_header security/tomoyo/audit.c:156 [inline]
  tomoyo_init_log+0x176/0x1f20 security/tomoyo/audit.c:255
  tomoyo_supervisor+0x39c/0x13f0 security/tomoyo/common.c:2095
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_check_open_permission+0x488/0x9e0 security/tomoyo/file.c:777
  tomoyo_file_open+0x141/0x190 security/tomoyo/tomoyo.c:319
  security_file_open+0x65/0x2f0 security/security.c:1457
  do_dentry_open+0x397/0x1060 fs/open.c:765
  vfs_open+0x73/0x80 fs/open.c:887
  do_last fs/namei.c:3416 [inline]
  path_openat+0x136d/0x4400 fs/namei.c:3533
  do_filp_open+0x1f7/0x430 fs/namei.c:3563
  do_sys_open+0x343/0x620 fs/open.c:1070
  __do_sys_open fs/open.c:1088 [inline]
  __se_sys_open fs/open.c:1083 [inline]
  __x64_sys_open+0x87/0x90 fs/open.c:1083
  do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8457:
  save_stack mm/kasan/common.c:69 [inline]
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:449
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
  __cache_free mm/slab.c:3425 [inline]
  kfree+0x115/0x200 mm/slab.c:3756
  tomoyo_init_log+0x1bf7/0x1f20 security/tomoyo/audit.c:294
  tomoyo_supervisor+0x39c/0x13f0 security/tomoyo/common.c:2095
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_check_open_permission+0x488/0x9e0 security/tomoyo/file.c:777
  tomoyo_file_open+0x141/0x190 security/tomoyo/tomoyo.c:319
  security_file_open+0x65/0x2f0 security/security.c:1457
  do_dentry_open+0x397/0x1060 fs/open.c:765
  vfs_open+0x73/0x80 fs/open.c:887
  do_last fs/namei.c:3416 [inline]
  path_openat+0x136d/0x4400 fs/namei.c:3533
  do_filp_open+0x1f7/0x430 fs/namei.c:3563
  do_sys_open+0x343/0x620 fs/open.c:1070
  __do_sys_open fs/open.c:1088 [inline]
  __se_sys_open fs/open.c:1083 [inline]
  __x64_sys_open+0x87/0x90 fs/open.c:1083
  do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880898146c0
  which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2720 bytes inside of
  4096-byte region [ffff8880898146c0, ffff8880898156c0)
The buggy address belongs to the page:
page:ffffea0002260500 refcount:1 mapcount:0 mapping:ffff8880aa402000  
index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002263b08 ffffea0002916d08 ffff8880aa402000
raw: 0000000000000000 ffff8880898146c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888089815000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888089815080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888089815100: fb fb fb fb f1 f1 f1 f1 00 f2 f2 f2 fb fb fb fb
                                                        ^
  ffff888089815180: fb fb fb f3 f3 f3 f3 f3 fb fb fb fb fb fb fb fb
  ffff888089815200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: KASAN: use-after-free Write in check_noncircular
  2019-07-17  8:58 KASAN: use-after-free Write in check_noncircular syzbot
@ 2019-07-17 10:13 ` Tetsuo Handa
  0 siblings, 0 replies; 2+ messages in thread
From: Tetsuo Handa @ 2019-07-17 10:13 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, ast, daniel, john.fastabend, linux-kernel, netdev,
	syzkaller-bugs

This is not a TOMOYO's bug. But

On 2019/07/17 17:58, syzbot wrote:
> ==================================================================
> BUG: KASAN: use-after-free in check_noncircular+0x91/0x560 kernel/locking/lockdep.c:1722
> Write of size 56 at addr ffff888089815160 by task syz-executor.4/8772
> 
> CPU: 1 PID: 8772 Comm: syz-executor.4 Not tainted 5.2.0+ #31
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> 

what happened here? No trace was printed to console output?

> Allocated by task 8457:

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-07-17 10:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-17  8:58 KASAN: use-after-free Write in check_noncircular syzbot
2019-07-17 10:13 ` Tetsuo Handa

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).