KASAN: use-after-free Write in check_noncircular

syzbot syzbot+f5ceb7c55f59455035ca at syzkaller.appspotmail.com
Wed Jul 17 08:58:07 UTC 2019


Hello,

syzbot found the following crash on:

HEAD commit:    9637d517 Merge tag 'for-linus-20190715' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f42e1fa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=88095c4f62402bcd
dashboard link: https://syzkaller.appspot.com/bug?extid=f5ceb7c55f59455035ca
compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12cfbe1fa00000

The bug was bisected to:

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend at gmail.com>
Date:   Sat Jun 30 13:17:47 2018 +0000

     bpf: sockhash fix omitted bucket lock in sock_close

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=109c3078600000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=129c3078600000
console output: https://syzkaller.appspot.com/x/log.txt?x=149c3078600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5ceb7c55f59455035ca at syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")

==================================================================
BUG: KASAN: use-after-free in check_noncircular+0x91/0x560  
kernel/locking/lockdep.c:1722
Write of size 56 at addr ffff888089815160 by task syz-executor.4/8772

CPU: 1 PID: 8772 Comm: syz-executor.4 Not tainted 5.2.0+ #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:

Allocated by task 8457:
  save_stack mm/kasan/common.c:69 [inline]
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:487
  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
  kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550
  kmalloc include/linux/slab.h:552 [inline]
  tomoyo_print_header security/tomoyo/audit.c:156 [inline]
  tomoyo_init_log+0x176/0x1f20 security/tomoyo/audit.c:255
  tomoyo_supervisor+0x39c/0x13f0 security/tomoyo/common.c:2095
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_check_open_permission+0x488/0x9e0 security/tomoyo/file.c:777
  tomoyo_file_open+0x141/0x190 security/tomoyo/tomoyo.c:319
  security_file_open+0x65/0x2f0 security/security.c:1457
  do_dentry_open+0x397/0x1060 fs/open.c:765
  vfs_open+0x73/0x80 fs/open.c:887
  do_last fs/namei.c:3416 [inline]
  path_openat+0x136d/0x4400 fs/namei.c:3533
  do_filp_open+0x1f7/0x430 fs/namei.c:3563
  do_sys_open+0x343/0x620 fs/open.c:1070
  __do_sys_open fs/open.c:1088 [inline]
  __se_sys_open fs/open.c:1083 [inline]
  __x64_sys_open+0x87/0x90 fs/open.c:1083
  do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8457:
  save_stack mm/kasan/common.c:69 [inline]
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:449
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
  __cache_free mm/slab.c:3425 [inline]
  kfree+0x115/0x200 mm/slab.c:3756
  tomoyo_init_log+0x1bf7/0x1f20 security/tomoyo/audit.c:294
  tomoyo_supervisor+0x39c/0x13f0 security/tomoyo/common.c:2095
  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
  tomoyo_path_permission security/tomoyo/file.c:587 [inline]
  tomoyo_check_open_permission+0x488/0x9e0 security/tomoyo/file.c:777
  tomoyo_file_open+0x141/0x190 security/tomoyo/tomoyo.c:319
  security_file_open+0x65/0x2f0 security/security.c:1457
  do_dentry_open+0x397/0x1060 fs/open.c:765
  vfs_open+0x73/0x80 fs/open.c:887
  do_last fs/namei.c:3416 [inline]
  path_openat+0x136d/0x4400 fs/namei.c:3533
  do_filp_open+0x1f7/0x430 fs/namei.c:3563
  do_sys_open+0x343/0x620 fs/open.c:1070
  __do_sys_open fs/open.c:1088 [inline]
  __se_sys_open fs/open.c:1083 [inline]
  __x64_sys_open+0x87/0x90 fs/open.c:1083
  do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880898146c0
  which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2720 bytes inside of
  4096-byte region [ffff8880898146c0, ffff8880898156c0)
The buggy address belongs to the page:
page:ffffea0002260500 refcount:1 mapcount:0 mapping:ffff8880aa402000  
index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002263b08 ffffea0002916d08 ffff8880aa402000
raw: 0000000000000000 ffff8880898146c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888089815000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888089815080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888089815100: fb fb fb fb f1 f1 f1 f1 00 f2 f2 f2 fb fb fb fb
                                                        ^
  ffff888089815180: fb fb fb f3 f3 f3 f3 f3 fb fb fb fb fb fb fb fb
  ffff888089815200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches



More information about the Linux-security-module-archive mailing list