[syzbot] [lsm?] KASAN: slab-use-after-free Read in smk_access

Paul Moore paul at paul-moore.com
Fri Sep 20 16:58:31 UTC 2024


On Fri, Sep 20, 2024 at 10:15 AM syzbot
<syzbot+a95cf48b5daf4bb16c29 at syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    a430d95c5efa Merge tag 'lsm-pr-20240911' of git://git.kern..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10469d00580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d9ab5893ec5191eb
> dashboard link: https://syzkaller.appspot.com/bug?extid=a95cf48b5daf4bb16c29
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110e6a77980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10cee207980000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c27c9d8c6782/disk-a430d95c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/73c62c975a0c/vmlinux-a430d95c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/56164e51e333/bzImage-a430d95c.xz
>
> The issue was bisected to:
>
> commit 5f8d28f6d7d568dbbc8c5bce94894474c07afd4f
> Author: Casey Schaufler <casey at schaufler-ca.com>
> Date:   Wed Jul 10 21:32:26 2024 +0000
>
>     lsm: infrastructure management of the key security blob
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10293fc7980000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=12293fc7980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=14293fc7980000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a95cf48b5daf4bb16c29 at syzkaller.appspotmail.com
> Fixes: 5f8d28f6d7d5 ("lsm: infrastructure management of the key security blob")
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in smk_access+0xae/0x4e0 security/smack/smack_access.c:147
> Read of size 8 at addr ffff8880202b03c0 by task syz-executor367/5216
>
> CPU: 0 UID: 60928 PID: 5216 Comm: syz-executor367 Not tainted 6.11.0-syzkaller-02574-ga430d95c5efa #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:93 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0x169/0x550 mm/kasan/report.c:488
>  kasan_report+0x143/0x180 mm/kasan/report.c:601
>  smk_access+0xae/0x4e0 security/smack/smack_access.c:147
>  smack_watch_key+0x2f4/0x3a0 security/smack/smack_lsm.c:4656
>  security_watch_key+0x86/0x250 security/security.c:4448
>  keyctl_watch_key+0x2b7/0x480 security/keys/keyctl.c:1813
>  __do_sys_keyctl security/keys/keyctl.c:2021 [inline]
>  __se_sys_keyctl+0x106/0xa50 security/keys/keyctl.c:1874
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fbebbbc2fe9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 1d 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fbebbb74238 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
> RAX: ffffffffffffffda RBX: 00007fbebbc463e8 RCX: 00007fbebbbc2fe9
> RDX: 0000000000000004 RSI: 0000000016bf1cf5 RDI: 0000000000000020
> RBP: 00007fbebbc463e0 R08: 0000000000000000 R09: 00007fbebbb746c0
> R10: 0000000000000000 R11: 0000000000000246 R12: 00676e697279656b
> R13: 0000000000000002 R14: 00007ffe798160c0 R15: 00007ffe798161a8
>  </TASK>

...

> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report

#syz dup: [syzbot] [audit?] general protection fault in smack_log_callback

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list