Debian GNU/Linux 7 syzkaller ttyS0
2017/08/16 09:27:54 parsed 1 programs
2017/08/16 09:27:54 executed programs: 0
syzkaller login: [ 35.204123] ==================================================================
[ 35.205670] BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150
[ 35.206490] Read of size 4 at addr ffff88003e149548 by task syz-executor6/3081
[ 35.207215]
[ 35.207370] CPU: 3 PID: 3081 Comm: syz-executor6 Not tainted 4.13.0-rc5-next-20170816+ #4
[ 35.208960] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 35.210307] Call Trace:
[ 35.210555] dump_stack+0x194/0x257
[ 35.210914] ? arch_local_irq_restore+0x53/0x53
[ 35.211368] ? show_regs_print_info+0x65/0x65
[ 35.211803] ? __perf_event_task_sched_out+0x268/0x1360
[ 35.212578] ? free_ldt_struct.part.2+0x10a/0x150
[ 35.213117] print_address_description+0x73/0x250
[ 35.214088] ? free_ldt_struct.part.2+0x10a/0x150
[ 35.215830] kasan_report+0x24e/0x340
[ 35.216552] __asan_report_load4_noabort+0x14/0x20
[ 35.217535] free_ldt_struct.part.2+0x10a/0x150
[ 35.218328] destroy_context_ldt+0x60/0x80
[ 35.219135] __mmdrop+0xe9/0x530
[ 35.219781] ? sighand_ctor+0x50/0x50
[ 35.220530] ? finish_task_switch+0x1d3/0x740
[ 35.221117] ? lock_downgrade+0x990/0x990
[ 35.221530] ? rcu_sched_qs+0xe/0x140
[ 35.221899] ? do_raw_spin_trylock+0x190/0x190
[ 35.222355] ? lock_release+0xa40/0xa40
[ 35.222752] ? compat_start_thread+0x80/0x80
[ 35.223210] ? __schedule+0x8b7/0x2070
[ 35.223606] finish_task_switch+0x456/0x740
[ 35.224031] ? preempt_notifier_dec+0x20/0x20
[ 35.224469] ? sched_clock_cpu+0x1b/0x170
[ 35.224896] __schedule+0x8f0/0x2070
[ 35.225268] ? __sched_text_start+0x8/0x8
[ 35.225678] ? hrtimer_start_range_ns+0x687/0xeb0
[ 35.226167] ? lock_downgrade+0x990/0x990
[ 35.226574] ? do_raw_spin_trylock+0x190/0x190
[ 35.227029] ? __remove_hrtimer+0x190/0x190
[ 35.227464] ? lock_hrtimer_base.isra.21+0x75/0x130
[ 35.227984] ? trace_hardirqs_on+0xd/0x10
[ 35.228402] schedule+0x108/0x440
[ 35.228749] ? __schedule+0x2070/0x2070
[ 35.229309] ? do_wait+0x50a/0xa90
[ 35.230027] ? wait_consider_task+0x33c0/0x33c0
[ 35.230925] ? __might_sleep+0x95/0x190
[ 35.231692] do_nanosleep+0x215/0x6f0
[ 35.232447] ? schedule_timeout_idle+0x90/0x90
[ 35.233350] ? lock_acquire+0x1d5/0x580
[ 35.234093] ? __might_fault+0x110/0x1d0
[ 35.234855] ? memset+0x31/0x40
[ 35.235470] hrtimer_nanosleep+0x2b2/0x860
[ 35.237929] ? SyS_waitid+0x50/0x50
[ 35.238655] ? nanosleep_copyout+0x100/0x100
[ 35.239536] ? __might_sleep+0x95/0x190
[ 35.240331] ? kasan_check_write+0x14/0x20
[ 35.241115] ? _copy_from_user+0x99/0x110
[ 35.241518] ? __hrtimer_init+0x140/0x140
[ 35.241922] SyS_nanosleep+0x175/0x1f0
[ 35.242296] ? hrtimer_nanosleep+0x860/0x860
[ 35.242713] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.243196] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.243701] RIP: 0033:0x4704d0
[ 35.244010] RSP: 002b:00007ffc9e141458 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[ 35.244675] RAX: ffffffffffffffda RBX: 000000000000895e RCX: 00000000004704d0
[ 35.245206] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc9e141460
[ 35.245732] RBP: 00007ffc9e141470 R08: 0000000000000c09 R09: 0000000000000000
[ 35.246284] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc9e141430
[ 35.246954] R13: 000000000000136a R14: 0000000000000019 R15: 0000000000008910
[ 35.247601]
[ 35.247922] Allocated by task 4995:
[ 35.248640] save_stack_trace+0x16/0x20
[ 35.249498] save_stack+0x43/0xd0
[ 35.250134] kasan_kmalloc+0xad/0xe0
[ 35.250856] kmem_cache_alloc_trace+0x136/0x750
[ 35.251788] alloc_ldt_struct+0x52/0x140
[ 35.252509] write_ldt+0x3ea/0xab0
[ 35.253165] sys_modify_ldt+0x1ef/0x240
[ 35.253897] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.254502]
[ 35.254795] Freed by task 5004:
[ 35.255355] save_stack_trace+0x16/0x20
[ 35.256133] save_stack+0x43/0xd0
[ 35.256811] kasan_slab_free+0x71/0xc0
[ 35.257567] kfree+0xca/0x250
[ 35.259059] free_ldt_struct.part.2+0xdd/0x150
[ 35.259997] destroy_context_ldt+0x60/0x80
[ 35.260843] __mmdrop+0xe9/0x530
[ 35.261508] mmput+0x541/0x6e0
[ 35.262124] copy_process.part.36+0x22e1/0x4af0
[ 35.262986] _do_fork+0x1ef/0xfb0
[ 35.263647] SyS_clone+0x37/0x50
[ 35.264277] do_syscall_64+0x26c/0x8c0
[ 35.265056] return_from_SYSCALL_64+0x0/0x7a
[ 35.265949]
[ 35.266287] The buggy address belongs to the object at ffff88003e149540
[ 35.266287] which belongs to the cache kmalloc-32 of size 32
[ 35.268685] The buggy address is located 8 bytes inside of
[ 35.268685] 32-byte region [ffff88003e149540, ffff88003e149560)
[ 35.270923] The buggy address belongs to the page:
[ 35.271865] page:ffffea0000f85240 count:1 mapcount:0 mapping:ffff88003e149000 index:0xffff88003e149fc1
[ 35.273396] flags: 0x100000000000100(slab)
[ 35.273779] raw: 0100000000000100 ffff88003e149000 ffff88003e149fc1 000000010000003d
[ 35.274609] raw: ffffea0000e5f760 ffffea0000f609e0 ffff88003e8001c0 0000000000000000
[ 35.275446] page dumped because: kasan: bad access detected
[ 35.275944]
[ 35.276098] Memory state around the buggy address:
[ 35.276545] ffff88003e149400: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.277194] ffff88003e149480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.277826] >ffff88003e149500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.278468] ^
[ 35.279557] ffff88003e149580: 00 00 00 fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 35.280730] ffff88003e149600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 35.282041] ==================================================================
[ 35.283370] Kernel panic - not syncing: panic_on_warn set ...
[ 35.283370]
[ 35.284714] CPU: 3 PID: 3081 Comm: syz-executor6 Tainted: G B 4.13.0-rc5-next-20170816+ #4
[ 35.286133] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 35.287663] Call Trace:
[ 35.288159] dump_stack+0x194/0x257
[ 35.288845] ? arch_local_irq_restore+0x53/0x53
[ 35.289706] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.290583] ? free_ldt_struct.part.2+0xf0/0x150
[ 35.291471] panic+0x1e4/0x417
[ 35.292068] ? __warn+0x1d9/0x1d9
[ 35.292729] ? free_ldt_struct.part.2+0x10a/0x150
[ 35.293611] kasan_end_report+0x50/0x50
[ 35.294347] kasan_report+0x137/0x340
[ 35.295054] __asan_report_load4_noabort+0x14/0x20
[ 35.295977] free_ldt_struct.part.2+0x10a/0x150
[ 35.296838] destroy_context_ldt+0x60/0x80
[ 35.297631] __mmdrop+0xe9/0x530
[ 35.298240] ? sighand_ctor+0x50/0x50
[ 35.298937] ? finish_task_switch+0x1d3/0x740
[ 35.299771] ? lock_downgrade+0x990/0x990
[ 35.300721] ? rcu_sched_qs+0xe/0x140
[ 35.301062] ? do_raw_spin_trylock+0x190/0x190
[ 35.301500] ? lock_release+0xa40/0xa40
[ 35.301883] ? compat_start_thread+0x80/0x80
[ 35.302304] ? __schedule+0x8b7/0x2070
[ 35.302676] finish_task_switch+0x456/0x740
[ 35.303083] ? preempt_notifier_dec+0x20/0x20
[ 35.303507] ? sched_clock_cpu+0x1b/0x170
[ 35.303925] __schedule+0x8f0/0x2070
[ 35.304285] ? __sched_text_start+0x8/0x8
[ 35.304682] ? hrtimer_start_range_ns+0x687/0xeb0
[ 35.305518] ? lock_downgrade+0x990/0x990
[ 35.305920] ? do_raw_spin_trylock+0x190/0x190
[ 35.306354] ? __remove_hrtimer+0x190/0x190
[ 35.306780] ? lock_hrtimer_base.isra.21+0x75/0x130
[ 35.307575] ? trace_hardirqs_on+0xd/0x10
[ 35.308353] schedule+0x108/0x440
[ 35.308999] ? __schedule+0x2070/0x2070
[ 35.309754] ? do_wait+0x50a/0xa90
[ 35.310131] ? wait_consider_task+0x33c0/0x33c0
[ 35.310999] ? __might_sleep+0x95/0x190
[ 35.311610] do_nanosleep+0x215/0x6f0
[ 35.312153] ? schedule_timeout_idle+0x90/0x90
[ 35.312790] ? lock_acquire+0x1d5/0x580
[ 35.313395] ? __might_fault+0x110/0x1d0
[ 35.313936] ? memset+0x31/0x40
[ 35.314312] hrtimer_nanosleep+0x2b2/0x860
[ 35.314692] ? SyS_waitid+0x50/0x50
[ 35.315018] ? nanosleep_copyout+0x100/0x100
[ 35.315441] ? __might_sleep+0x95/0x190
[ 35.315853] ? kasan_check_write+0x14/0x20
[ 35.316315] ? _copy_from_user+0x99/0x110
[ 35.316739] ? __hrtimer_init+0x140/0x140
[ 35.317177] SyS_nanosleep+0x175/0x1f0
[ 35.317526] ? hrtimer_nanosleep+0x860/0x860
[ 35.317894] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.318305] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.318695] RIP: 0033:0x4704d0
[ 35.318985] RSP: 002b:00007ffc9e141458 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[ 35.319700] RAX: ffffffffffffffda RBX: 000000000000895e RCX: 00000000004704d0
[ 35.320378] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc9e141460
[ 35.321101] RBP: 00007ffc9e141470 R08: 0000000000000c09 R09: 0000000000000000
[ 35.322125] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc9e141430
[ 35.322739] R13: 000000000000136a R14: 0000000000000019 R15: 0000000000008910
[ 35.323335] Dumping ftrace buffer:
[ 35.323636] (ftrace buffer empty)
[ 35.323966] Kernel Offset: disabled
[ 35.324304] Rebooting in 86400 seconds..