Title | Replies (including bot) | Last reply |
---|---|---|
[PATCH] umh: fix UAF when the process is being killed | 17 (17) | 2023/01/24 17:39 |
[PATCH v2] umh: fix out of scope usage when the process is being killed | 3 (3) | 2022/12/15 05:11 |
```
==================================================================
BUG: KASAN: slab-out-of-bounds in swake_up_locked kernel/sched/swait.c:29 [inline]
BUG: KASAN: slab-out-of-bounds in complete+0xa8/0x1c0 kernel/sched/completion.c:36
Read of size 8 at addr ffff88801ffcba78 by task kworker/u4:32/11940

CPU: 0 PID: 11940 Comm: kworker/u4:32 Not tainted 6.1.0-rc2-syzkaller-00078-g98555239e4c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x220 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 swake_up_locked kernel/sched/swait.c:29 [inline]
 complete+0xa8/0x1c0 kernel/sched/completion.c:36
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 kmem_cache_alloc_node+0x1ca/0x340 mm/slub.c:3443
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4e/0x490 kernel/fork.c:966
 copy_process+0x637/0x3fc0 kernel/fork.c:2084
 kernel_clone+0x227/0x640 kernel/fork.c:2671
 kernel_thread+0x150/0x1d0 kernel/fork.c:2731
 create_kthread kernel/kthread.c:399 [inline]
 kthreadd+0x5bc/0x790 kernel/kthread.c:746
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88801ffc9d40
 which belongs to the cache task_struct of size 7232
The buggy address is located 248 bytes to the right of
 7232-byte region [ffff88801ffc9d40, ffff88801ffcb980)

The buggy address belongs to the physical page:
page:ffffea00007ff200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ffc8
head:ffffea00007ff200 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888076124f01
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff8881400073c0
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff888076124f01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 9, tgid 9 (kworker/u4:0), ts 6883003803, free_ts 0
 prep_new_page mm/page_alloc.c:2538 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4287
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5554
 alloc_slab_page+0x70/0xf0 mm/slub.c:1794
 allocate_slab+0x5e/0x4b0 mm/slub.c:1939
 new_slab mm/slub.c:1992 [inline]
 ___slab_alloc+0x7f4/0xeb0 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 kmem_cache_alloc_node+0x283/0x340 mm/slub.c:3443
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4e/0x490 kernel/fork.c:966
 copy_process+0x637/0x3fc0 kernel/fork.c:2084
 kernel_clone+0x227/0x640 kernel/fork.c:2671
 user_mode_thread+0x12d/0x190 kernel/fork.c:2747
 call_usermodehelper_exec_work+0x57/0x220 kernel/umh.c:175
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801ffcb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801ffcb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801ffcba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88801ffcba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801ffcbb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2022/10/27 20:05 | upstream | 98555239e4c3 | 86777b7f | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-out-of-bounds Read in process_one_work |