syzbot


KASAN: use-after-free Read in vma_interval_tree_insert

Status: auto-obsoleted due to no activity on 2023/04/11 01:52
Reported-by: syzbot+a6d488e2c7617407d044@syzkaller.appspotmail.com
First crash: 459d, last: 432d
Similar bugs (1):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-5-15 | KASAN: use-after-free Read in vma_interval_tree_insert (2) | | | | 1 | 101d | 101d | 0/2 | auto-obsoleted due to no activity on 2024/02/21 22:06

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __rb_insert lib/rbtree.c:115 [inline]
BUG: KASAN: use-after-free in __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
Read of size 8 at addr ffff8881c0000008 by task syz-executor.0/17308

CPU: 0 PID: 17308 Comm: syz-executor.0 Tainted: G        W         5.15.75-syzkaller-00546-gd9d889009b78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3d0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __rb_insert lib/rbtree.c:115 [inline]
 __rb_insert_augmented+0xaa/0x670 lib/rbtree.c:459
 rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
 rb_insert_augmented_cached include/linux/rbtree_augmented.h:60 [inline]
 vma_interval_tree_insert+0x2f3/0x310 mm/interval_tree.c:23
 __vma_link_file mm/mmap.c:674 [inline]
 vma_link+0x18a/0x1f0 mm/mmap.c:700
 mmap_region+0x16dd/0x1af0 mm/mmap.c:1853
 do_mmap+0x785/0xe40 mm/mmap.c:1584
 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554
 vm_mmap+0x8d/0xb0 mm/util.c:574
 elf_map+0x1b1/0x310 fs/binfmt_elf.c:392
 load_elf_binary+0x101c/0x27c0 fs/binfmt_elf.c:1141
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm+0x2a8/0xbc0 fs/exec.c:1780
 bprm_execve+0x4f0/0x7f0 fs/exec.c:1849
 do_execveat_common+0xa92/0xc80 fs/exec.c:1954
 do_execve fs/exec.c:2024 [inline]
 __do_sys_execve fs/exec.c:2100 [inline]
 __se_sys_execve fs/exec.c:2095 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2095
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x4ae0d6
Code: Unable to access opcode bytes at RIP 0x4ae0ac.
RSP: 002b:000000c00336b288 EFLAGS: 00000206 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004ae0d6
RDX: 000000c01319c960 RSI: 000000c00b5e6048 RDI: 000000c01bcbe318
RBP: 000000c00336b430 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004a4aef
R13: 0000000000000001 R14: 000000c0004bb040 R15: ffffffffffffffff
 </TASK>

The buggy address belongs to the page:
page:ffffea0007000000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1c0000
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0007010008 ffffea0006ff0008 0000000000000000
raw: 0000000000000000 000000000000000a 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881bfffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881bfffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c0000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8881c0000080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881c0000100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2022/11/30 17:19 | android13-5.15-lts | d9d889009b78 | 4c2a66e8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Read in vma_interval_tree_insert
2022/12/27 21:28 | android13-5.15-lts | c73b4619ad86 | 44712fbc | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | general protection fault in vma_interval_tree_insert
* Struck through repros no longer work on HEAD.