syzbot


KASAN: use-after-free Read in binder_release_work

Status: public: reported C repro on 2019/04/11 08:44
Reported-by: syzbot+618ce369cc83afc770fe@syzkaller.appspotmail.com
First crash: 2415d, last: 2402d
Similar bugs (4)
Kernel       | Title                                                            | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
-------------|------------------------------------------------------------------|-------|--------------|------------|-------|-------|----------|---------|------------------------------------------------
android-5-10 | KASAN: use-after-free Read in binder_release_work                | C     |              |            | 36    | 2d02h | 9d06h    | 0/2     | upstream: reported C repro on 2024/11/12 10:57
upstream     | KASAN: use-after-free Read in binder_release_work kernel         | C     |              |            | 6     | 2402d | 2423d    | 5/28    | fixed on 2018/05/08 18:30
android-49   | KASAN: use-after-free Read in binder_release_work                | C     |              |            | 132   | 2402d | 2416d    | 3/3     | fixed on 2018/05/22 16:58
android-5-15 | KASAN: use-after-free Read in binder_release_work origin:upstream | C    |              |            | 49    | 7h47m | 52d      | 0/2     | upstream: reported C repro on 2024/09/30 05:16

Sample crash report:
binder: 3769:3770 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 3769:3770 BC_INCREFS_DONE u0000000000000000 node 6 cookie mismatch 0000000000000004 != 0000000000000000
binder: 3769:3770 BC_FREE_BUFFER u0000000000000000 no match
binder: 3769:3770 got transaction to invalid handle
binder: 3769:3770 transaction failed 29201/-22, size 0-0 line 3011
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
Read of size 8 at addr ffff8801d4fa5310 by task kworker/u4:3/404

CPU: 1 PID: 404 Comm: kworker/u4:3 Not tainted 4.4.125-g38f41ec #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: binder binder_deferred_func
 0000000000000000 7476bc1b901d62ac ffff8800bb11fa58 ffffffff81d067bd
 ffffea000753e940 ffff8801d4fa5310 0000000000000000 ffff8801d4fa5310
 ffffed0016b348f9 ffff8800bb11fa90 ffffffff814fea83 ffff8801d4fa5310
Call Trace:
 [<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814ff0f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81d66b16>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 [<ffffffff82c7c34e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff82c7c34e>] binder_dequeue_work_head_ilocked drivers/android/binder.c:914 [inline]
 [<ffffffff82c7c34e>] binder_dequeue_work_head drivers/android/binder.c:934 [inline]
 [<ffffffff82c7c34e>] binder_release_work+0x6e/0x260 drivers/android/binder.c:4362
 [<ffffffff82c7c965>] binder_thread_release+0x425/0x600 drivers/android/binder.c:4570
 [<ffffffff82c815d8>] binder_deferred_release drivers/android/binder.c:5111 [inline]
 [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5183
 [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064
 [<ffffffff811810d9>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190b48>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff83779d95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

Allocated by task 3768:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fddbd>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fddbd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f9d40>] kmem_cache_alloc_trace+0x100/0x2b0 mm/slub.c:2642
 [<ffffffff82c8c72c>] kmalloc include/linux/slab.h:476 [inline]
 [<ffffffff82c8c72c>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82c8c72c>] binder_transaction+0x103c/0x7290 drivers/android/binder.c:3063
 [<ffffffff82c9319f>] binder_thread_write+0x81f/0x33e0 drivers/android/binder.c:3686
 [<ffffffff82c95f2f>] binder_ioctl_write_read.isra.55+0x1cf/0xbc0 drivers/android/binder.c:4625
 [<ffffffff82c97570>] binder_ioctl+0xc50/0x12e0 drivers/android/binder.c:4764
 [<ffffffff8155a71a>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff8155a71a>] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607
 [<ffffffff8155aedf>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff8155aedf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
 [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 404:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fe412>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814faeac>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814faeac>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814faeac>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814faeac>] kfree+0xfc/0x300 mm/slub.c:3749
 [<ffffffff82c71aca>] binder_free_transaction+0x6a/0x90 drivers/android/binder.c:2123
 [<ffffffff82c7bfe9>] binder_send_failed_reply+0x1c9/0x380 drivers/android/binder.c:2162
 [<ffffffff82c7c953>] binder_thread_release+0x413/0x600 drivers/android/binder.c:4569
 [<ffffffff82c815d8>] binder_deferred_release drivers/android/binder.c:5111 [inline]
 [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5183
 [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064
 [<ffffffff811810d9>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190b48>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff83779d95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

The buggy address belongs to the object at ffff8801d4fa5300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801d4fa5300, ffff8801d4fa53c0)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3763 Comm: syzkaller363232 Not tainted 4.4.125-g38f41ec #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800adbc9800 task.stack: ffff8801d0f90000
RIP: 0010:[<ffffffff81d24038>]  [<ffffffff81d24038>] timerqueue_add+0xb8/0x2a0 lib/timerqueue.c:51
RSP: 0018:ffff8801db207d70  EFLAGS: 00010806
RAX: ffffed003b64338b RBX: ffff8801db219c40 RCX: ffffffff81d2401c
RDX: 1d1a89b13fffffe7 RSI: ffff8801db219c40 RDI: e8d44d89ffffff39
RBP: ffff8801db207db0 R08: ffffffff8580ef08 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003b640f62 R12: dffffc0000000000
R13: e8d44d89ffffff21 R14: 0000000768061480 R15: ffffffff81491309
FS:  000000000199e880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006e0194 CR3: 00000001c812e000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801db219c58 ffff8801db219710 ffffed003b64338b ffff8801db219700
 ffff8801db219c40 ffff8801db219640 0000000000000001 0000000000000000
 ffff8801db207de8 ffffffff812ac208 ffff8801db219c40 0000000000000001
Call Trace:
 <IRQ> 
 [<ffffffff812ac208>] enqueue_hrtimer+0x168/0x450 kernel/time/hrtimer.c:892
 [<ffffffff812ae2d2>] __run_hrtimer kernel/time/hrtimer.c:1275 [inline]
 [<ffffffff812ae2d2>] __hrtimer_run_queues+0x732/0xfe0 kernel/time/hrtimer.c:1324
 [<ffffffff812b0386>] hrtimer_interrupt+0x1a6/0x440 kernel/time/hrtimer.c:1358
 [<ffffffff810b0e5a>] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff8377c576>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff8377b4d0>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> 
 [<ffffffff812e491d>] smp_call_function_many+0x47d/0x720 kernel/smp.c:435
 [<ffffffff810eda3e>] native_flush_tlb_others+0xfe/0x710 arch/x86/mm/tlb.c:292
 [<ffffffff810ee153>] flush_tlb_others arch/x86/include/asm/paravirt.h:338 [inline]
 [<ffffffff810ee153>] flush_tlb_mm_range+0x103/0x560 arch/x86/mm/tlb.c:358
 [<ffffffff8112a836>] dup_mmap kernel/fork.c:528 [inline]
 [<ffffffff8112a836>] dup_mm kernel/fork.c:983 [inline]
 [<ffffffff8112a836>] copy_mm kernel/fork.c:1037 [inline]
 [<ffffffff8112a836>] copy_process+0x5266/0x6120 kernel/fork.c:1503
 [<ffffffff8112bb11>] _do_fork+0x151/0xe00 kernel/fork.c:1784
 [<ffffffff8112c897>] SYSC_clone kernel/fork.c:1893 [inline]
 [<ffffffff8112c897>] SyS_clone+0x37/0x50 kernel/fork.c:1887
 [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: 
------------[ cut here ]------------
WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 pagefault_disabled_dec include/linux/uaccess.h:15 [inline]()
WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 pagefault_enable include/linux/uaccess.h:42 [inline]()
WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200 mm/maccess.c:35()

Crashes (5):
Time             | Kernel                                                        | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets (help?) | Manager                    | Title
-----------------|---------------------------------------------------------------|--------------|-----------|---------|-------------|--------|-----------|---------|---------|----------------|----------------------------|------
2018/04/11 18:21 | https://android.googlesource.com/kernel/common android-4.4    | 38f41ec1cb31 | 8b8de427  | .config | console log | report | syz       | C       |         |                | ci-android-44-kasan-gce     |
2018/04/13 18:55 | https://android.googlesource.com/kernel/common android-4.4    | 38f41ec1cb31 | 0a0c5db6  | .config | console log | report | syz       |         |         |                | ci-android-44-kasan-gce-386 |
2018/04/11 18:14 | https://android.googlesource.com/kernel/common android-4.4    | 38f41ec1cb31 | 8b8de427  | .config | console log | report | syz       |         |         |                | ci-android-44-kasan-gce-386 |
2018/04/25 02:50 | https://android.googlesource.com/kernel/common android-4.4    | bd23e3af1765 | 37e76fe2  | .config | console log | report |           |         |         |                | ci-android-44-kasan-gce     |
2018/04/25 02:51 | https://android.googlesource.com/kernel/common android-4.4    | bd23e3af1765 | 37e76fe2  | .config | console log | report |           |         |         |                | ci-android-44-kasan-gce-386 |
* Struck through repros no longer work on HEAD.