syzbot


KASAN: use-after-free Read in task_is_descendant

Status: fixed on 2019/03/06 07:43
Subsystems: lsm
[Documentation on labels]
Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fix commit: 9474f4e7cd71 Yama: Check for pid death before checking ancestry
First crash: 2043d, last: 1956d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/202] 3.16.66-rc1 review 205 (205) 2019/04/28 15:45
[PATCH 4.19 00/99] 4.19.17-stable review 109 (109) 2019/04/22 19:40
[PATCH 4.4 000/104] 4.4.172-stable review 111 (111) 2019/01/30 07:30
[PATCH 3.18 00/52] 3.18.133-stable review 55 (55) 2019/01/25 23:16
[PATCH 4.14 00/59] 4.14.95-stable review 65 (65) 2019/01/23 12:55
[PATCH 4.9 00/51] 4.9.152-stable review 56 (56) 2019/01/23 09:06
[PATCH 4.20 000/111] 4.20.4-stable review 120 (120) 2019/01/23 06:43
[PATCH] Yama: Check for pid death before checking ancestry 3 (3) 2019/01/16 20:02
KASAN: use-after-free Read in task_is_descendant 28 (31) 2019/01/16 17:40

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:182 [inline]
BUG: KASAN: use-after-free in task_is_descendant.part.3+0x610/0x670 security/yama/yama_lsm.c:295
Read of size 8 at addr ffff8801ae718560 by task syz-executor198/4607

CPU: 1 PID: 4607 Comm: syz-executor198 Not tainted 4.20.0-rc1+ #232
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __read_once_size include/linux/compiler.h:182 [inline]
 task_is_descendant.part.3+0x610/0x670 security/yama/yama_lsm.c:295
 task_is_descendant security/yama/yama_lsm.c:282 [inline]
 yama_ptrace_access_check+0x215/0x10fc security/yama/yama_lsm.c:371
 security_ptrace_access_check+0x54/0xb0 security/security.c:271
 __ptrace_may_access+0x5c8/0x980 kernel/ptrace.c:336
 ptrace_attach+0x1fa/0x640 kernel/ptrace.c:389
 __do_compat_sys_ptrace kernel/ptrace.c:1284 [inline]
 __se_compat_sys_ptrace kernel/ptrace.c:1266 [inline]
 __ia32_compat_sys_ptrace+0x1d2/0x260 kernel/ptrace.c:1266
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7feba29
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f7fe71ec EFLAGS: 00000296 ORIG_RAX: 000000000000001a
RAX: ffffffffffffffda RBX: 0000000000004206 RCX: 00000000000014b5
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 5668:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
 alloc_task_struct_node kernel/fork.c:158 [inline]
 dup_task_struct kernel/fork.c:843 [inline]
 copy_process+0x2026/0x87a0 kernel/fork.c:1751
 _do_fork+0x1cb/0x11d0 kernel/fork.c:2216
 __do_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline]
 __se_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:236 [inline]
 __ia32_compat_sys_x86_clone+0xbc/0x140 arch/x86/ia32/sys_ia32.c:236
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 16:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3760
 free_task_struct kernel/fork.c:163 [inline]
 free_task+0x16e/0x1f0 kernel/fork.c:457
 __put_task_struct+0x2e6/0x620 kernel/fork.c:730
 put_task_struct include/linux/sched/task.h:96 [inline]
 delayed_put_task_struct+0x2ff/0x4c0 kernel/exit.c:181
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2437 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
 rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
 __do_softirq+0x308/0xb7e kernel/softirq.c:292

The buggy address belongs to the object at ffff8801ae718080
 which belongs to the cache task_struct of size 6080
The buggy address is located 1248 bytes inside of
 6080-byte region [ffff8801ae718080, ffff8801ae719840)
The buggy address belongs to the page:
page:ffffea0006b9c600 count:1 mapcount:0 mapping:ffff8801da970180 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea0006b99488 ffffea0006b9c688 ffff8801da970180
raw: 0000000000000000 ffff8801ae718080 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ae718400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ae718480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ae718500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801ae718580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ae718600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (27):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/11/10 11:45 upstream aa4330e15c26 f9815aaf .config console log report syz C ci-upstream-kasan-gce-386
2018/11/10 03:28 upstream 3541833fd1f2 f9815aaf .config console log report syz ci-upstream-kasan-gce
2018/11/10 03:24 upstream 3541833fd1f2 f9815aaf .config console log report syz ci-upstream-kasan-gce-selinux-root
2018/11/10 03:26 upstream 3541833fd1f2 f9815aaf .config console log report syz ci-upstream-kasan-gce-386
2019/01/11 15:48 upstream 1bdbe2274920 c3f3344c .config console log report ci-upstream-kasan-gce-smack-root
2019/01/05 07:14 upstream 3fed6ae4b027 53be0a37 .config console log report ci-upstream-kasan-gce-root
2019/01/03 03:44 upstream 85f78456f286 06a2b89f .config console log report ci-upstream-kasan-gce-smack-root
2019/01/02 22:06 upstream 8e143b90e4d4 f0491811 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/29 04:49 upstream f346b0becb1b e33ad0f1 .config console log report ci-upstream-kasan-gce-smack-root
2018/12/27 12:11 upstream fc2fd5f0f1aa 43cf01dd .config console log report ci-upstream-kasan-gce-root
2018/12/23 07:12 upstream 9105b8aa50c1 e3bd7ab8 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/16 12:22 upstream 6531e115b7ab def91db3 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/12 13:29 upstream f5d582777bcb c3b10a5d .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/09 11:42 upstream 8214bdf7d3e6 979179d6 .config console log report ci-upstream-kasan-gce-smack-root
2018/12/09 02:31 upstream 8214bdf7d3e6 c7918378 .config console log report ci-upstream-kasan-gce-selinux-root
2018/12/08 23:24 upstream 8214bdf7d3e6 c7918378 .config console log report ci-upstream-kasan-gce
2018/12/01 12:29 upstream b6839ef26e54 d8988561 .config console log report ci-upstream-kasan-gce-root
2018/11/22 18:12 upstream edeca3a769ad 2ee77802 .config console log report ci-upstream-kasan-gce-smack-root
2018/11/16 08:35 upstream da5322e65940 f5e275d1 .config console log report ci-upstream-kasan-gce-root
2018/11/15 05:50 upstream d41217aac0a5 5f5f6d14 .config console log report ci-upstream-kasan-gce-smack-root
2018/11/04 18:21 upstream 71e56028173b 8bd6bd63 .config console log report ci-upstream-kasan-gce-smack-root
2018/10/20 16:44 upstream 270b77a0f30e ecb386fe .config console log report ci-upstream-kasan-gce-smack-root
2019/01/14 20:05 upstream 1c7fc5cbc339 95485883 .config console log report ci-upstream-kasan-gce-386
2019/01/16 09:25 linux-next cbeb3db684f7 b47fa78d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/10 10:42 linux-next 6cab33afc3dd 45c0c1b1 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/06 20:40 linux-next a4983672f9ca 94f8adb5 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/05 14:08 linux-next a4983672f9ca 53be0a37 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.