syzbot


KASAN: use-after-free Read in n_tty_receive_buf_common

Status: fixed on 2020/04/07 16:31
Reported-by: syzbot+f3bc55221079c0047ca2@syzkaller.appspotmail.com
Fix commit: b4492f1e7456 vt: selection, push sel_lock up
First crash: 1629d, last: 1535d
Fix bisection: fixed by (bisect log) :
commit b4492f1e7456bd162714c0ec2815c2749d930844
Author: Jiri Slaby <jslaby@suse.cz>
Date: Fri Feb 28 11:54:06 2020 +0000

  vt: selection, push sel_lock up

  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in n_tty_receive_buf_common C done 68 1551d 1627d 15/26 fixed on 2020/04/15 17:19
linux-4.14 KASAN: use-after-free Read in n_tty_receive_buf_common C done 25 1540d 1629d 1/1 fixed on 2020/04/02 14:59

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in n_tty_check_throttle drivers/tty/n_tty.c:264 [inline]
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x26a4/0x2ab0 drivers/tty/n_tty.c:1759
Read of size 1 at addr ffff8880a5a54301 by task syz-executor899/8162

CPU: 0 PID: 8162 Comm: syz-executor899 Not tainted 4.19.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 n_tty_check_throttle drivers/tty/n_tty.c:264 [inline]
 n_tty_receive_buf_common+0x26a4/0x2ab0 drivers/tty/n_tty.c:1759
 n_tty_receive_buf2+0x34/0x40 drivers/tty/n_tty.c:1775
 tty_ldisc_receive_buf+0xad/0x1c0 drivers/tty/tty_buffer.c:456
 paste_selection+0x1ff/0x443 drivers/tty/vt/selection.c:359
 tioclinux+0x133/0x470 drivers/tty/vt/vt.c:3019
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441329
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb6721268 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441329
RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000004
RBP: 000000000000d496 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8162:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15d/0x750 mm/slab.c:3736
 kmalloc_array include/linux/slab.h:637 [inline]
 set_selection+0x7e4/0x1370 drivers/tty/vt/selection.c:293
 tioclinux+0x11c/0x470 drivers/tty/vt/vt.c:3015
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8163:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 set_selection+0x801/0x1370 drivers/tty/vt/selection.c:300
 tioclinux+0x11c/0x470 drivers/tty/vt/vt.c:3015
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a5a54300
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 1 bytes inside of
 512-byte region [ffff8880a5a54300, ffff8880a5a54500)
The buggy address belongs to the page:
page:ffffea0002969500 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000241c6c8 ffffea0002961d08 ffff88812c31c940
raw: 0000000000000000 ffff8880a5a54080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a5a54200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5a54280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a5a54300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a5a54380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5a54400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (40):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/14 20:16 linux-4.19.y 357668399cf7 5d7b90f1 .config console log report syz C ci2-linux-4-19
2020/01/02 14:04 linux-4.19.y c7ecf3e3a71c 25a0186e .config console log report syz C ci2-linux-4-19
2019/12/15 00:43 linux-4.19.y 312017a460d5 eef6e580 .config console log report syz C ci2-linux-4-19
2019/12/13 10:53 linux-4.19.y 312017a460d5 2a752b7c .config console log report syz C ci2-linux-4-19
2019/12/13 04:59 linux-4.19.y fb683b5e3f53 08003f64 .config console log report syz C ci2-linux-4-19
2019/12/13 04:31 linux-4.19.y fb683b5e3f53 08003f64 .config console log report syz C ci2-linux-4-19
2019/12/08 12:50 linux-4.19.y fb683b5e3f53 1508f453 .config console log report syz C ci2-linux-4-19
2019/12/07 18:30 linux-4.19.y fb683b5e3f53 85f26751 .config console log report syz C ci2-linux-4-19
2019/12/29 12:56 linux-4.19.y 672481c2deff af6b8ef8 .config console log report syz ci2-linux-4-19
2019/12/15 08:42 linux-4.19.y 312017a460d5 eef6e580 .config console log report syz ci2-linux-4-19
2019/12/12 09:06 linux-4.19.y fb683b5e3f53 d973f528 .config console log report syz ci2-linux-4-19
2019/12/04 11:08 linux-4.19.y 174651bdf802 0ecb9746 .config console log report syz ci2-linux-4-19
2020/03/07 23:53 linux-4.19.y 7472c4028e23 2e9971bb .config console log report ci2-linux-4-19
2020/03/05 21:06 linux-4.19.y 7472c4028e23 b655d91b .config console log report ci2-linux-4-19
2020/03/04 16:35 linux-4.19.y a083db76118d 712198ac .config console log report ci2-linux-4-19
2020/03/04 06:45 linux-4.19.y a083db76118d 1f73b64b .config console log report ci2-linux-4-19
2020/03/04 04:49 linux-4.19.y a083db76118d 1f73b64b .config console log report ci2-linux-4-19
2020/03/03 19:27 linux-4.19.y a083db76118d 350a7a26 .config console log report ci2-linux-4-19
2020/02/29 21:40 linux-4.19.y a083db76118d c88c7b75 .config console log report ci2-linux-4-19
2020/02/28 08:53 linux-4.19.y f25804f38984 c88c7b75 .config console log report ci2-linux-4-19
2020/02/19 10:26 linux-4.19.y 9b15f7fae677 135c18aa .config console log report ci2-linux-4-19
2020/02/19 10:15 linux-4.19.y 9b15f7fae677 135c18aa .config console log report ci2-linux-4-19
2020/02/13 01:39 linux-4.19.y 357668399cf7 84f4fc8a .config console log report ci2-linux-4-19
2020/02/01 00:56 linux-4.19.y 7cdefde351b6 0eb59c27 .config console log report ci2-linux-4-19
2020/01/30 22:56 linux-4.19.y 7cdefde351b6 5ed23f9a .config console log report ci2-linux-4-19
2020/01/26 11:21 linux-4.19.y d183c8e2647a f4e7270e .config console log report ci2-linux-4-19
2020/01/24 14:41 linux-4.19.y d183c8e2647a 2e95ab33 .config console log report ci2-linux-4-19
2020/01/23 07:14 linux-4.19.y dc4ba5be1bab 3334d684 .config console log report ci2-linux-4-19
2020/01/14 06:59 linux-4.19.y dcd888983542 32881205 .config console log report ci2-linux-4-19
2020/01/06 13:01 linux-4.19.y 3d40d7117e35 438e1227 .config console log report ci2-linux-4-19
2020/01/04 23:29 linux-4.19.y 3d40d7117e35 68256974 .config console log report ci2-linux-4-19
2019/12/30 09:03 linux-4.19.y 672481c2deff af6b8ef8 .config console log report ci2-linux-4-19
2019/12/28 21:44 linux-4.19.y 672481c2deff af6b8ef8 .config console log report ci2-linux-4-19
2019/12/24 12:15 linux-4.19.y 672481c2deff be5c2c81 .config console log report ci2-linux-4-19
2019/12/24 04:55 linux-4.19.y 672481c2deff be5c2c81 .config console log report ci2-linux-4-19
2019/12/22 17:26 linux-4.19.y 672481c2deff 8b967267 .config console log report ci2-linux-4-19
2019/12/16 19:11 linux-4.19.y 312017a460d5 0ae38e44 .config console log report ci2-linux-4-19
2019/12/08 04:06 linux-4.19.y fb683b5e3f53 1508f453 .config console log report ci2-linux-4-19
2019/12/07 17:49 linux-4.19.y fb683b5e3f53 85f26751 .config console log report ci2-linux-4-19
2019/12/04 10:29 linux-4.19.y 174651bdf802 0ecb9746 .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.