syzbot


KASAN: use-after-free Read in rfcomm_dlc_open (2)

Status: auto-closed as invalid on 2020/01/07 22:09
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+0b0fd24d40f358830891@syzkaller.appspotmail.com
First crash: 1825d, last: 1679d
Discussions (4)
Title Replies (including bot) Last reply
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/24 01:41
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/09 19:07
Reminder: 27 open syzbot bugs in bluetooth subsystem 1 (1) 2019/06/24 05:14
KASAN: use-after-free Read in rfcomm_dlc_open (2) 0 (1) 2019/04/23 16:22
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in rfcomm_dlc_open bluetooth 1 2078d 2074d 0/26 auto-closed as invalid on 2019/02/22 10:29

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in rfcomm_dlc_get net/bluetooth/rfcomm/core.c:360 [inline]
BUG: KASAN: use-after-free in __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:396 [inline]
BUG: KASAN: use-after-free in rfcomm_dlc_open+0xc9d/0xd80 net/bluetooth/rfcomm/core.c:431
Read of size 1 at addr ffff88808eb73644 by task syz-executor.3/17540

CPU: 0 PID: 17540 Comm: syz-executor.3 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351
 __kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:129
 rfcomm_dlc_get net/bluetooth/rfcomm/core.c:360 [inline]
 __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:396 [inline]
 rfcomm_dlc_open+0xc9d/0xd80 net/bluetooth/rfcomm/core.c:431
 rfcomm_sock_connect+0x38a/0x4b0 net/bluetooth/rfcomm/sock.c:416
 __sys_connect+0x264/0x330 net/socket.c:1828
 __do_sys_connect net/socket.c:1839 [inline]
 __se_sys_connect net/socket.c:1836 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1836
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4598e9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f63c84a4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 000000000000000e RSI: 0000000020000100 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63c84a56d4
R13: 00000000004bfda3 R14: 00000000004d1bf0 R15: 00000000ffffffff

Allocated by task 15796:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:493 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:466
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 rfcomm_dlc_alloc+0x82/0x410 net/bluetooth/rfcomm/core.c:305
 rfcomm_sock_alloc.constprop.0+0xb3/0x370 net/bluetooth/rfcomm/sock.c:286
 rfcomm_sock_create+0xf3/0x2b0 net/bluetooth/rfcomm/sock.c:329
 bt_sock_create+0x16a/0x2d0 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x3d8/0x730 net/socket.c:1418
 sock_create net/socket.c:1469 [inline]
 __sys_socket+0x103/0x220 net/socket.c:1511
 __do_sys_socket net/socket.c:1520 [inline]
 __se_sys_socket net/socket.c:1518 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1518
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 17165:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 rfcomm_dlc_free+0x20/0x30 net/bluetooth/rfcomm/core.c:328
 rfcomm_dlc_put include/net/bluetooth/rfcomm.h:258 [inline]
 __rfcomm_create_dev net/bluetooth/rfcomm/tty.c:417 [inline]
 rfcomm_create_dev net/bluetooth/rfcomm/tty.c:486 [inline]
 rfcomm_dev_ioctl+0x183e/0x1b80 net/bluetooth/rfcomm/tty.c:588
 rfcomm_sock_ioctl+0x90/0xb0 net/bluetooth/rfcomm/sock.c:902
 sock_do_ioctl+0xd8/0x2f0 net/socket.c:1038
 sock_ioctl+0x3ed/0x780 net/socket.c:1189
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808eb73500
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 324 bytes inside of
 512-byte region [ffff88808eb73500, ffff88808eb73700)
The buggy address belongs to the page:
page:ffffea00023adcc0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00025a0fc8 ffffea0001258188 ffff8880aa400a80
raw: 0000000000000000 ffff88808eb73000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808eb73500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808eb73580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808eb73600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88808eb73680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808eb73700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/09/09 22:08 net-old 28abe5796252 a60cb4cd .config console log report ci-upstream-net-this-kasan-gce
2019/09/06 23:42 net-old 74346c434cd2 a60cb4cd .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 18:57 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 16:48 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/08/27 00:01 net-old f53a7ad18959 d21c5d9d .config console log report ci-upstream-net-this-kasan-gce
2019/04/26 16:02 net-old ad759c906954 b617407b .config console log report ci-upstream-net-this-kasan-gce
2019/08/12 03:16 net-next-old 2cc2743d8fee acb51638 .config console log report ci-upstream-net-kasan-gce
2019/08/04 02:50 net-next-old 31cc088a4f5d 6affd8e8 .config console log report ci-upstream-net-kasan-gce
2019/08/03 21:42 net-next-old 31cc088a4f5d 6affd8e8 .config console log report ci-upstream-net-kasan-gce
2019/07/29 14:58 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/29 09:50 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 17:10 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 14:40 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 06:02 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/28 03:10 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/05/21 06:54 net-next-old f49aa1de9836 8285069f .config console log report ci-upstream-net-kasan-gce
2019/05/14 14:14 net-next-old 63863ee8e2f6 ada3c44c .config console log report ci-upstream-net-kasan-gce
2019/05/08 17:06 net-next-old a55a385d8c84 a7383bfa .config console log report ci-upstream-net-kasan-gce
2019/04/16 22:48 net-next-old 432bc230700f 505ab413 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.