syzbot


KASAN: use-after-free Read in ieee80211_ibss_build_presp
Status: fixed on 2021/04/22 23:33
Reported-by: syzbot+11659667bfe36d2e7868@syzkaller.appspotmail.com
Fix commit: d2ddd5417f6d mac80211: fix double free in ibss_leave
First crash: 573d, last: 427d

Fix bisection: fixed by (bisect log) :
commit d2ddd5417f6d5be4421068434408e716787cf1b3
Author: Markus Theil <markus.theil@tu-ilmenau.de>
Date: Sat Feb 13 13:36:53 2021 +0000

  mac80211: fix double free in ibss_leave

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in ieee80211_ibss_build_presp C error 1 246d 563d 0/1 upstream: reported C repro on 2020/11/07 02:41
upstream KASAN: use-after-free Read in ieee80211_ibss_build_presp C inconclusive unreliable 3 426d 533d 0/22 upstream: reported C repro on 2020/12/07 19:03

Sample crash report:
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:372 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xf55/0x14b0 net/mac80211/ibss.c:173
Read of size 4 at addr ffff8880aa877100 by task kworker/u4:0/8026

CPU: 0 PID: 8026 Comm: kworker/u4:0 Not tainted 4.14.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy2 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report+0x6f/0x7b mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:372 [inline]
 ieee80211_ibss_build_presp+0xf55/0x14b0 net/mac80211/ibss.c:173
 __ieee80211_sta_join_ibss+0x5d1/0x1c80 net/mac80211/ibss.c:319
 ieee80211_sta_create_ibss.cold+0xbb/0xf1 net/mac80211/ibss.c:1346
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1476 [inline]
 ieee80211_ibss_work.cold+0x266/0x565 net/mac80211/ibss.c:1700
 ieee80211_iface_work+0x690/0x770 net/mac80211/iface.c:1383
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 8477:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc_track_caller+0x155/0x400 mm/slab.c:3735
 kmemdup+0x23/0x50 mm/util.c:118
 kmemdup include/linux/string.h:445 [inline]
 ieee80211_ibss_join+0x761/0xd70 net/mac80211/ibss.c:1812
 rdev_join_ibss net/wireless/rdev-ops.h:521 [inline]
 __cfg80211_join_ibss+0x5bc/0xd90 net/wireless/ibss.c:132
 cfg80211_join_ibss+0x70/0x90 net/wireless/ibss.c:155
 nl80211_join_ibss+0xb4f/0xf00 net/wireless/nl80211.c:8626
 genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600
 genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8478:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 ieee80211_ibss_leave+0x83/0xd8 net/mac80211/ibss.c:1863
 rdev_leave_ibss net/wireless/rdev-ops.h:531 [inline]
 __cfg80211_leave_ibss+0x14c/0x6d0 net/wireless/ibss.c:217
 cfg80211_leave_ibss+0x54/0x70 net/wireless/ibss.c:234
 cfg80211_change_iface+0x791/0x13d0 net/wireless/util.c:1028
 nl80211_set_interface+0x588/0x760 net/wireless/nl80211.c:2929
 genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600
 genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880aa877100
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8880aa877100, ffff8880aa877120)
The buggy address belongs to the page:
page:ffffea0002aa1dc0 count:1 mapcount:0 mapping:ffff8880aa877000 index:0xffff8880aa877fc1
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880aa877000 ffff8880aa877fc1 000000010000003f
raw: ffffea0002c3bce0 ffffea0002ad8f60 ffff88813fe801c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aa877000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880aa877080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8880aa877100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                   ^
 ffff8880aa877180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880aa877200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2020/11/08 23:20 linux-4.14.y 6b6446efedb2 cba33199 .config log report syz C
ci2-linux-4-14 2020/10/28 16:05 linux-4.14.y 5b7a52cd2eef 96e03c1c .config log report syz C