syzbot

KASAN: use-after-free Read in corrupted (3)

Status: fixed on 2019/08/27 17:15
Reported-by: syzbot+8a821b383523654227bf@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1262d, last: 1262d

Cause bisection: introduced by (bisect log):
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
similar bugs (5):

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in corrupted | C | | | 2 | 1668d | 1671d | 9/24 | fixed on 2018/07/09 18:05 |
| linux-4.14 | KASAN: use-after-free Read in corrupted | syz | error | | 1 | 283d | 754d | 0/1 | upstream: reported syz repro on 2020/11/15 10:58 |
| android-414 | KASAN: use-after-free Read in corrupted | C | | | 2 | 1222d | 1223d | 0/1 | public: reported C repro on 2019/08/03 12:36 |
| upstream | KASAN: use-after-free Read in corrupted (2) | syz | | | 1 | 1324d | 1324d | 0/24 | closed as invalid on 2019/04/25 11:05 |
| upstream | KASAN: use-after-free Read in corrupted (4) | C | done | error | 9 | 155d | 849d | 0/24 | upstream: reported C repro on 2020/08/11 12:47 |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in vsnprintf+0x1727/0x19a0 lib/vsprintf.c:2503
Read of size 8 at addr ffff8880952500a0 by task syz-executor.1/9180

CPU: 0 PID: 9180 Comm: syz-executor.1 Not tainted 5.2.0-rc5+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 8:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3326 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
 vm_area_dup+0x21/0x170 kernel/fork.c:343
 dup_mmap kernel/fork.c:528 [inline]
 dup_mm+0x8c4/0x13b0 kernel/fork.c:1341
 copy_mm kernel/fork.c:1397 [inline]
 copy_process.part.0+0x2cde/0x6790 kernel/fork.c:2032
 copy_process kernel/fork.c:1800 [inline]
 _do_fork+0x25d/0xfe0 kernel/fork.c:2369
 __do_sys_clone kernel/fork.c:2476 [inline]
 __se_sys_clone kernel/fork.c:2470 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2470
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2502230480:
------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLAB object 'shmem_inode_cache' (offset 1040, size 1)!
WARNING: CPU: 0 PID: 9180 at mm/usercopy.c:74 usercopy_warn+0xeb/0x110 mm/usercopy.c:74
Kernel panic - not syncing: panic_on_warn set ...
Shutting down cpus with NMI
Kernel Offset: disabled

Crashes (1):

| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-net-kasan-gce | 2019/06/26 10:16 | net-next | 045df37e743c | 0a8d1a96 | .config | log | report | syz | | | |