syzbot

 sign-in | mailing list | source | docs
🐞 Open [712] 🐞 Fixed [297] 🐞 Invalid [838] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in __fput

Status: fixed on 2020/10/03 03:32
Reported-by: syzbot+b65d1d9e4b6cccde9bca@syzkaller.appspotmail.com
Fix commit: 37d933e8b41b fix regression in "epoll: Keep a reference on files added to the check list"
First crash: 1325d, last: 1325d
Fix bisection: fixed by (bisect log) :
commit 37d933e8b41b83bb8278815e366aec5a542b7e31
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000

  fix regression in "epoll: Keep a reference on files added to the check list"

  
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in __fput fs 23 2326d 2360d 4/26 fixed on 2018/02/13 04:59
upstream KASAN: use-after-free Read in __fput (2) fs 1 2200d 2192d 0/26 auto-closed as invalid on 2019/02/22 10:26
upstream KASAN: use-after-free Read in __fput (3) fs syz done unreliable 1 1330d 1326d 0/26 auto-obsoleted due to no activity on 2022/09/19 18:33

Sample crash report:
audit: type=1400 audit(1599036017.636:9): avc:  denied  { block_suspend } for  pid=6691 comm="syz-executor.0" capability=36  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Bluetooth: hci0: command 0x0409 tx timeout
Bluetooth: hci0: command 0x041b tx timeout
==================================================================
BUG: KASAN: use-after-free in fsnotify_close include/linux/fsnotify.h:233 [inline]
BUG: KASAN: use-after-free in __fput+0x76a/0x890 fs/file_table.c:264
Read of size 2 at addr ffff8880807dd670 by task syz-executor.0/7212

CPU: 1 PID: 7212 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load2_noabort+0x88/0x90 mm/kasan/report.c:431
 fsnotify_close include/linux/fsnotify.h:233 [inline]
 __fput+0x76a/0x890 fs/file_table.c:264
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd34b8bfc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000006
RBP: 000000000118d028 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 000000000118cfec
R13: 00007ffea2347baf R14: 00007fd34b8c09c0 R15: 000000000118cfec

Allocated by task 7212:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 sock_alloc_inode+0x19/0x250 net/socket.c:244
 alloc_inode+0x5d/0x180 fs/inode.c:211
 new_inode_pseudo+0x14/0xe0 fs/inode.c:911
 sock_alloc+0x3c/0x260 net/socket.c:547
 __sock_create+0xba/0x740 net/socket.c:1240
 sock_create net/socket.c:1316 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1346
 __do_sys_socket net/socket.c:1355 [inline]
 __se_sys_socket net/socket.c:1353 [inline]
 __x64_sys_socket+0x6f/0xb0 net/socket.c:1353
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7210:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 destroy_inode+0xb9/0x110 fs/inode.c:268
 iput_final fs/inode.c:1555 [inline]
 iput+0x4f1/0x860 fs/inode.c:1581
 dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
 __dentry_kill+0x3c0/0x640 fs/dcache.c:566
 dentry_kill+0xc4/0x510 fs/dcache.c:685
 dput+0x55f/0x640 fs/dcache.c:846
 __fput+0x415/0x890 fs/file_table.c:291
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880807dd640
 which belongs to the cache sock_inode_cache of size 992
The buggy address is located 48 bytes inside of
 992-byte region [ffff8880807dd640, ffff8880807dda20)
The buggy address belongs to the page:
page:ffffea000201f740 count:1 mapcount:0 mapping:ffff88821b6c6180 index:0xffff8880807ddffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000201fd48 ffffea000201fe88 ffff88821b6c6180
raw: ffff8880807ddffd ffff8880807dd1c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880807dd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880807dd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880807dd600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880807dd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880807dd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/02 08:42 linux-4.19.y f6d5cb9e2c06 abf9ba4f .config console log report syz ci2-linux-4-19
* Struck through repros no longer work on HEAD.