syzbot


KASAN: use-after-free Read in drm_getunique

Status: fixed on 2021/06/26 05:18
Reported-by: syzbot+eb9ee624949c6f815b8b@syzkaller.appspotmail.com
Fix commit: 7d233ba700ce drm: Fix use-after-free read in drm_getunique()
First crash: 607d, last: 439d

Fix bisection: fixed by (bisect log) :
commit 7d233ba700ceb593905ea82b42dadb4ec8ef85e9
Author: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Date: Tue Jun 8 11:04:36 2021 +0000

  drm: Fix use-after-free read in drm_getunique()

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in drm_getunique syz inconclusive 2 433d 433d 22/23 fixed on 2021/11/10 00:50
linux-4.14 KASAN: use-after-free Read in drm_getunique syz error 1 161d 601d 0/1 upstream: reported syz repro on 2020/12/15 15:58

Sample crash report:
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
==================================================================
BUG: KASAN: use-after-free in drm_getunique+0x1cc/0x260 drivers/gpu/drm/drm_ioctl.c:118
Read of size 4 at addr ffff8880af2fcc98 by task syz-executor.0/8431

CPU: 0 PID: 8431 Comm: syz-executor.0 Not tainted 4.19.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
 drm_getunique+0x1cc/0x260 drivers/gpu/drm/drm_ioctl.c:118
 drm_ioctl_kernel+0x208/0x2a0 drivers/gpu/drm/drm_ioctl.c:757
 drm_ioctl+0x507/0x9c0 drivers/gpu/drm/drm_ioctl.c:857
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e0f9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd079a87c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e0f9
RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
R13: 00007fff27d6482f R14: 00007fd079a889c0 R15: 000000000119c034

Allocated by task 8430:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 drm_master_create+0x40/0x590 drivers/gpu/drm/drm_auth.c:101
 drm_new_set_master+0x11c/0x4a0 drivers/gpu/drm/drm_auth.c:147
 drm_master_open+0xee/0x120 drivers/gpu/drm/drm_auth.c:257
 drm_open_helper drivers/gpu/drm/drm_file.c:376 [inline]
 drm_open+0x4e5/0x810 drivers/gpu/drm/drm_file.c:316
 drm_stub_open+0x290/0x410 drivers/gpu/drm/drm_drv.c:950
 chrdev_open+0x266/0x770 fs/char_dev.c:423
 do_dentry_open+0x4aa/0x1160 fs/open.c:796
 do_last fs/namei.c:3421 [inline]
 path_openat+0x793/0x2df0 fs/namei.c:3537
 do_filp_open+0x18c/0x3f0 fs/namei.c:3567
 do_sys_open+0x3b3/0x520 fs/open.c:1085
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8430:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 drm_master_destroy drivers/gpu/drm/drm_auth.c:356 [inline]
 kref_put include/linux/kref.h:70 [inline]
 drm_master_put+0x1b5/0x240 drivers/gpu/drm/drm_auth.c:367
 drm_new_set_master+0x2cd/0x4a0 drivers/gpu/drm/drm_auth.c:166
 drm_setmaster_ioctl+0x291/0x3a0 drivers/gpu/drm/drm_auth.c:199
 drm_ioctl_kernel+0x208/0x2a0 drivers/gpu/drm/drm_ioctl.c:757
 drm_ioctl+0x507/0x9c0 drivers/gpu/drm/drm_ioctl.c:857
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880af2fcc80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 512-byte region [ffff8880af2fcc80, ffff8880af2fce80)
The buggy address belongs to the page:
page:ffffea0002bcbf00 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ad6bc8 ffffea0002aff488 ffff88813bff0940
raw: 0000000000000000 ffff8880af2fc000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880af2fcb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880af2fcc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880af2fcc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880af2fcd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880af2fcd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2020/12/09 19:28 linux-4.19.y 4abf26854aad 99917735 .config log report syz
ci2-linux-4-19 2020/12/09 18:59 linux-4.19.y 4abf26854aad 99917735 .config log report info