syzbot


KASAN: use-after-free Read in get_work_pool

Status: fixed on 2020/04/03 09:27
Reported-by: syzbot+6b501c1f0090a00786d1@syzkaller.appspotmail.com
Fix commit: b9eb60a0ef39 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
First crash: 1160d, last: 1070d

Fix bisection: fixed by (bisect log) :
commit b9eb60a0ef3971101c94f9cddb09708c2f900b35
Author: Eric Biggers <ebiggers@google.com>
Date: Sun Mar 22 03:43:04 2020 +0000

  vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in get_work_pool (2) C done 2 1066d 1156d 0/24 closed as dup on 2020/02/24 18:36
upstream KASAN: use-after-free Read in get_work_pool syz 8 1907d 1929d 4/24 fixed on 2018/03/23 18:14

Sample crash report:
audit: type=1400 audit(1575505903.980:36): avc:  denied  { map } for  pid=7004 comm="syz-executor412" path="/root/syz-executor412016431" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in get_work_pool+0x12f/0x150 kernel/workqueue.c:711
Read of size 8 at addr ffff88807e53ca08 by task syz-executor412/7014

CPU: 0 PID: 7014 Comm: syz-executor412 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
 atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
 get_work_pool+0x12f/0x150 kernel/workqueue.c:711
 start_flush_work kernel/workqueue.c:2819 [inline]
 flush_work+0x117/0x730 kernel/workqueue.c:2884
 __cancel_work_timer+0x2f0/0x480 kernel/workqueue.c:2956
 cancel_work_sync+0x18/0x20 kernel/workqueue.c:2992
 tty_buffer_cancel_work+0x16/0x20 drivers/tty/tty_buffer.c:607
 release_tty+0x3f4/0x7c0 drivers/tty/tty_io.c:1507
 tty_release_struct+0x3c/0x50 drivers/tty/tty_io.c:1616
 tty_release+0xaa3/0xd60 drivers/tty/tty_io.c:1776
 __fput+0x275/0x7a0 fs/file_table.c:210
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x114/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x7df/0x2ce0 kernel/exit.c:874
 do_group_exit+0x111/0x330 kernel/exit.c:977
 SYSC_exit_group kernel/exit.c:988 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:986
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43ff38
RSP: 002b:00007ffc3e5864c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7014:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 vc_allocate drivers/tty/vt/vt.c:772 [inline]
 vc_allocate+0x148/0x580 drivers/tty/vt/vt.c:753
 con_install+0x52/0x400 drivers/tty/vt/vt.c:2881
 tty_driver_install_tty drivers/tty/tty_io.c:1225 [inline]
 tty_init_dev drivers/tty/tty_io.c:1338 [inline]
 tty_init_dev+0xea/0x3a0 drivers/tty/tty_io.c:1315
 tty_open_by_driver drivers/tty/tty_io.c:1973 [inline]
 tty_open+0x414/0xa10 drivers/tty/tty_io.c:2021
 chrdev_open+0x207/0x590 fs/char_dev.c:423
 do_dentry_open+0x73b/0xeb0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:891
 do_last fs/namei.c:3425 [inline]
 path_openat+0x8bd/0x3f70 fs/namei.c:3566
 do_filp_open+0x18e/0x250 fs/namei.c:3600
 do_sys_open+0x2c5/0x430 fs/open.c:1084
 SYSC_open fs/open.c:1102 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1097
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7016:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 vt_disallocate_all+0x286/0x380 drivers/tty/vt/vt_ioctl.c:323
 vt_ioctl+0x76b/0x2170 drivers/tty/vt/vt_ioctl.c:816
 tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88807e53ca00
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 8 bytes inside of
 2048-byte region [ffff88807e53ca00, ffff88807e53d200)
The buggy address belongs to the page:
page:ffffea0001f94f00 count:1 mapcount:0 mapping:ffff88807e53c180 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88807e53c180 0000000000000000 0000000100000003
raw: ffffea0001f7ab20 ffffea00022649a0 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807e53c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e53c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e53ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807e53ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e53cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2019/12/05 00:35 linux-4.14.y fbc5fe7a54d0 b2088328 .config console log report syz C
* Struck through repros no longer work on HEAD.