syzbot


KASAN: use-after-free Write in get_ucounts

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+8c3af233123df0578a5c@syzkaller.appspotmail.com
Fix commit: 345daff2e994 ucounts: Fix race condition between alloc_ucounts and put_ucounts
First crash: 579d, last: 551d

Cause bisection: introduced by (bisect log) [no-op commit]:
commit b9fc8b4a591811546fec2dbef7e9f809362100c9
Author: Grant Seltzer <grantseltzer@gmail.com>
Date: Mon Feb 22 19:58:46 2021 +0000

  bpf: Add kernel/modules BTF presence checks to bpftool feature command

Crash: WARNING in kvm_wait (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit 345daff2e994ee844d6a609c37f085695fbb4c4d
Author: Alexey Gladkov <legion@kernel.org>
Date: Tue Jul 27 15:24:18 2021 +0000

  ucounts: Fix race condition between alloc_ucounts and put_ucounts


Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_add_negative include/asm-generic/atomic-instrumented.h:556 [inline]
BUG: KASAN: use-after-free in get_ucounts+0x28/0x160 kernel/ucount.c:152
Write of size 4 at addr ffff8880149c631c by task syz-executor.0/9601

CPU: 0 PID: 9601 Comm: syz-executor.0 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
 print_address_description+0x66/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x163/0x210 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:135 [inline]
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_add_negative include/asm-generic/atomic-instrumented.h:556 [inline]
 get_ucounts+0x28/0x160 kernel/ucount.c:152
 set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
 __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1ddba3c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000075
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 000000000000ee01
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffcddd8c8df R14: 00007f1ddba3c300 R15: 0000000000022000

Allocated by task 9301:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2983
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 alloc_ucounts+0x176/0x420 kernel/ucount.c:169
 set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
 __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 9601:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1625 [inline]
 slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1650
 slab_free mm/slub.c:3210 [inline]
 kfree+0xd0/0x1f0 mm/slub.c:4264
 put_cred_rcu+0x221/0x400 kernel/cred.c:124
 rcu_do_batch kernel/rcu/tree.c:2550 [inline]
 rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
 __do_softirq+0x372/0x783 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 insert_work+0x54/0x400 kernel/workqueue.c:1332
 __queue_work+0x928/0xc60 kernel/workqueue.c:1498
 queue_work_on+0x111/0x200 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
 kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
 uevent_store+0x20/0x60 drivers/base/core.c:2372
 kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0xa39/0xc90 fs/read_write.c:605
 ksys_write+0x171/0x2a0 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 insert_work+0x54/0x400 kernel/workqueue.c:1332
 __queue_work+0x928/0xc60 kernel/workqueue.c:1498
 queue_work_on+0x111/0x200 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
 kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
 uevent_store+0x20/0x60 drivers/base/core.c:2372
 kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0xa39/0xc90 fs/read_write.c:605
 ksys_write+0x171/0x2a0 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880149c6300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 28 bytes inside of
 192-byte region [ffff8880149c6300, ffff8880149c63c0)
The buggy address belongs to the page:
page:ffffea0000527180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x149c6
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00005db940 0000000c0000000c ffff888011041a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2026668314, free_ts 2026024162
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0xf1/0x540 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2800
 __slab_alloc mm/slub.c:2840 [inline]
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2981
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
 kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
 kernel_add_sysfs_param+0x106/0x126 kernel/params.c:798
 param_sysfs_builtin+0x145/0x1b9 kernel/params.c:833
 param_sysfs_init+0x68/0x6c kernel/params.c:952
 do_one_initcall+0x197/0x3f0 init/main.c:1282
 do_initcall_level+0x14a/0x1f5 init/main.c:1355
 do_initcalls+0x4b/0x8c init/main.c:1371
 kernel_init_freeable+0x3f1/0x57e init/main.c:1593
 kernel_init+0x19/0x2a0 init/main.c:1485
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x7e/0x550 mm/page_alloc.c:3411
 __vunmap+0x926/0xa70 mm/vmalloc.c:2587
 free_work+0x66/0x90 mm/vmalloc.c:82
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2422
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff8880149c6200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880149c6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880149c6300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880149c6380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880149c6400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2021/08/04 01:12 upstream d5ad8ec3cfb5 6c236867 .config console log report syz KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/07/07 15:12 upstream 3dbdb38e2869 4846d5c1 .config console log report syz KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/08/04 22:30 upstream 251a1524293d b97d64c9 .config console log report info KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/08/03 20:45 upstream d5ad8ec3cfb5 6c236867 .config console log report info KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/07/31 22:49 upstream f3438b4c4e69 6c236867 .config console log report info KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/07/18 09:05 upstream 1d67c8d993ba f115ae98 .config console log report info KASAN: use-after-free Write in get_ucounts
ci-upstream-kasan-gce-smack-root 2021/07/08 01:59 upstream 3dbdb38e2869 95793bce .config console log report info KASAN: use-after-free Write in get_ucounts
* Struck through repros no longer work on HEAD.