syzbot


KASAN: use-after-free Read in handle_userfault

Status: fixed on 2018/01/10 09:03
Reported-by: syzbot+998c483ca801a50e3ce5b63a845216588ada5e2a@syzkaller.appspotmail.com
Fix commit: 0cbb4b4f4c44 userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
First crash: 1904d, last: 1795d
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in handle_userfault (3) 1 1385d 1385d 0/24 closed as invalid on 2019/02/12 06:42
upstream KASAN: use-after-free Read in handle_userfault (4) 14 165d 196d 0/24 auto-closed as invalid on 2022/08/15 08:51
upstream KASAN: use-after-free Read in handle_userfault (2) 1 1447d 1447d 0/24 closed as dup on 2019/01/07 09:45

Sample crash report:
audit: type=1400 audit(1513632854.976:7): avc:  denied  { map } for  pid=3149 comm="syzkaller213261" path="/root/syzkaller213261263" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0 fs/userfaultfd.c:371
Read of size 8 at addr ffff8801ca0f4da0 by task syzkaller213261/3156

CPU: 1 PID: 3156 Comm: syzkaller213261 Not tainted 4.15.0-rc4+ #227
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 handle_userfault+0x21c1/0x24c0 fs/userfaultfd.c:371
 do_huge_pmd_anonymous_page+0xe2c/0x1b00 mm/huge_memory.c:707
 create_huge_pmd mm/memory.c:3828 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504
 page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1094
RIP: 0033:0x4453e5
RSP: 002b:0000000020687000 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004453d9
RDX: 0000000020b4c000 RSI: 0000000020687000 RDI: 0000000000000600
RBP: 0000000000000000 R08: 00000000207a4f71 R09: 00007fb416266700
R10: 0000000020552ffc R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe289b94df R14: 00007fb4162669c0 R15: 0000000000000000

Allocated by task 3154:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
 dup_userfaultfd+0x21c/0x890 fs/userfaultfd.c:659
 dup_mmap kernel/fork.c:662 [inline]
 dup_mm kernel/fork.c:1197 [inline]
 copy_mm+0xa38/0x1310 kernel/fork.c:1251
 copy_process.part.38+0x1eb9/0x4ac0 kernel/fork.c:1753
 copy_process kernel/fork.c:1566 [inline]
 _do_fork+0x1ef/0xfb0 kernel/fork.c:2045
 SYSC_clone kernel/fork.c:2155 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2149
 do_syscall_64+0x26c/0x920 arch/x86/entry/common.c:285
 return_from_SYSCALL_64+0x0/0x75

Freed by task 3154:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kmem_cache_free+0x77/0x280 mm/slab.c:3746
 userfaultfd_ctx_put+0x50c/0x740 fs/userfaultfd.c:165
 userfaultfd_event_wait_completion+0x86d/0xae0 fs/userfaultfd.c:605
 dup_fctx fs/userfaultfd.c:693 [inline]
 dup_userfaultfd_complete+0x2de/0x480 fs/userfaultfd.c:701
 dup_mmap kernel/fork.c:730 [inline]
 dup_mm kernel/fork.c:1197 [inline]
 copy_mm+0xe9b/0x1310 kernel/fork.c:1251
 copy_process.part.38+0x1eb9/0x4ac0 kernel/fork.c:1753
 copy_process kernel/fork.c:1566 [inline]
 _do_fork+0x1ef/0xfb0 kernel/fork.c:2045
 SYSC_clone kernel/fork.c:2155 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2149
 do_syscall_64+0x26c/0x920 arch/x86/entry/common.c:285
 return_from_SYSCALL_64+0x0/0x75

The buggy address belongs to the object at ffff8801ca0f4c40
 which belongs to the cache userfaultfd_ctx_cache of size 360
The buggy address is located 352 bytes inside of
 360-byte region [ffff8801ca0f4c40, ffff8801ca0f4da8)
The buggy address belongs to the page:
page:000000003fea5f5a count:1 mapcount:0 mapping:00000000e8b86b1a index:0xffff8801ca0f4ff7
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ca0f4000 ffff8801ca0f4ff7 0000000100000009
raw: ffff8801d6b32a48 ffff8801d6b32a48 ffff8801d6a7c000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ca0f4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ca0f4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ca0f4d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff8801ca0f4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ca0f4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (151):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2017/12/18 21:35 upstream 1291a0d5049d 1c4160ef .config log report syz C
ci-upstream-kasan-gce 2017/12/18 18:05 upstream 1291a0d5049d 1c4160ef .config log report syz C
ci-upstream-kasan-gce 2017/10/02 07:17 upstream 368f89984bb9 c26ea367 .config log report syz C
ci-upstream-kasan-gce-386 2017/12/18 20:15 upstream 1291a0d5049d 1c4160ef .config log report syz C
ci-upstream-kasan-gce-386 2017/12/18 18:06 upstream 1291a0d5049d 1c4160ef .config log report syz C
ci-upstream-next-kasan-gce 2017/09/11 07:00 linux-next a31cc455c512 449b6f15 .config log report syz C
ci-upstream-next-kasan-gce 2017/09/11 06:53 linux-next a31cc455c512 449b6f15 .config log report syz C
ci-upstream-mmots-kasan-gce 2017/09/11 06:48 mmots d95e159cd1da 449b6f15 .config log report syz C
ci-upstream-kasan-gce 2017/12/28 11:33 upstream 5f520fc31876 7d240098 .config log report
ci-upstream-kasan-gce 2017/12/25 04:46 upstream 464e1d5f23cc 73aba437 .config log report
ci-upstream-kasan-gce 2017/11/10 03:30 upstream 87df26175e67 e0a2b195 .config log report
ci-upstream-kasan-gce 2017/11/03 23:52 upstream 866ba84ea30f e930d6f6 .config log report
ci-upstream-kasan-gce 2017/10/29 17:06 upstream 25a5d23b4799 80c74880 .config log report
ci-upstream-kasan-gce 2017/10/22 14:21 upstream b5ac3beb5a9f ab829b1b .config log report
ci-upstream-kasan-gce 2017/09/16 08:13 upstream b38923a068c1 96b8e399 .config log report
ci-upstream-kasan-gce-386 2017/12/26 13:11 upstream 464e1d5f23cc 73aba437 .config log report
ci-upstream-kasan-gce-386 2017/12/11 07:00 upstream 50c4c4e268a2 5ad0ce95 .config log report
ci-upstream-kasan-gce-386 2017/11/29 13:16 upstream 43570f0383d6 34f2c233 .config log report
ci-upstream-kasan-gce-386 2017/11/28 19:33 upstream 43f462f1c2e1 ac93d7e1 .config log report
ci-upstream-kasan-gce-386 2017/11/28 18:49 upstream 43f462f1c2e1 ac93d7e1 .config log report
ci-upstream-kasan-gce-386 2017/11/28 09:52 upstream 4fbd8d194f06 ac93d7e1 .config log report
ci-upstream-kasan-gce-386 2017/11/27 16:57 upstream 4fbd8d194f06 ac93d7e1 .config log report
ci-upstream-kasan-gce-386 2017/11/24 11:34 net-next 1d3b78bbc6e9 deb5f6ae .config log report
ci-upstream-kasan-gce-386 2017/10/26 04:02 upstream f34157878d3b 83d9c302 .config log report
ci-upstream-kasan-gce-386 2017/10/24 10:56 upstream 6cff0a118f23 92f543f0 .config log report
ci-upstream-kasan-gce-386 2017/10/15 04:26 upstream e7a36a6ec9cf c26ea367 .config log report
ci-upstream-kasan-gce-386 2017/10/12 05:30 upstream 56ae414e9d27 c26ea367 .config log report
ci-upstream-kasan-gce-386 2017/09/29 22:54 upstream 770b782f555d c26ea367 .config log report
ci-upstream-mmots-kasan-gce 2017/12/29 09:44 mmots 37759fa6d0fa 7d240098 .config log report
ci-upstream-mmots-kasan-gce 2017/12/24 21:38 mmots 37759fa6d0fa 73aba437 .config log report
ci-upstream-mmots-kasan-gce 2017/12/24 17:08 mmots 37759fa6d0fa 73aba437 .config log report
skylake-linux-next-kasan-qemu 2017/11/02 23:08 linux-next fa8785e862ef 02b8363d .config log report
ci-upstream-next-kasan-gce 2017/10/29 14:05 linux-next 36ef71cae353 e511d9f8 .config log report
skylake-linux-next-kasan-qemu 2017/10/27 21:35 linux-next 36ef71cae353 e511d9f8 .config log report
ci-upstream-next-kasan-gce 2017/10/22 00:09 linux-next 36ef71cae353 e511d9f8 .config log report
ci-upstream-next-kasan-gce 2017/10/07 06:40 linux-next 1418b852174a c26ea367 .config log report
ci-upstream-next-kasan-gce 2017/09/21 20:36 linux-next 43ec4ba69622 c26ea367 .config log report
ci-upstream-next-kasan-gce 2017/09/20 18:27 linux-next 0b093a564fe0 4e341009 .config log report
ci-upstream-mmots-kasan-gce 2017/09/17 18:21 mmots 720bbe532b7c c26ea367 .config log report
skylake-linux-next-kasan-qemu 2017/09/15 00:17 linux-next 31fc38c47623 96b8e399 .config log report
skylake-linux-next-kasan-qemu 2017/09/13 16:14 linux-next 6f20b7a58cb9 96b8e399 .config log report
* Struck through repros no longer work on HEAD.