2022-11-23 19:20:13

by Sanan Hasanov

[permalink] [raw]
Subject: Syzkaller found a bug: KASAN: use-after-free Read in do_update_region

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel branch: linux-next 5.11.0-rc1+ (HEAD detached at 6a4b1f2dff55)

configuration file: https://drive.google.com/file/d/18W-8umgZVSm-KwvIzcBQpxRn74Q1S_Fa/view?usp=sharing

Unfortunately, we have no reproducer for this bug yet.

Thank you!

==================================================================
BUG: KASAN: use-after-free in do_update_region+0x571/0x5f0 drivers/tty/vt/vt.c:664
Read of size 2 at addr ffff888000100000 by task (agetty)/17350

CPU: 6 PID: 17350 Comm: (agetty) Not tainted 5.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
?__dump_stack lib/dump_stack.c:79 [inline]
?dump_stack+0x9c/0xcf lib/dump_stack.c:120
?print_address_description.constprop.0+0x1a/0x140 mm/kasan/report.c:230
?__kasan_report mm/kasan/report.c:396 [inline]
?kasan_report.cold+0x7f/0x10e mm/kasan/report.c:413
?do_update_region+0x571/0x5f0 drivers/tty/vt/vt.c:664
?csi_J+0x294/0xa10 drivers/tty/vt/vt.c:1568
?do_con_trol+0x1c23/0x53e0 drivers/tty/vt/vt.c:2420
?do_con_write+0xd92/0x1a40 drivers/tty/vt/vt.c:2911
?con_write+0x21/0x40 drivers/tty/vt/vt.c:3255
?process_output_block drivers/tty/n_tty.c:596 [inline]
?n_tty_write+0x3d6/0xe20 drivers/tty/n_tty.c:2335
?do_tty_write drivers/tty/tty_io.c:961 [inline]
?tty_write+0x438/0x790 drivers/tty/tty_io.c:1045
?vfs_write+0x1bf/0x760 fs/read_write.c:603
?ksys_write+0x100/0x210 fs/read_write.c:658
?do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
?entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fe7d10101b0
Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 19 7e 20 00 c3 0f 1f 84 00 00 00 00 00 83 3d 19 c2 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24
RSP: 002b:00007ffd1dee4fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000a RCX: 00007fe7d10101b0
RDX: 000000000000000a RSI: 00007fe7d247bcbe RDI: 0000000000000003
RBP: 00007fe7d247bcbe R08: 00007ffd1dee4fa0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: ffffffffffffffff R15: 00007ffd1dee52a0

The buggy address belongs to the page:
page:000000005dd3986c refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x100
flags: 0x0()
raw: 0000000000000000 ffff8881401fa300 ffff8881401fa300 0000000000000000
raw: 0000000000000000 0000000000000008 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
?ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
?ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
? ? ? ? ? ? ? ? ? ?^
?ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
?ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Best regards,
Sanan Hasanov.


2022-11-23 20:01:39

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: Syzkaller found a bug: KASAN: use-after-free Read in do_update_region

On Wed, Nov 23, 2022 at 06:38:01PM +0000, Sanan Hasanov wrote:
> Good day, dear maintainers,
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel branch: linux-next 5.11.0-rc1+ (HEAD detached at 6a4b1f2dff55)
>
> configuration file: https://drive.google.com/file/d/18W-8umgZVSm-KwvIzcBQpxRn74Q1S_Fa/view?usp=sharing
>
> Unfortunately, we have no reproducer for this bug yet.

Reproducer would be great, thanks. Otherwise this goes on the thousands
of other "syzbot-found-bugs-with-no-way-to-reproduce" pile that we
have...

> ==================================================================
> BUG: KASAN: use-after-free in do_update_region+0x571/0x5f0 drivers/tty/vt/vt.c:664
> Read of size 2 at addr ffff888000100000 by task (agetty)/17350
>
> CPU: 6 PID: 17350 Comm: (agetty) Not tainted 5.11.0-rc1+ #3

Wait, that's a VERY old and obsolete and known buggy kernel version.
Please test with something more modern, usually Linus's tree, or
linux-next or worst case, the latest stable release. 5.11-rc1 came out
almost 2 years ago, and over 150 thousand changes have happened since
then.

Not much we really can do about old obsolete kernels, sorry.

thanks,

greg k-h