Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752553AbbKVOOz (ORCPT ); Sun, 22 Nov 2015 09:14:55 -0500 Received: from mail-wm0-f50.google.com ([74.125.82.50]:34365 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752230AbbKVOOx (ORCPT ); Sun, 22 Nov 2015 09:14:53 -0500 MIME-Version: 1.0 From: Dmitry Vyukov Date: Sun, 22 Nov 2015 15:14:31 +0100 Message-ID: Subject: Use-after-free in ppoll To: Rainer Weikusat , Jason Baron , Al Viro , David Miller , LKML , David Howells , netdev Cc: syzkaller , Kostya Serebryany , Alexander Potapenko , Sasha Levin , Eric Dumazet Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 9954 Lines: 241 Hello, On commit f2d10565b9bdbb722bd43e6e1a759eeddb9645c8 (Nov 20). The following program triggers use-after-free: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include void *thread(void *p) { syscall(SYS_write, (long)p, 0x2000278ful, 0x1ul, 0, 0, 0); return 0; } int main() { long r0 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x2ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); long r1 = syscall(SYS_socketpair, 0x1ul, 0x3ul, 0x0ul, 0x20001000ul, 0, 0); long r2 = -1; if (r1 != -1) r2 = *(uint32_t*)0x20001000; long r3 = -1; if (r1 != -1) r3 = *(uint32_t*)0x20001004; //long r4 = syscall(SYS_getuid, 0, 0, 0, 0, 0, 0); long r5 = syscall(SYS_close, r2, 0, 0, 0, 0, 0); pthread_t th; pthread_create(&th, 0, thread, (void*)(long)r3); long r6 = syscall(SYS_clock_gettime, 0x0ul, 0x20000ff0ul, 0, 0, 0, 0); long r7 = -1; if (r6 != -1) r7 = *(uint64_t*)0x20000ff0; long r8 = -1; if (r6 != -1) r8 = *(uint64_t*)0x20000ff8; *(uint32_t*)0x20000fff = r3; *(uint16_t*)0x20001003 = 0x8; *(uint16_t*)0x20001005 = 0x9; *(uint32_t*)0x20001007 = r3; *(uint16_t*)0x2000100b = 0x6; *(uint16_t*)0x2000100d = 0x22b; *(uint32_t*)0x2000100f = r3; *(uint16_t*)0x20001013 = 0xe7838d7e9fc50196; *(uint16_t*)0x20001015 = 0x9c2; *(uint64_t*)0x20000ffc = 0;//r7; *(uint64_t*)0x20001004 = /*r8+*/10000000; *(uint64_t*)0x20000ffd = 0x3; long r21 = syscall(SYS_ppoll, 0x20000ffful, 0x3ul, 0x20000ffcul, 0x20000ffdul, 0x8ul, 0); return 0; } [ 2672.994366] BUG: KASAN: use-after-free in do_raw_spin_lock+0x22/0x220 at addr ffff88003d8829c4 [ 2672.994366] Read of size 4 by task syzkaller_execu/6653 [ 2672.994366] ============================================================================= [ 2672.994366] BUG UNIX (Not tainted): kasan: bad access detected [ 2672.994366] ----------------------------------------------------------------------------- [ 2672.994366] [ 2672.994366] INFO: Allocated in sk_prot_alloc+0x53/0x220 age=11 cpu=1 pid=6653 [ 2672.994366] __slab_alloc+0x235/0x570 [ 2672.994366] kmem_cache_alloc+0x131/0x170 [ 2672.994366] sk_prot_alloc+0x53/0x220 [ 2672.994366] sk_alloc+0x38/0x1c0 [ 2672.994366] unix_create1+0x5a/0x260 [ 2672.994366] unix_create+0xc4/0x110 [ 2672.994366] __sock_create+0x31c/0x490 [ 2672.994366] SyS_socketpair+0x14c/0x3c0 [ 2672.994366] entry_SYSCALL_64_fastpath+0x31/0x9a [ 2672.994366] INFO: Freed in sk_destruct+0x1b5/0x260 age=12 cpu=1 pid=6653 [ 2672.994366] __slab_free+0x1ec/0x350 [ 2672.994366] kmem_cache_free+0x1ed/0x200 [ 2672.994366] sk_destruct+0x1b5/0x260 [ 2672.994366] __sk_free+0x61/0x110 [ 2672.994366] sk_free+0x30/0x40 [ 2672.994366] unix_dgram_poll+0x352/0x390 [ 2672.994366] sock_poll+0x13b/0x340 [ 2672.994366] do_sys_poll+0x405/0x860 [ 2672.994366] SyS_ppoll+0x1a9/0x310 [ 2672.994366] entry_SYSCALL_64_fastpath+0x31/0x9a [ 2672.994366] INFO: Slab 0xffffea0000f62000 objects=17 used=5 fp=0xffff88003d882440 flags=0x100000000004080 [ 2672.994366] INFO: Object 0xffff88003d882440 @offset=9280 fp=0xffff88003d880e80 [ 2672.994366] [ 2672.994366] CPU: 1 PID: 6653 Comm: syzkaller_execu Tainted: G B 4.4.0-rc1+ #66 [ 2672.994366] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 2672.994366] ffffea0000f62000 ffff88004cee76f0 ffffffff8165b3b7 ffff88003e28fa80 [ 2672.994366] ffff88003d882440 ffff88003d880000 ffff88004cee7720 ffffffff812c32c4 [ 2672.994366] ffff88003e28fa80 ffffea0000f62000 ffff88003d882440 ffff88003d8829c0 [ 2672.994366] Call Trace: [ 2672.994366] [] __asan_load4+0x6a/0x70 [ 2672.994366] [] do_raw_spin_lock+0x22/0x220 [ 2672.994366] [] _raw_spin_lock_irqsave+0x51/0x60 [ 2672.994366] [] remove_wait_queue+0x18/0x80 [ 2672.994366] [] poll_freewait+0x7b/0x130 [ 2672.994366] [] do_sys_poll+0x4dc/0x860 [ 2672.994366] [] SyS_ppoll+0x1a9/0x310 [ 2672.994366] ================================================================== [ 40.882065] BUG: KASAN: use-after-free in __lock_acquire+0x7ea/0x2600 at addr ffff88006d145f98 [ 40.882065] Read of size 8 by task a.out/13880 [ 40.882065] ============================================================================= [ 40.887431] BUG UNIX (Not tainted): kasan: bad access detected [ 40.887431] ----------------------------------------------------------------------------- [ 40.887431] [ 40.887431] INFO: Allocated in sk_prot_alloc+0x53/0x220 age=0 cpu=3 pid=13885 [ 40.887431] ___slab_alloc+0x489/0x4e0 [ 40.896414] __slab_alloc+0x4c/0x90 [ 40.896786] kmem_cache_alloc+0x131/0x170 [ 40.896786] sk_prot_alloc+0x53/0x220 [ 40.896786] sk_alloc+0x38/0x1c0 [ 40.896786] unix_create1+0x5a/0x260 [ 40.896786] unix_create+0xc4/0x110 [ 40.896786] __sock_create+0x31c/0x490 [ 40.896786] SyS_socketpair+0x101/0x3c0 [ 40.896786] entry_SYSCALL_64_fastpath+0x31/0x9a [ 40.896786] INFO: Freed in sk_destruct+0x1b5/0x260 age=0 cpu=1 pid=13888 [ 40.896786] __slab_free+0x1ec/0x350 [ 40.896786] kmem_cache_free+0x1ed/0x200 [ 40.896786] sk_destruct+0x1b5/0x260 [ 40.896786] __sk_free+0x61/0x110 [ 40.896786] sk_free+0x30/0x40 [ 40.896786] unix_release_sock+0x320/0x4e0 [ 40.896786] unix_release+0x35/0x60 [ 40.896786] sock_release+0x4e/0x100 [ 40.896786] sock_close+0x16/0x20 [ 40.896786] __fput+0x173/0x360 [ 40.896786] ____fput+0x15/0x20 [ 40.896786] task_work_run+0xe1/0x110 [ 40.896786] do_exit+0x55f/0x1690 [ 40.896786] do_group_exit+0xa7/0x190 [ 40.896786] get_signal+0x3d7/0xd80 [ 40.896786] do_signal+0x8c/0xa60 [ 40.896786] INFO: Slab 0xffffea0001b45000 objects=17 used=1 fp=0xffff88006d140000 flags=0x500000000004080 [ 40.896786] INFO: Object 0xffff88006d145a00 @offset=23040 fp=0xffff88006d144380 [ 40.896786] [ 40.896786] Call Trace: [ 40.896786] [] __asan_load8+0x64/0x70 [ 40.896786] [] __lock_acquire+0x7ea/0x2600 [ 40.896786] [] lock_acquire+0x101/0x1d0 [ 40.896786] [] _raw_spin_lock_irqsave+0x49/0x60 [ 40.896786] [] remove_wait_queue+0x18/0x80 [ 40.896786] [] poll_freewait+0x7b/0x130 [ 40.896786] [] do_sys_poll+0x4dc/0x860 [ 40.896786] [] SyS_ppoll+0x1a9/0x310 [ 40.896786] ================================================================== [ 198.125032] BUG: KASAN: use-after-free in __lock_acquire+0x7ea/0x2600 at addr ffff88006d271c18 [ 198.125032] Read of size 8 by task executor/12267 [ 198.125032] ============================================================================= [ 198.125032] BUG UNIX (Not tainted): kasan: bad access detected [ 198.125032] ----------------------------------------------------------------------------- [ 198.125032] [ 198.136373] INFO: Allocated in sk_prot_alloc+0x53/0x220 age=27 cpu=3 pid=12267 [ 198.136373] __slab_alloc+0x235/0x570 [ 198.136373] kmem_cache_alloc+0x131/0x170 [ 198.136373] sk_prot_alloc+0x53/0x220 [ 198.136373] sk_alloc+0x38/0x1c0 [ 198.136373] unix_create1+0x5a/0x260 [ 198.136373] unix_create+0xc4/0x110 [ 198.136373] __sock_create+0x31c/0x490 [ 198.136373] SyS_socketpair+0x14c/0x3c0 [ 198.136373] entry_SYSCALL_64_fastpath+0x31/0x9a [ 198.136373] INFO: Freed in sk_destruct+0x1b5/0x260 age=25 cpu=1 pid=12268 [ 198.136373] __slab_free+0x1ec/0x350 [ 198.136373] kmem_cache_free+0x1ed/0x200 [ 198.136373] sk_destruct+0x1b5/0x260 [ 198.136373] __sk_free+0x61/0x110 [ 198.136373] sk_free+0x30/0x40 [ 198.136373] unix_dgram_sendmsg+0x9f4/0xa50 [ 198.136373] sock_sendmsg+0x84/0xa0 [ 198.136373] sock_write_iter+0x142/0x1f0 [ 198.136373] __vfs_write+0x249/0x2a0 [ 198.136373] vfs_write+0x113/0x290 [ 198.136373] SyS_write+0xbb/0x170 [ 198.136373] entry_SYSCALL_64_fastpath+0x31/0x9a [ 198.136373] INFO: Slab 0xffffea0001b49c00 objects=17 used=6 fp=0xffff88006d272580 flags=0x500000000004080 [ 198.136373] INFO: Object 0xffff88006d271680 @offset=5760 fp=0xffff88006d275280 [ 198.136373] CPU: 3 PID: 12267 Comm: executor Tainted: G B 4.4.0-rc1+ #66 [ 198.136373] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 198.247087] ffffea0001b49c00 ffff88006cb9f540 ffffffff8165b3b7 ffff88003d98aac0 [ 198.247087] ffff88006d271680 ffff88006d270000 ffff88006cb9f570 ffffffff812c32c4 [ 198.247087] ffff88003d98aac0 ffffea0001b49c00 ffff88006d271680 0000000000000000 [ 198.247087] Call Trace: [ 198.247087] [] __asan_load8+0x64/0x70 [ 198.247087] [] __lock_acquire+0x7ea/0x2600 [ 198.247087] [] lock_acquire+0x101/0x1d0 [ 198.247087] [] _raw_spin_lock_irqsave+0x49/0x60 [ 198.247087] [] remove_wait_queue+0x18/0x80 [ 198.247087] [] poll_freewait+0x7b/0x130 [ 198.247087] [] do_sys_poll+0x4dc/0x860 [ 198.247087] [] SyS_ppoll+0x1a9/0x310 [ 198.247087] ================================================================== This can be related to "Use-after-free in ep_remove_wait_queue": https://groups.google.com/d/msg/syzkaller/3twDUI4Cpm8/EY6qWbrjCAAJ However, stacks are somewhat different, so maybe it is a different issue (or at least another test case). Thank you -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/