From: Sasha Levin
To: Miklos Szeredi
Cc: linux-fsdevel, LKML
Subject: fuse: use after free reading/writing
Date: Tue, 19 Apr 2016 07:08:10 -0700 (PDT)
Message-ID: <57163BCA.6080406@oracle.com>

Hi all,

I've hit the following while fuzzing with syzkaller inside a KVM tools guest running the latest -next kernel:

[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365272] =============================================================================
[ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
[ 1065.365295] -----------------------------------------------------------------------------
[ 1065.365295]
[ 1065.365304] Disabling lock debugging due to kernel taint
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365397] ___slab_alloc+0x7af/0x870
[ 1065.365419] __slab_alloc.isra.22+0xf4/0x130
[ 1065.365440] kmem_cache_alloc+0x188/0x2b0
[ 1065.365467] __fuse_request_alloc+0x2b/0xf0
[ 1065.365496] __fuse_get_req+0x3f4/0x5b0
[ 1065.365520] fuse_get_req_for_background+0x22/0x30
[ 1065.365546] cuse_channel_open+0x210/0x830
[ 1065.365590] misc_open+0x42f/0x460
[ 1065.365616] chrdev_open+0x412/0x500
[ 1065.365641] do_dentry_open+0x6cc/0xba0
[ 1065.365667] vfs_open+0x1da/0x1f0
[ 1065.365694] path_openat+0x3291/0x3d10
[ 1065.365716] do_filp_open+0x1df/0x280
[ 1065.365732] do_sys_open+0x25c/0x440
[ 1065.365745] SyS_open+0x2d/0x40
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365784] __slab_free+0x6a/0x2f0
[ 1065.365796] kmem_cache_free+0x257/0x2c0
[ 1065.365809] fuse_request_free+0xa8/0xb0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.365836] request_end+0x66a/0x6b0
[ 1065.365849] fuse_dev_do_write+0xa9d/0xc00
[ 1065.365862] fuse_dev_write+0x195/0x1f0
[ 1065.365875] __vfs_write+0x44b/0x520
[ 1065.365888] vfs_write+0x225/0x4a0
[ 1065.365901] SyS_write+0xe5/0x1b0
[ 1065.365935] do_syscall_64+0x2a6/0x4a0
[ 1065.365991] return_from_SYSCALL_64+0x0/0x6a
[ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
[ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
[ 1065.366019]
[ 1065.366019] CPU: 1 PID: 2448 Comm: syz-executor Tainted: G B 4.6.0-rc3-next-20160412-sasha-00024-geaec67e-dirty #3002
[ 1065.366019] 0000000000000000 0000000014efd39a ffff8801add078b0 ffffffffa5fcce01
[ 1065.366019] ffffffff00000001 fffffbfff61ad290 0000000041b58ab3 ffffffffb0660568
[ 1065.366019] ffffffffa5fccc88 0000000014efd39a ffff8801b2bf4000 ffffffffb067e58e
[ 1065.366019] Call Trace:
[ 1065.366019] dump_stack (lib/dump_stack.c:53)
[ 1065.366019] print_trailer (mm/slub.c:668)
[ 1065.366019] object_err (mm/slub.c:675)
[ 1065.366019] kasan_report_error (mm/kasan/report.c:180 mm/kasan/report.c:276)
[ 1065.366019] __asan_report_load8_noabort (mm/kasan/report.c:319)
[ 1065.366019] fuse_dev_do_read.constprop.5 (./arch/x86/include/asm/bitops.h:311 fs/fuse/dev.c:1320)
[ 1065.366019] fuse_dev_read (fs/fuse/dev.c:1362)
[ 1065.366019] __vfs_read (fs/read_write.c:467 fs/read_write.c:478)
[ 1065.366019] vfs_read (fs/read_write.c:499)
[ 1065.366019] SyS_pread64 (fs/read_write.c:651 fs/read_write.c:638)
[ 1065.366019] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1065.366019] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1065.366019] Memory state around the buggy address:
[ 1065.366019]  ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019]  ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1065.366019]                                                              ^
[ 1065.366019]  ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1065.366019]  ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
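As an added triage helper that is not part of the mail above: a small parser that pulls the faulting access, its offset into the freed slab object, and the allocation and free stacks out of a KASAN/SLUB report of this shape. The sample lines are copied from the report above (trimmed); filtering frames by the substring "fuse" is an assumption about which frames a reviewer of this subsystem wants to see first.

```python
import re

# Sample lines copied from the KASAN report above (trimmed to what the parser needs).
REPORT = """\
[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365496] __fuse_get_req+0x3f4/0x5b0
[ 1065.365546] cuse_channel_open+0x210/0x830
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365796] kmem_cache_free+0x257/0x2c0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.365836] request_end+0x66a/0x6b0
[ 1065.365849] fuse_dev_do_write+0xa9d/0xc00
[ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s*")  # printk timestamp prefix
HEAD = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
OBJ = re.compile(r"INFO: Object 0x(?P<obj>[0-9a-f]+)")
FRAME = re.compile(r"^[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # symbol+offset/size

def parse_kasan(text):
    """Return the faulting access, its offset into the object, and the alloc/free stacks."""
    out = {"alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := HEAD.search(line):
            out.update(kind=m["kind"], func=m["func"].split("+")[0], addr=int(m["addr"], 16))
        elif m := ACCESS.search(line):
            out.update(op=m["op"], size=int(m["size"]), task=m["task"])
        elif line.startswith("INFO: Allocated in"):
            section = "alloc_stack"
        elif line.startswith("INFO: Freed in"):
            section = "free_stack"
        elif line.startswith("INFO:"):
            section = None
            if m := OBJ.search(line):
                out["offset_in_object"] = out["addr"] - int(m["obj"], 16)
        elif section and FRAME.match(line):
            out[section].append(line.split("+")[0])
    return out

def subsystem_frames(stack, needle="fuse"):
    """Keep only the frames from the subsystem under study, dropping allocator/VFS noise."""
    return [f for f in stack if needle in f]
```

For this report the access lands 0x38 bytes into the freed fuse_request, and the subsystem-level free path is fuse_dev_do_write -> request_end -> fuse_put_request -> fuse_request_free.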