From: Kyungtae Kim
Date: Sat, 12 May 2018 09:47:41 -0400
Subject: Fwd: KASAN: use-after-free Write in do_con_write
To: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

---------- Forwarded message ----------
From: Kyungtae Kim
Date: Sat, May 12, 2018 at 9:47 AM
Subject: KASAN: use-after-free Write in do_con_write
To: gregkh@linuxfoundation.org, jslaby@suse.com, linux-kernel@vger.kernel.org
Cc: Byoungyoung Lee, DaeRyong Jeong

We report the crash: "KASAN: use-after-free Write in do_con_write"

This crash was found in v4.17-rc3.
Specifically, memory access (write operation) is invalid, and it is detected by KASAN.
C repro code: https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-c4a1f8.c
kernel config: https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:
==============================================================
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
Write of size 2 at addr ffff880000139042 by task getty/2803

CPU: 0 PID: 2803 Comm: getty Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 n_tty_write+0x763/0xea0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:958 [inline]
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffa6267ac00
RSP: 002b:00007ffee1ff7538 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000607340 RCX: 00007ffa6267ac00
RDX: 0000000000000002 RSI: 00000000004059fb RDI: 0000000000000001
RBP: 0000000000000002 R08: 000000000000000a R09: 00007ffa62944670
R10: 00007ffee1ff7620 R11: 0000000000000246 R12: 00007ffee1ff8090
R13: 00007ffa62d65690 R14: 00000000004059fb R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0000004e40 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x0()
raw: 0000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0000004e60 ffffea0000004e60 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880000138f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880000138f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880000139000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff880000139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880000139100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==============================================================

Thanks,
Kyungtae Kim
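As an added example (not part of the mailing-list post, the reporter's fuzzer, or the kernel tree), the following Python triage helper parses the KASAN report format shown above: it pulls out the bug class, access kind and size, faulting address and task, the call-trace frames, and the "Memory state" rows, then picks the first frame outside KASAN's own reporting code as the place to look and decodes the shadow byte that covers the faulting address. The sample input is a trimmed, constructed copy of this report; the regexes, the "blame frame" heuristic, and the SHADOW_LEGEND poison values (taken from mm/kasan/kasan.h of the v4.17 era) are assumptions of this example rather than anything the post defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the KASAN report in the post above
# (same header, access and memory-state lines; only some call-trace frames kept).
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
Write of size 2 at addr ffff880000139042 by task getty/2803

CPU: 0 PID: 2803 Comm: getty Not tainted 4.17.0-rc3 #2
Call Trace:
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
RIP: 0033:0x7ffa6267ac00
Memory state around the buggy address:
 ffff880000138f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880000139000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880000139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+) (?P<loc>\S+)$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)$")
# A frame is indented; the file:line part is optional (e.g. entry_SYSCALL_64_after_hwframe).
FRAME_RE = re.compile(r"^\s+(?P<sym>\S+)(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?$")
MEM_RE = re.compile(r"^(?P<mark>[> ])(?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")

SHADOW_SCALE = 8               # one shadow byte covers 8 bytes of kernel memory
ROW_BYTES = 16 * SHADOW_SCALE  # a "Memory state" row prints 16 shadow bytes
# Assumption: poison values as defined in mm/kasan/kasan.h of the v4.17 era.
SHADOW_LEGEND = {"00": "addressable", "fa": "global redzone",
                 "fb": "freed slab object", "fc": "kmalloc redzone",
                 "fe": "page redzone", "ff": "free page"}
KASAN_INTERNAL = ("mm/kasan/", "lib/dump_stack.c")  # frames that only report the bug


@dataclass
class Frame:
    symbol: str
    location: str
    inline: bool


@dataclass
class KasanReport:
    bug_type: str
    function: str
    location: str
    access: str
    size: int
    addr: int
    task: str
    pid: int
    frames: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row address -> list of 16 shadow bytes


def parse_kasan_report(text):
    """Turn one KASAN report into a KasanReport; raise on a missing BUG: or
    access line so a batch triage job fails loudly on an unexpected format."""
    header = access = None
    frames, shadow, in_trace = [], {}, False
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            header = m
        elif m := ACCESS_RE.match(line):
            access = m
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append(Frame(m["sym"], m["loc"] or "", bool(m["inline"])))
        elif m := MEM_RE.match(line):
            in_trace = False
            shadow[int(m["addr"], 16)] = m["bytes"].split()
        else:
            in_trace = False  # any other line (RIP:, registers, blank) ends the trace
    if header is None or access is None:
        raise ValueError("not a KASAN report: BUG:/access line missing")
    return KasanReport(header["bug"], header["func"], header["loc"],
                       access["kind"], int(access["size"]), int(access["addr"], 16),
                       access["task"], int(access["pid"]), frames, shadow)


def blame_frame(report):
    """First frame outside KASAN's reporting code: where the bad access was made."""
    for f in report.frames:
        if not f.location.startswith(KASAN_INTERNAL):
            return f
    return None


def shadow_byte_for_access(report):
    """Shadow byte covering the faulting address, decoded with SHADOW_LEGEND."""
    for row_addr, cells in report.shadow.items():
        if row_addr <= report.addr < row_addr + ROW_BYTES:
            byte = cells[(report.addr - row_addr) // SHADOW_SCALE]
            if 1 <= int(byte, 16) <= 7:  # partially addressable granule
                return byte, f"partial: first {int(byte, 16)} bytes addressable"
            return byte, SHADOW_LEGEND.get(byte, "unknown poison")
    return None


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r.bug_type} {r.access.lower()} of {r.size} bytes by {r.task}/{r.pid}")
    print("blame:", blame_frame(r).symbol, blame_frame(r).location)
    print("shadow:", shadow_byte_for_access(r))
```

Run on the sample, the helper reports a 2-byte write by getty/2803 attributed to do_con_write.part.20 at drivers/tty/vt/vt.c:2397, and the shadow byte under the faulting address decodes as 0xff, the free-page poison. That agrees with the report's "The buggy address belongs to the page" section (count:0, no slab object): the console write landed on a page that had already been returned to the page allocator, which is why KASAN classifies it as a use-after-free rather than an out-of-bounds access.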