From: Kyungtae Kim
Date: Thu, 17 May 2018 12:28:37 -0400
Subject: KASAN: use-after-free Write in do_con_write
To: gregkh@linuxfoundation.org, jslaby@suse.com
Cc: Byoungyoung Lee, linux-kernel@vger.kernel.org, DaeRyong Jeong
X-Mailing-List: linux-kernel@vger.kernel.org

We report the crash: "KASAN: use-after-free Write in do_con_write"

This crash was found in v4.17-rc3.
Specifically, memory access (write operation) is invalid, and it is detected by KASAN.
C repro code: https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/repro-c4a1f8.c
kernel config: https://kiwi.cs.purdue.edu/static/alexkkid-fuzzer/kernel-config-v4.17-rc3

Crash log:

==============================================================
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
Write of size 2 at addr ffff880000139042 by task getty/2803

CPU: 0 PID: 2803 Comm: getty Not tainted 4.17.0-rc3 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc7/0x138 lib/dump_stack.c:113
 print_address_description+0x6a/0x280 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x22f/0x350 mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 n_tty_write+0x763/0xea0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:958 [inline]
 tty_write+0x48c/0x870 drivers/tty/tty_io.c:1042
 __vfs_write+0x10d/0x610 fs/read_write.c:485
 vfs_write+0x187/0x500 fs/read_write.c:549
 ksys_write+0xd4/0x1a0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0xa4/0x460 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffa6267ac00
RSP: 002b:00007ffee1ff7538 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000607340 RCX: 00007ffa6267ac00
RDX: 0000000000000002 RSI: 00000000004059fb RDI: 0000000000000001
RBP: 0000000000000002 R08: 000000000000000a R09: 00007ffa62944670
R10: 00007ffee1ff7620 R11: 0000000000000246 R12: 00007ffee1ff8090
R13: 00007ffa62d65690 R14: 00000000004059fb R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0000004e40 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x0()
raw: 0000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0000004e60 ffffea0000004e60 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880000138f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880000138f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880000139000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff880000139080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880000139100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==============================================================

Thanks,
Kyungtae Kim
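As an added triage helper, not part of this report or of the kernel tree, the following Python parses the header fields and call trace of a KASAN report in the format above and picks out the first frame outside the KASAN/dump_stack machinery, which is where the faulting access actually happens. The sample input is constructed from the log in this message, and the function names are my own.

```python
import re

# Constructed sample input: the KASAN report from this message, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
Write of size 2 at addr ffff880000139042 by task getty/2803
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 do_con_write.part.20+0x1a14/0x1b70 drivers/tty/vt/vt.c:2397
 do_con_write drivers/tty/vt/vt.c:2790 [inline]
 con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2786
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ffa6267ac00
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>\S+) (?P<loc>\S+:\d+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
# One indented frame: symbol, optional file:line, optional [inline] tag.
FRAME_RE = re.compile(r"^\s+(?P<sym>\S+)(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?$")
# Frames that belong to the reporting machinery rather than to the bug itself.
HELPER_PREFIXES = ("lib/dump_stack.c", "mm/kasan/")

def parse_kasan_report(text):
    """Return the bug kind, access details and call-trace frames of one KASAN report."""
    report = {"frames": []}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            report.update(kind=m["kind"], symbol=m["sym"], location=m["loc"])
        elif m := ACCESS_RE.match(line):
            report.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          task=m["task"], pid=int(m["pid"]))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            report["frames"].append((m["sym"], m["loc"], bool(m["inline"])))
        elif in_trace:
            in_trace = False  # a register dump or blank line ends the trace
    if "kind" not in report or "op" not in report:
        raise ValueError("not a KASAN report")
    return report

def culprit_frame(report):
    """First frame with a source location outside the KASAN/dump_stack helpers."""
    for sym, loc, _ in report["frames"]:
        if loc and not loc.startswith(HELPER_PREFIXES):
            return sym, loc
    return None
```

Run against the full log above it reports a 2-byte write by getty into freed memory at vt.c:2397, which is the line a maintainer would open first.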