Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp951749pxu; Sun, 25 Oct 2020 23:22:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyyJc8kh69KpUU3G8+8isWnPoQOOt3lGyKH8wANt4XaN+c+OMEgYBh6IN5el2CgnBP7PW3H X-Received: by 2002:a17:906:a89a:: with SMTP id ha26mr13858174ejb.533.1603693320145; Sun, 25 Oct 2020 23:22:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603693320; cv=none; d=google.com; s=arc-20160816; b=QJe5JdcH7SwBNPSOFmKJD4pkLSY1D0LGrY+RuKG1Ao/Qw8F4u/qq4BotpcSfU2Cay9 rW2tK+UOJwjlJb2HYfdbWeerf47RmbH8VFLGWaqnr/VuqAnS1+ftQSg9vmyARKzeGO9R 5enilmCtgcrGFllJCb0ObiXB4MmgqACAAQBoJdmlUPK27idvbNYMI1D6oFMrf9tiwo42 mtq5XlCzP3J82SQZngSqlz+ygFatiFN6G7hmz8c4jqwfopf84qf2667QI7h5WjZ/7l26 uEDo7Y6HCkTkjopBah+wJwBUkUhwNOG8ty3ilY+qEgc0Hde0fIsO9dc5S9aEJx+RzGHa emAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=Vt0uSw1mB/ZaasUfNjH+I5OWDz73d0Ci+yC5WIZEzSY=; b=QvODaiBvvHqTrpGZz11uIwcEuF7HoWa7QXkmZdlepFRBGmyf2ertuhaQj9vGijqWP/ Jas6gLU8D4jafDcK9wH3qcmW+MTIArvr2wmihELKQwQmgszbesboWSQxeNePiVp26+U+ 3M+q6V2Agg4zmrBvo816uP6kHQu1NiJSUOpRapf9Dz/pJHdYfJUD8jOrrzhbNLgWpWXq b+gvMr26VMd6nB7EpP+2G6yg1JhGU5ZlLjvWn/Zp8qYx0PgeR2yBLHCL6HWa0RapDqrs CggGe/fJYt2GAmS59YPjuIhVTQDLxABCAkVwBT3RMXyjs5Pz4YSySWoN9ujuywhum59p Kj2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uwO2QrjV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d11si5487604edj.223.2020.10.25.23.21.37; Sun, 25 Oct 2020 23:22:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uwO2QrjV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1421197AbgJZBhm (ORCPT + 99 others); Sun, 25 Oct 2020 21:37:42 -0400 Received: from mail-ej1-f44.google.com ([209.85.218.44]:39844 "EHLO mail-ej1-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1419334AbgJZBhm (ORCPT ); Sun, 25 Oct 2020 21:37:42 -0400 Received: by mail-ej1-f44.google.com with SMTP id qh17so11113588ejb.6; Sun, 25 Oct 2020 18:37:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=Vt0uSw1mB/ZaasUfNjH+I5OWDz73d0Ci+yC5WIZEzSY=; b=uwO2QrjVeIePWTHQlVOkBBS0TR0nrGUdOQPltqtGQdgnsbvBwHyevFG1t7usK8Nb/y 38vyUlHw9Exas5O2d9bwPAKArv1LeaWwECfaRYw2xaSi3nV59G+OXVJvj7yrlJe3lQeC Xbfu58IJyhU5/FQVN2a6nBEY1+w+Y/2ycWt7UNWZE8cVEC9QZSdjNIaXM51ClMAwQf8E pQjs61x72GlxHiUZf7byOtBlSN4kP4IXwe/+VVjV/rm7YP9ZlhtR4VYr/WyYxgoUw3Dy VsGQTt/uMv0MmlloV8u7x7NorvP1511ZBJJCL5zmL//+yd/SRtAre38SOpQRTnmLpLqk Lbbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=Vt0uSw1mB/ZaasUfNjH+I5OWDz73d0Ci+yC5WIZEzSY=; b=tfNRxoXdIufsgN7mskimiuGPqRf4WDwqt96aH/l5+OcHCpP7dyATZ15URwmwfKAV1o 6vYe/6+wBTAgH6xGqTMIK7tLpMKjjrvky0tgQVfx6cKIH62z0o7Mw+Gm3XDiJ3LhsjzC lshQzcMAzCvo9JRFtX0P2rGiqIA8f82j8igAijKmq8FCP4Vi/BpWLyrmyxwqV1DYCl9+ Sj0cLx2/JIfXPr0YekloNf9Ka20oXpFZhnPYpbAMiC7z76LQ8jRdVBr/0v9pnOdKWl86 V11XufjnlriZCROdmvuH7kwGAim731gKTB5QtRyeCd8O74OeeY6NGRdPwDmCsXGUWXwS b2fw== X-Gm-Message-State: AOAM531pKdcYGuzQBvpqPKVByDHYJNET1DqzOMHALwaZGdO/lPri4Bnr B/UJM01s86tIO7zcA1Q4ZS+vVAxh5ynozUgPuDuSbNosoYc= X-Received: by 2002:a17:906:715a:: with SMTP id z26mr13499333ejj.300.1603676257771; Sun, 25 Oct 2020 18:37:37 -0700 (PDT) MIME-Version: 1.0 From: Kyungtae Kim Date: Sun, 25 Oct 2020 21:37:26 -0400 Message-ID: Subject: KASAN: use-after-free Write in tty_init_dev To: Greg KH , Jiri Slaby Cc: USB list , LKML , syzkaller Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version of syzkaller). The bug happens when the freed object tty->port is accessed in tty_init_dev (line 1358). It seems tty->port is freed during the locking (i.e., tty_ldisc_lock) ahead (line 1355). ================================================================== BUG: KASAN: use-after-free in tty_init_dev+0x41a/0x440 drivers/tty/tty_io.c:1358 Write of size 8 at addr ffff888039317128 by task c4_fuzz/2278 CPU: 2 PID: 2278 Comm: c4_fuzz Not tainted 5.8.13 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa7/0xea lib/dump_stack.c:118 print_address_description.constprop.8+0x3f/0x60 mm/kasan/report.c:383 kasan_report.cold.11+0x20/0x37 mm/kasan/report.c:513 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:151 tty_init_dev+0x41a/0x440 drivers/tty/tty_io.c:1358 tty_open_by_driver drivers/tty/tty_io.c:1983 [inline] tty_open+0x554/0x870 drivers/tty/tty_io.c:2031 chrdev_open+0x1e9/0x5b0 fs/char_dev.c:414 do_dentry_open+0x434/0xf40 fs/open.c:828 vfs_open+0x9a/0xc0 fs/open.c:942 do_open fs/namei.c:3243 [inline] path_openat+0x1658/0x2570 fs/namei.c:3360 do_filp_open+0x15e/0x210 fs/namei.c:3387 do_sys_openat2+0x2e0/0x570 fs/open.c:1179 do_sys_open+0x88/0xc0 fs/open.c:1195 ksys_open ./include/linux/syscalls.h:1388 [inline] __do_sys_open fs/open.c:1201 [inline] __se_sys_open fs/open.c:1199 [inline] __x64_sys_open+0x79/0xb0 fs/open.c:1199 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4379c0 Code: c2 c0 ff ff ff f7 d8 64 89 02 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 83 3d 51 06 29 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 64 4b 00 00 c3 48 83 ec 08 e8 3a 30 00 00 RSP: 002b:00007ffce63829f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 00000000004379c0 RDX: 000000000000000a RSI: 0000000000000002 RDI: 00007ffce6382edb RBP: 00007ffce6382a40 R08: 00000000006c5b60 R09: 00007ffce6382eee R10: 0000000000000400 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000401f20 R14: 0000000000401fb0 R15: 0000000000000000 Allocated by task 1544: save_stack+0x21/0x50 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:494 [inline] __kasan_kmalloc.constprop.6+0xc7/0xd0 mm/kasan/common.c:467 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508 kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851 kmalloc ./include/linux/slab.h:555 [inline] kzalloc ./include/linux/slab.h:669 [inline] gs_port_alloc drivers/usb/gadget/function/u_serial.c:1151 [inline] gserial_alloc_line_no_console+0xd7/0x840 drivers/usb/gadget/function/u_serial.c:1231 gserial_alloc_line+0x17/0x70 drivers/usb/gadget/function/u_serial.c:1265 gser_alloc_inst+0x8d/0xf0 drivers/usb/gadget/function/f_serial.c:327 try_get_usb_function_instance+0x10e/0x1c0 drivers/usb/gadget/functions.c:28 usb_get_function_instance+0x17/0x80 drivers/usb/gadget/functions.c:44 function_make+0xf9/0x390 drivers/usb/gadget/configfs.c:588 configfs_mkdir+0x3f8/0xb40 fs/configfs/dir.c:1344 vfs_mkdir+0x38f/0x640 fs/namei.c:3641 do_mkdirat+0x113/0x1e0 fs/namei.c:3664 __do_sys_mkdir fs/namei.c:3680 [inline] __se_sys_mkdir fs/namei.c:3678 [inline] __x64_sys_mkdir+0x57/0x80 fs/namei.c:3678 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 2286: save_stack+0x21/0x50 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0x139/0x190 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:464 slab_free_hook mm/slub.c:1474 [inline] slab_free_freelist_hook mm/slub.c:1507 [inline] slab_free mm/slub.c:3072 [inline] kfree+0xef/0x3d0 mm/slub.c:4052 gserial_free_port+0x129/0x250 drivers/usb/gadget/function/u_serial.c:1195 gserial_free_line+0x11f/0x270 drivers/usb/gadget/function/u_serial.c:1212 gser_free_inst+0x3b/0x50 drivers/usb/gadget/function/f_serial.c:313 usb_put_function_instance+0x86/0xb0 drivers/usb/gadget/functions.c:77 serial_attr_release+0x15/0x20 drivers/usb/gadget/function/f_serial.c:262 config_item_cleanup fs/configfs/item.c:130 [inline] config_item_release fs/configfs/item.c:139 [inline] kref_put ./include/linux/kref.h:65 [inline] config_item_put.part.1+0x14e/0x1e0 fs/configfs/item.c:151 config_item_put+0xe/0x20 fs/configfs/item.c:149 configfs_rmdir+0x59c/0x870 fs/configfs/dir.c:1555 vfs_rmdir fs/namei.c:3704 [inline] vfs_rmdir+0x13f/0x440 fs/namei.c:3683 do_rmdir+0x2a3/0x330 fs/namei.c:3766 __do_sys_rmdir fs/namei.c:3784 [inline] __se_sys_rmdir fs/namei.c:3782 [inline] __x64_sys_rmdir+0x31/0x40 fs/namei.c:3782 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888039317000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 296 bytes inside of 2048-byte region [ffff888039317000, ffff888039317800) The buggy address belongs to the page: page:ffffea0000e4c400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0000e4c400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c40e080 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888039317000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888039317080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888039317100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888039317180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888039317200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Regards, Kyungtae Kim