From: Zhang Zhiyu
Date: Wed, 27 Dec 2023 17:02:41 +0800
Subject: A bug was found in Linux Kernel 6.6+: KASAN: slab-use-after-free in iommufd_test (with POC)
To: linux-kernel@vger.kernel.org, iommu@lists.linux.dev, jgg@ziepe.ca, kevin.tian@intel.com, joro@8bytes.org, will@kernel.org, robin.murphy@arm.com

Hi upstream community,

I am fuzzing an LTS version of Linux kernel 6.6 with my modified syzkaller and I found a bug named "KASAN: slab-use-after-free in iommufd_test". By analyzing the call trace in the bug report, I address the root cause of this bug at drivers/iommu/iommufd. An iommufd_object is allocated in one task through iommufd_fops_ioctl->iommufd_ioas_alloc_ioctl->iommufd_ioas_alloc and freed in another task through iommufd_fops_ioctl->iommufd_destroy. Then, when the kernel invokes the calls iommufd_fops_ioctl->iommufd_test->iommufd_test_add_reserved->iommufd_put_object, a use-after-free read occurs.

Detailed report, log, repro, and config can be found in this Google Drive link:
https://drive.usercontent.google.com/download?id=1nDJWUstYJNcC1zJ6q1rhB5zB0uV2yGvg&export=download&authuser=0&confirm=t

The steps to reproduce the bug:

1. Compile kernel 6.6 with the provided Linux-6.6.config.
2. Boot a QEMU VM that runs the compiled kernel.
3. scp the repro.c (repro.prog is not recommended) to the VM and compile it with gcc -pthread repro.c -o repro.
4. Execute ./repro; you will see the output get stuck for a while, and then KASAN is triggered and the kernel panics.
5. You can speed up the crash by setting up another ssh shell and executing ./repro again.

I have reproduced it on 6.6 and 6.6.1 (but haven't verified it on the latest version, 6.6.8, yet). I didn't find any related reports on the internet, which indicates that it may be a 0-day. I hope upstream can help check and fix it, and I'll be happy to assist if needed.

Best,
Zhiyu Zhang