2018-11-05 00:44:42

by Toralf Förster

Subject: 4.19.0: BUG: KASAN: use-after-free in memcmp+0x24/0x70

Got this splat on a stable hardened Gentoo (BTW, no chance to get 4.19.0 or 4.19.1 up and running on this headless server for longer than 1-2 minutes; it dies w/o any further log message)


Oct 22 22:24:58 mr-fox kernel: ==================================================================
Oct 22 22:24:58 mr-fox kernel: BUG: KASAN: use-after-free in memcmp+0x24/0x70
Oct 22 22:24:58 mr-fox kernel: Read of size 1 at addr ffff881b5f371e38 by task tor/3148
Oct 22 22:24:58 mr-fox kernel:
Oct 22 22:24:58 mr-fox kernel: CPU: 5 PID: 3148 Comm: tor Tainted: G T 4.19.0 #26
Oct 22 22:24:58 mr-fox kernel: Hardware name: ASUSTeK COMPUTER INC. Z10PA-U8 Series/Z10PA-U8 Series, BIOS 3403 03/01/2017
Oct 22 22:24:58 mr-fox kernel: Call Trace:
Oct 22 22:24:58 mr-fox kernel: dump_stack+0x5b/0x8b
Oct 22 22:24:58 mr-fox kernel: print_address_description+0x6b/0x360
Oct 22 22:24:58 mr-fox kernel: kasan_report+0x161/0x2e0
Oct 22 22:24:58 mr-fox kernel: ? memcmp+0x24/0x70
Oct 22 22:24:58 mr-fox kernel: ? kmem_cache_alloc+0xb4/0x160
Oct 22 22:24:58 mr-fox kernel: memcmp+0x24/0x70
Oct 22 22:24:58 mr-fox kernel: nf_conncount_count+0x1d5/0x730
Oct 22 22:24:58 mr-fox kernel: ? stack_access_ok+0x30/0x80
Oct 22 22:24:58 mr-fox kernel: ? tree_gc_worker+0x250/0x250
Oct 22 22:24:58 mr-fox kernel: ? __nf_ct_refresh_acct+0x78/0x110
Oct 22 22:24:58 mr-fox kernel: ? tcp_packet+0xa56/0x2150
Oct 22 22:24:58 mr-fox kernel: connlimit_mt+0x217/0x470
Oct 22 22:24:58 mr-fox kernel: ? connlimit_mt_check+0x80/0x80
Oct 22 22:24:58 mr-fox kernel: ? udp_mt+0x200/0x200
Oct 22 22:24:58 mr-fox kernel: ? init_conntrack+0x258/0x450
Oct 22 22:24:58 mr-fox kernel: ? nf_conntrack_free+0x90/0x90
Oct 22 22:24:58 mr-fox kernel: ? hash_conntrack_raw+0x15f/0x230
Oct 22 22:24:58 mr-fox kernel: ? ipt_do_table+0x533/0x820
Oct 22 22:24:58 mr-fox kernel: ? connlimit_mt_check+0x80/0x80
Oct 22 22:24:58 mr-fox kernel: ipt_do_table+0x533/0x820
Oct 22 22:24:58 mr-fox kernel: ? ipt_alloc_initial_table+0x2e0/0x2e0
Oct 22 22:24:58 mr-fox kernel: ? tcp_v4_connect+0x567/0x990
Oct 22 22:24:58 mr-fox kernel: ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Oct 22 22:24:58 mr-fox kernel: ? iov_iter_init+0xb0/0xb0
Oct 22 22:24:58 mr-fox kernel: ? stack_access_ok+0x30/0x80
Oct 22 22:24:58 mr-fox kernel: ? iptable_filter_net_exit+0x50/0x50
Oct 22 22:24:58 mr-fox kernel: nf_hook_slow+0x5a/0xd0
Oct 22 22:24:58 mr-fox kernel: __ip_local_out+0x15a/0x1a0
Oct 22 22:24:58 mr-fox kernel: ? ip_send_check+0x60/0x60
Oct 22 22:24:58 mr-fox kernel: ? ip_options_rcv_srr+0x510/0x510
Oct 22 22:24:58 mr-fox kernel: ? ip_copy_addrs+0x28/0x30
Oct 22 22:24:58 mr-fox kernel: ? __ip_queue_xmit+0x2d0/0x740
Oct 22 22:24:58 mr-fox kernel: ip_local_out+0x14/0x60
Oct 22 22:24:58 mr-fox kernel: __tcp_transmit_skb+0xc0f/0x15c0
Oct 22 22:24:58 mr-fox kernel: ? tcp_event_new_data_sent+0x130/0x130
Oct 22 22:24:58 mr-fox kernel: ? __tcp_select_window+0x560/0x560
Oct 22 22:24:58 mr-fox kernel: ? sched_clock_cpu+0x18/0x160
Oct 22 22:24:58 mr-fox kernel: ? rb_insert_color+0x351/0x3a0
Oct 22 22:24:58 mr-fox kernel: tcp_connect+0x9ba/0xc40
Oct 22 22:24:58 mr-fox kernel: ? tcp_fastopen_cookie_check+0xe0/0xe0
Oct 22 22:24:58 mr-fox kernel: ? tcp_make_synack+0x690/0x690
Oct 22 22:24:58 mr-fox kernel: ? __sys_socket+0xd9/0x150
Oct 22 22:24:58 mr-fox kernel: tcp_v4_connect+0x7d5/0x990
Oct 22 22:24:58 mr-fox kernel: ? tcp_v4_init_ts_off+0x60/0x60
Oct 22 22:24:58 mr-fox kernel: ? release_sock+0x8c/0xc0
Oct 22 22:24:58 mr-fox kernel: __inet_stream_connect+0x42a/0x6d0
Oct 22 22:24:58 mr-fox kernel: ? __fget+0x149/0x1c0
Oct 22 22:24:58 mr-fox kernel: ? inet_bind+0x80/0x80
Oct 22 22:24:58 mr-fox kernel: ? kmem_cache_alloc+0xb4/0x160
Oct 22 22:24:58 mr-fox kernel: ? check_stack_object+0x1f/0x60
Oct 22 22:24:58 mr-fox kernel: inet_stream_connect+0x3f/0x60
Oct 22 22:24:58 mr-fox kernel: ? __inet_stream_connect+0x6d0/0x6d0
Oct 22 22:24:58 mr-fox kernel: __sys_connect+0xff/0x1b0
Oct 22 22:24:58 mr-fox kernel: ? __ia32_sys_accept+0x50/0x50
Oct 22 22:24:58 mr-fox kernel: ? __fget_light+0xc7/0xe0
Oct 22 22:24:58 mr-fox kernel: ? fput+0x15/0xd0
Oct 22 22:24:58 mr-fox kernel: ? __sys_setsockopt+0x143/0x170
Oct 22 22:24:58 mr-fox kernel: ? sockfd_lookup_light+0xb0/0xb0
Oct 22 22:24:58 mr-fox kernel: ? __sys_socket+0xec/0x150
Oct 22 22:24:58 mr-fox kernel: ? sock_create_kern+0x10/0x10
Oct 22 22:24:58 mr-fox kernel: ? kernel_write+0x90/0x90
Oct 22 22:24:58 mr-fox kernel: __x64_sys_connect+0x39/0x40
Oct 22 22:24:58 mr-fox kernel: do_syscall_64+0x5e/0x140
Oct 22 22:24:58 mr-fox kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Oct 22 22:24:58 mr-fox kernel: RIP: 0033:0x7fc13d8e2a9f
Oct 22 22:24:58 mr-fox kernel: Code: 44 00 00 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 27 f7 ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 44 89 c7 89 44 24 08 e8 5d f7 ff ff 8b 44
Oct 22 22:24:58 mr-fox kernel: RSP: 002b:00007fff9cefeba0 EFLAGS: 00000293 ORIG_RAX: 000000000000002a
Oct 22 22:24:58 mr-fox kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc13d8e2a9f
Oct 22 22:24:58 mr-fox kernel: RDX: 0000000000000010 RSI: 00007fff9cefec60 RDI: 00000000000000c2
Oct 22 22:24:58 mr-fox kernel: RBP: 00005628b067f570 R08: 0000000000000000 R09: 0000000000000001
Oct 22 22:24:58 mr-fox kernel: R10: 00007fff9cefebe4 R11: 0000000000000293 R12: 00007fff9cefedbc
Oct 22 22:24:58 mr-fox kernel: R13: 00000000000000c2 R14: 00007fff9cefec60 R15: 00005628ace24ee0
Oct 22 22:24:58 mr-fox kernel:
Oct 22 22:24:58 mr-fox kernel: Allocated by task 3148:
Oct 22 22:24:58 mr-fox kernel: kmem_cache_alloc+0xb4/0x160
Oct 22 22:24:58 mr-fox kernel: nf_conncount_count+0x438/0x730
Oct 22 22:24:58 mr-fox kernel: connlimit_mt+0x217/0x470
Oct 22 22:24:58 mr-fox kernel: ipt_do_table+0x533/0x820
Oct 22 22:24:58 mr-fox kernel: nf_hook_slow+0x5a/0xd0
Oct 22 22:24:58 mr-fox kernel: __ip_local_out+0x15a/0x1a0
Oct 22 22:24:58 mr-fox kernel: ip_local_out+0x14/0x60
Oct 22 22:24:58 mr-fox kernel: __tcp_transmit_skb+0xc0f/0x15c0
Oct 22 22:24:58 mr-fox kernel: tcp_connect+0x9ba/0xc40
Oct 22 22:24:58 mr-fox kernel: tcp_v4_connect+0x7d5/0x990
Oct 22 22:24:58 mr-fox kernel: __inet_stream_connect+0x42a/0x6d0
Oct 22 22:24:58 mr-fox kernel: inet_stream_connect+0x3f/0x60
Oct 22 22:24:58 mr-fox kernel: __sys_connect+0xff/0x1b0
Oct 22 22:24:58 mr-fox kernel: __x64_sys_connect+0x39/0x40
Oct 22 22:24:58 mr-fox kernel: do_syscall_64+0x5e/0x140
Oct 22 22:24:58 mr-fox kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Oct 22 22:24:58 mr-fox kernel:
Oct 22 22:24:58 mr-fox kernel: Freed by task 0:
Oct 22 22:24:58 mr-fox kernel: kmem_cache_free+0x73/0x1c0
Oct 22 22:24:58 mr-fox kernel: rcu_process_callbacks+0x29a/0x680
Oct 22 22:24:58 mr-fox kernel: __do_softirq+0x12c/0x3c8
Oct 22 22:24:58 mr-fox kernel:
Oct 22 22:24:58 mr-fox kernel: The buggy address belongs to the object at ffff881b5f371e00
Oct 22 22:24:58 mr-fox kernel: which belongs to the cache nf_conncount_rb of size 96
Oct 22 22:24:58 mr-fox kernel: The buggy address is located 56 bytes inside of
Oct 22 22:24:58 mr-fox kernel: 96-byte region [ffff881b5f371e00, ffff881b5f371e60)
Oct 22 22:24:58 mr-fox kernel: The buggy address belongs to the page:
Oct 22 22:24:58 mr-fox kernel: page:ffffea006d7cdc40 count:1 mapcount:0 mapping:ffff881bf50a1dc0 index:0x0
Oct 22 22:24:58 mr-fox kernel: flags: 0x2ffe00000000100(slab)
Oct 22 22:24:58 mr-fox kernel: raw: 02ffe00000000100 dead000000000100 dead000000000200 ffff881bf50a1dc0
Oct 22 22:24:58 mr-fox kernel: raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
Oct 22 22:24:58 mr-fox kernel: page dumped because: kasan: bad access detected
Oct 22 22:24:58 mr-fox kernel:
Oct 22 22:24:58 mr-fox kernel: Memory state around the buggy address:
Oct 22 22:24:58 mr-fox kernel: ffff881b5f371d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
Oct 22 22:24:58 mr-fox kernel: ffff881b5f371d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
Oct 22 22:24:58 mr-fox kernel: >ffff881b5f371e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
Oct 22 22:24:58 mr-fox kernel: ^
Oct 22 22:24:58 mr-fox kernel: ffff881b5f371e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
Oct 22 22:24:58 mr-fox kernel: ffff881b5f371f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
Oct 22 22:24:58 mr-fox kernel: ==================================================================
Oct 22 22:24:58 mr-fox kernel: Disabling lock debugging due to kernel taint


I attached the config of 4.18.7, from which 4.19 was built, too.


--
Toralf
PGP C4EACDDE 0076E94E


Attachments:
config-4.18.17 (70.94 kB)
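For triaging a splat like the one above, the facts that matter are the bug kind, the faulting access, which slab cache the object came from, how far into the object the access landed, and whether the free ran from an RCU callback (here: "Freed by task 0" via rcu_process_callbacks, i.e. the nf_conncount_rb node was released by an RCU-deferred free while nf_conncount_count was still comparing it). The parser below is an added example, not part of the e-mail or of the kernel's own tooling; it runs over a constructed excerpt of the report's own lines and recovers those facts, including the 56-byte offset KASAN states.

```python
import re

# Constructed excerpt of the KASAN report quoted in the e-mail above, kept in
# the syslog form the page shows ("Oct 22 ... mr-fox kernel: ..." prefixes).
SAMPLE = """\
Oct 22 22:24:58 mr-fox kernel: BUG: KASAN: use-after-free in memcmp+0x24/0x70
Oct 22 22:24:58 mr-fox kernel: Read of size 1 at addr ffff881b5f371e38 by task tor/3148
Oct 22 22:24:58 mr-fox kernel: Allocated by task 3148:
Oct 22 22:24:58 mr-fox kernel: kmem_cache_alloc+0xb4/0x160
Oct 22 22:24:58 mr-fox kernel: nf_conncount_count+0x438/0x730
Oct 22 22:24:58 mr-fox kernel: Freed by task 0:
Oct 22 22:24:58 mr-fox kernel: kmem_cache_free+0x73/0x1c0
Oct 22 22:24:58 mr-fox kernel: rcu_process_callbacks+0x29a/0x680
Oct 22 22:24:58 mr-fox kernel: __do_softirq+0x12c/0x3c8
Oct 22 22:24:58 mr-fox kernel: The buggy address belongs to the object at ffff881b5f371e00
Oct 22 22:24:58 mr-fox kernel: which belongs to the cache nf_conncount_rb of size 96
"""

SYSLOG_PREFIX = re.compile(r"^.*?kernel:\s?")  # date, host and "kernel:" tag

def parse_kasan(text):
    # Returns the triage facts: bug kind, faulting access, alloc/free stacks,
    # slab cache, and the offset of the access inside the freed object.
    info = {"alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["where"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif line.startswith("Allocated by task"):
            section = "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            section, info["freed_by_task"] = "free_stack", int(m.group(1))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            section, info["object"] = None, int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["object_size"] = m.group(1), int(m.group(2))
        elif section and line:
            info[section].append(line.split("+")[0])  # symbol only, drop +off/size
    if "object" in info and "addr" in info:
        info["offset"] = info["addr"] - info["object"]  # KASAN's "N bytes inside of"
    # A free stack that runs through the RCU callback machinery means the object
    # was released by a deferred (call_rcu-style) free, so the reader in the
    # main trace was touching it outside any protection that free respected.
    info["freed_from_rcu"] = any(f.startswith("rcu_") for f in info["free_stack"])
    return info
```

The offset is recomputed from the two addresses rather than trusted from the text, which is a cheap cross-check when a report has been mangled by a mail client or log shipper.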