* scsi: use-after-free in sg_start_req
From: Dmitry Vyukov @ 2017-01-30  7:25 UTC (permalink / raw)
  To: Doug Gilbert, jejb, Martin K. Petersen, Al Viro, linux-scsi,
	LKML, Johannes Thumshirn
  Cc: syzkaller

Hello,

The following program triggers a use-after-free in sg_start_req:
https://gist.githubusercontent.com/dvyukov/be6561d2819fe30a78711234e53866b8/raw/1d75d4508f7a8ebb0b1ec0d18c0054fbffbc0708/gistfile1.txt

BUG: KASAN: use-after-free in bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248 at addr ffff8801c8c3ed00
Read of size 8 by task /9023
CPU: 0 PID: 9023 Comm:  Not tainted 4.9.0 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d451f420 ffffffff82346bdf ffffffff00000000 1ffff1003a8a3e17
 ffffed003a8a3e0f 0000000041b58ab3 ffffffff84b37e38 ffffffff823468f1
 ffffffff813183a6 ffff8801d451f0e0 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff82346bdf>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff82346bdf>] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [<ffffffff819de90c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:161
 [<ffffffff819deb91>] print_address_description mm/kasan/report.c:199 [inline]
 [<ffffffff819deb91>] kasan_report_error+0x1d1/0x4d0 mm/kasan/report.c:288
 [<ffffffff819def8e>] kasan_report mm/kasan/report.c:308 [inline]
 [<ffffffff819def8e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<ffffffff822820c1>] bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248
 [<ffffffff822c0d35>] __blk_rq_map_user_iov block/blk-map.c:56 [inline]
 [<ffffffff822c0d35>] blk_rq_map_user_iov+0x2c5/0x970 block/blk-map.c:133
 [<ffffffff822c1514>] blk_rq_map_user+0x134/0x1d0 block/blk-map.c:163
 [<ffffffff82d2abb1>] sg_start_req drivers/scsi/sg.c:1758 [inline]
 [<ffffffff82d2abb1>] sg_common_write.isra.20+0x12b1/0x1b00 drivers/scsi/sg.c:772
 [<ffffffff82d2fc45>] sg_write+0x785/0xda0 drivers/scsi/sg.c:675
 [<ffffffff81a27771>] __vfs_write+0x5b1/0x740 fs/read_write.c:510
 [<ffffffff81a29060>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff81a2d42b>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81a2d42b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84371941>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff8801c8c3ed00, in cache kmalloc-256 size: 256
Allocated:
PID = 9032
 [   52.586815] [<ffffffff8129c696>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 [   52.594037] [<ffffffff819ddba3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 [   52.600735] [<ffffffff819dde2a>] set_track mm/kasan/kasan.c:507 [inline]
 [   52.600735] [<ffffffff819dde2a>] kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:598
 [   52.607700] [<ffffffff819d940c>] __do_kmalloc mm/slab.c:3729 [inline]
 [   52.607700] [<ffffffff819d940c>] __kmalloc+0x12c/0x690 mm/slab.c:3738
 [   52.614520] [<ffffffff82d27deb>] kmalloc include/linux/slab.h:495 [inline]
 [   52.614520] [<ffffffff82d27deb>] kzalloc include/linux/slab.h:636 [inline]
 [   52.614520] [<ffffffff82d27deb>] sg_build_sgat drivers/scsi/sg.c:1808 [inline]
 [   52.614520] [<ffffffff82d27deb>] sg_build_indirect.isra.19+0x8b/0x540 drivers/scsi/sg.c:1834
 [   52.622591] [<ffffffff82d2832d>] sg_build_reserve+0x8d/0xb0 drivers/scsi/sg.c:1965
 [   52.629815] [<ffffffff82d29001>] sg_add_sfp drivers/scsi/sg.c:2152 [inline]
 [   52.629815] [<ffffffff82d29001>] sg_open+0xcb1/0x15b0 drivers/scsi/sg.c:329
 [   52.636503] [<ffffffff81a36b23>] chrdev_open+0x253/0x6b0 fs/char_dev.c:392
 [   52.643451] [<ffffffff81a1eeca>] do_dentry_open+0x6ca/0xc50 fs/open.c:753
 [   52.650660] [<ffffffff81a22ea5>] vfs_open+0x105/0x220 fs/open.c:866
 [   52.657351] [<ffffffff81a62c4f>] do_last fs/namei.c:3374 [inline]
 [   52.657351] [<ffffffff81a62c4f>] path_openat+0x100f/0x3830 fs/namei.c:3497
 [   52.664488] [<ffffffff81a69bf8>] do_filp_open+0x288/0x3f0 fs/namei.c:3532
 [   52.671538] [<ffffffff81a23dc5>] do_sys_open+0x535/0x710 fs/open.c:1053
 [   52.678484] [<ffffffff81a23fcd>] SYSC_open fs/open.c:1071 [inline]
 [   52.678484] [<ffffffff81a23fcd>] SyS_open+0x2d/0x40 fs/open.c:1066
 [   52.685000] [<ffffffff84371941>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 9032
 [   52.697636] [<ffffffff8129c696>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 [   52.704842] [<ffffffff819ddba3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 [   52.711522] [<ffffffff819de49f>] set_track mm/kasan/kasan.c:507 [inline]
 [   52.711522] [<ffffffff819de49f>] kasan_slab_free+0x6f/0xb0 mm/kasan/kasan.c:571
 [   52.718640] [<ffffffff819dc393>] __cache_free mm/slab.c:3507 [inline]
 [   52.718640] [<ffffffff819dc393>] kfree+0xd3/0x250 mm/slab.c:3824
 [   52.724979] [<ffffffff82d23bd2>] sg_remove_scat.isra.16+0x212/0x2d0 drivers/scsi/sg.c:1916
 [   52.732879] [<ffffffff82d2d583>] sg_ioctl+0x1903/0x3840 drivers/scsi/sg.c:970
 [   52.739745] [<ffffffff81a749bf>] vfs_ioctl fs/ioctl.c:43 [inline]
 [   52.739745] [<ffffffff81a749bf>] do_vfs_ioctl+0x1bf/0x1630 fs/ioctl.c:679
 [   52.746866] [<ffffffff81a75ebf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [   52.746866] [<ffffffff81a75ebf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [   52.753478] [<ffffffff84371941>] entry_SYSCALL_64_fastpath+0x1f/0xc2

On commit ca63ff9b11f958efafd8c8fa60fda14baec6149c

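As an added example (not part of this thread, and not the kernel's or syzkaller's own tooling), the following Python helper parses a KASAN report of the shape shown above into its use, allocation and free stacks, strips the allocator and KASAN-internal frames, and reports the first driver-level frame and the outermost captured frame of each stack. That is what a triager reads off this report: the object comes from the sg_open path, is freed on the sg_ioctl path by one task, and is still dereferenced on the sg_write path by another task, which points at missing lifetime protection on a shared object rather than a simple local bug. The embedded report is an excerpt of the one above with the mail wrapping undone; the list of "noise" paths and the use of the outermost frame as a proxy for the syscall path are this example's own assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: an excerpt of the KASAN report in the message above, with
# the mail-client line wrapping undone. Dropped frames do not change the result.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248 at addr ffff8801c8c3ed00
Read of size 8 by task /9023
Call Trace:
 [<ffffffff819de90c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:161
 [<ffffffff819def8e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<ffffffff822820c1>] bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248
 [<ffffffff82d2abb1>] sg_start_req drivers/scsi/sg.c:1758 [inline]
 [<ffffffff82d2abb1>] sg_common_write.isra.20+0x12b1/0x1b00 drivers/scsi/sg.c:772
 [<ffffffff82d2fc45>] sg_write+0x785/0xda0 drivers/scsi/sg.c:675
Object at ffff8801c8c3ed00, in cache kmalloc-256 size: 256
Allocated:
PID = 9032
 [   52.586815] [<ffffffff8129c696>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 [   52.600735] [<ffffffff819dde2a>] kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:598
 [   52.607700] [<ffffffff819d940c>] __kmalloc+0x12c/0x690 mm/slab.c:3738
 [   52.614520] [<ffffffff82d27deb>] sg_build_sgat drivers/scsi/sg.c:1808 [inline]
 [   52.622591] [<ffffffff82d2832d>] sg_build_reserve+0x8d/0xb0 drivers/scsi/sg.c:1965
 [   52.629815] [<ffffffff82d29001>] sg_open+0xcb1/0x15b0 drivers/scsi/sg.c:329
Freed:
PID = 9032
 [   52.697636] [<ffffffff8129c696>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 [   52.711522] [<ffffffff819de49f>] kasan_slab_free+0x6f/0xb0 mm/kasan/kasan.c:571
 [   52.718640] [<ffffffff819dc393>] kfree+0xd3/0x250 mm/slab.c:3824
 [   52.724979] [<ffffffff82d23bd2>] sg_remove_scat.isra.16+0x212/0x2d0 drivers/scsi/sg.c:1916
 [   52.732879] [<ffffffff82d2d583>] sg_ioctl+0x1903/0x3840 drivers/scsi/sg.c:970
"""

OFFSET = r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"            # "+0x12b1/0x1b00" after a symbol
HEADER_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in \S+ .* at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) by task .*/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at [0-9a-f]+, in cache (?P<cache>\S+) size")
PID_RE = re.compile(r"^PID = (?P<pid>\d+)$")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(?P<func>\S+?)" + OFFSET
                      + r"(?:\s+(?P<loc>\S+:\d+))?(?:\s+\[inline\])?\s*$")
SECTIONS = {"Call Trace:": "use", "Allocated:": "alloc", "Freed:": "free"}
# Allocator and KASAN-internal frames say nothing about the bug itself; the
# triage skips them. This path list is an assumption of the example.
NOISE = ("mm/kasan/", "mm/slab.c", "mm/slub.c", "include/linux/slab.h",
         "lib/dump_stack.c", "arch/x86/kernel/stacktrace.c")


class Frame(NamedTuple):
    func: str
    loc: Optional[str]  # None for frames without file:line (e.g. syscall entry)


def parse_kasan_report(text: str) -> dict:
    """Parse a KASAN report into {bug, addr, access, cache, pids, stacks}."""
    rep, section = {"pids": {}, "stacks": {}}, None
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            section = SECTIONS[line]
        elif m := HEADER_RE.search(line):
            rep["bug"], rep["addr"] = m["type"], m["addr"]
        elif m := ACCESS_RE.search(line):
            rep["access"], rep["pids"]["use"] = f"{m['kind']} of size {m['size']}", int(m["pid"])
        elif m := OBJECT_RE.search(line):
            rep["cache"], section = m["cache"], None   # "Object at" ends the use stack
        elif section and (m := PID_RE.match(line)):
            rep["pids"][section] = int(m["pid"])
        elif section and (m := FRAME_RE.search(line)):
            func = re.sub(r"\.(?:isra|constprop|part|cold)\.\d+$", "", m["func"])  # clone suffix
            rep["stacks"].setdefault(section, []).append(Frame(func, m["loc"]))
    return rep


def first_relevant(frames, prefix=""):
    """First frame under `prefix` whose location is not allocator/KASAN noise."""
    return next((f for f in frames if f.loc and f.loc.startswith(prefix)
                 and not f.loc.startswith(NOISE)), None)


def triage(rep: dict) -> dict:
    out = {"bug": rep.get("bug"), "object": f"{rep.get('cache')} at {rep.get('addr')}",
           "access": rep.get("access")}
    for sec in ("use", "alloc", "free"):
        frames = rep["stacks"].get(sec, [])
        site, drv = first_relevant(frames), first_relevant(frames, "drivers/")
        out[sec] = {"pid": rep["pids"].get(sec),
                    "site": f"{site.func} {site.loc}" if site else None,
                    "driver_site": f"{drv.func} {drv.loc}" if drv else None,
                    # outermost captured frame, used as a proxy for the syscall path
                    "entry": frames[-1].func if frames else None}
    notes = []
    if out["bug"] == "use-after-free" and out["use"]["pid"] != out["free"]["pid"]:
        notes.append("freed and used by different tasks: the object is shared, "
                     "so check the locking or refcounting that should guard it")
    if out["free"]["entry"] and out["free"]["entry"] != out["use"]["entry"]:
        notes.append(f"freed on the {out['free']['entry']} path while still reachable "
                     f"from the {out['use']['entry']} path: lifetime not tied to all users")
    out["notes"] = notes
    return out


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the embedded excerpt; the same parser can be pointed at any KASAN report of this (4.9-era) layout by feeding it the report text. Newer KASAN output differs in detail (no "Object at" line, "by task comm/pid" with a non-empty comm), so the regexes would need adjusting for those.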

* Re: scsi: use-after-free in sg_start_req
From: Bart Van Assche @ 2017-01-30 16:36 UTC (permalink / raw)
  To: linux-kernel, jthumshirn, dgilbert, martin.petersen, viro,
	dvyukov, linux-scsi, jejb
  Cc: syzkaller

On Mon, 2017-01-30 at 08:25 +0100, Dmitry Vyukov wrote:
> On commit ca63ff9b11f958efafd8c8fa60fda14baec6149c

What kernel have you been testing? That commit is not in any upstream kernel.

Bart.


* Re: scsi: use-after-free in sg_start_req
From: Dmitry Vyukov @ 2017-01-30 16:48 UTC (permalink / raw)
  To: Bart Van Assche
  Cc: linux-kernel, jthumshirn, dgilbert, martin.petersen, viro,
	linux-scsi, jejb, syzkaller

On Mon, Jan 30, 2017 at 5:36 PM, Bart Van Assche
<Bart.VanAssche@sandisk.com> wrote:
> On Mon, 2017-01-30 at 08:25 +0100, Dmitry Vyukov wrote:
>> On commit ca63ff9b11f958efafd8c8fa60fda14baec6149c
>
> What kernel have you been testing? That commit is not in any upstream kernel.

This is mmotm
git://git.kernel.org/pub/scm/linux/kernel/git/mhocko/mm.git
auto-latest ca63ff9b11f958efafd8c8fa60fda14baec6149c

commit ca63ff9b11f958efafd8c8fa60fda14baec6149c
Date:   Wed Jan 25 18:36:03 2017 +0800
    mm/migration: make isolate_movable_page always defined

