From: Dipanjan Das <mail.dipanjan.das@gmail.com>
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, sean@poorly.run, airlied@linux.ie, daniel@ffwll.ch, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, fleischermarius@googlemail.com, its.priyanka.bose@gmail.com
Subject: KASAN: use-after-free Read in drm_gem_object_release
Date: Fri, 22 Jul 2022 09:23:14 -0700
Message-ID: <CANX2M5Ysmgv1b4toRxeTDiKtpJyv_-dTqsRediqd8NbT=RKObQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 12449 bytes --]

Hi,

We would like to report the following bug which has been found by our modified version of syzkaller.

======================================================
description: KASAN: use-after-free Read in drm_gem_object_release
affected file: drivers/gpu/drm/drm_gem.c
kernel version: 5.4.206
kernel commit: 981f87403bb9841f1e0b7953e12a51f09a47a4f0
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: attached
======================================================

Crash log:
======================================================
BUG: KASAN: use-after-free in drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952
Read of size 8 at addr ffff888069f2d110 by task syz-executor.2/9649

CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1a0/0x217 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374
 __kasan_report.cold+0x75/0x8d mm/kasan/report.c:506
 kasan_report+0x10/0x20 mm/kasan/common.c:645
 drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:106 [inline]
 drm_gem_vram_create+0x180/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f6b40bd24ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed
RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80

Allocated by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521
 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 kasan_set_free_info mm/kasan/common.c:334 [inline]
 __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline]
 ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390
 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline]
 drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888069f2d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 272 bytes inside of
 1024-byte region [ffff888069f2d000, ffff888069f2d400)
The buggy address belongs to the page:
page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40
raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888069f2d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: double-free or invalid-free in drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142

CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G B OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1a0/0x217 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374
 kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:468
 __kasan_slab_free+0x135/0x150 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f6b40bd24ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed
RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80

Allocated by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521
 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 kasan_set_free_info mm/kasan/common.c:334 [inline]
 __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline]
 ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390
 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline]
 drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888069f2d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 1024-byte region [ffff888069f2d000, ffff888069f2d400)
The buggy address belongs to the page:
page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40
raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888069f2cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff888069f2cf80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

-- 
Thanks and Regards,
Dipanjan

[-- Attachment #2: repro.syz --]
[-- Type: application/octet-stream, Size: 171 bytes --]

r0 = syz_open_dev$dri(&(0x7f0000000540), 0x2000000000000000, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000180)={0x7, 0xfc000, 0xc39}) (fail_nth: 20)

[-- Attachment #3: repro.c --]
[-- Type: text/x-csrc, Size: 5514 bytes --]

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <linux/capability.h>

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
            (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    /* Each '#' in the template is replaced by a decimal digit taken from a1. */
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

static void loop();

static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  setup_binderfs();
  loop();
  exit(1);
}

/* Arm the kernel's fault-injection framework for this thread: the nth
 * injectable call (e.g. a slab allocation) after this write will fail. */
static int inject_fault(int nth)
{
  int fd;
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  char buf[16];
  sprintf(buf, "%d", nth);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

/* Needs debugfs and CONFIG_FAULT_INJECTION_DEBUG_FS; failslab is mandatory
 * for this reproducer, the other knobs are best-effort. */
static void setup_fault()
{
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

uint64_t r[1] = {0xffffffffffffffff};

void loop(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000540, "/dev/dri/card#\000", 15);
  res = -1;
  res = syz_open_dev(0x20000540, 0x2000000000000000, 0);
  if (res != -1)
    r[0] = res;
  /* struct drm_mode_create_dumb at 0x20000180:
   * height = 7, width = 0xfc000, bpp = 0xc39, flags = 0 */
  *(uint32_t*)0x20000180 = 7;
  *(uint32_t*)0x20000184 = 0xfc000;
  *(uint32_t*)0x20000188 = 0xc39;
  *(uint32_t*)0x2000018c = 0;
  /* fail_nth: 20 from repro.syz; the 20th injectable allocation inside the
   * ioctl fails, which is what drives drm_gem_vram_create() into its error path. */
  inject_fault(20);
  syscall(__NR_ioctl, r[0], 0xc02064b2 /* DRM_IOCTL_MODE_CREATE_DUMB */, 0x20000180ul);
}

int main(void)
{
  /* syzkaller's fixed data area: the program's arguments live at 0x20000000. */
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  setup_fault();
  do_sandbox_none();
  return 0;
}
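The two KASAN reports above are one bug seen twice. The Freed-by trace shows that ttm_bo_init_reserved() itself drops the last reference (ttm_bo_put) when it fails, so the destroy callback has already kfree()d the object by the time drm_gem_vram_init()'s error path calls drm_gem_object_release() on it (the use-after-free at drm_gem_vram_helper.c:106) and drm_gem_vram_create()'s error path calls kfree() again (the double free at :142). The user-space model below is an added example, not code from this report, from the kernel or from syzkaller: every name in it is hypothetical, the allocator quarantines instead of freeing so the stale access can be counted rather than crash, and the "fixed" caller shows one way to honour an init routine that destroys on failure (all cleanup lives in the destroy callback, and a failed init means the caller owns nothing), not the patch the DRM maintainers applied.

```c
/* Model of the ownership rule the report above trips over. Names are
 * hypothetical and the allocator is a toy; this is not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy buffer object. The allocator quarantines instead of freeing, so the
 * object carries its own shadow state (a miniature KASAN) and a stale pointer
 * can be examined safely instead of crashing. */
struct bo {
	void (*destroy)(struct bo *bo); /* like ttm_buffer_object_destroy */
	int freed;                      /* shadow: how many times kfree() ran */
};

static int uaf_hits, double_free_hits, fail_next_init;
static struct bo *bo_alloc(void) { return calloc(1, sizeof(struct bo)); }

static void bo_free(struct bo *bo)              /* kfree(): records, never frees */
{
	if (bo->freed++ > 0)
		double_free_hits++;
}

static void gem_release(struct bo *bo)          /* drm_gem_object_release() */
{
	if (bo->freed)
		uaf_hits++;                     /* the "Read of size 8" in the report */
}

/* ttm_bo_init()'s contract, visible in the Freed-by trace above: on failure the
 * object's destroy callback has already run and the caller owns nothing.
 * fail_next_init plays the role of syzkaller's fail-nth. */
static int bo_init(struct bo *bo, void (*destroy)(struct bo *))
{
	bo->destroy = destroy;
	if (fail_next_init) {
		fail_next_init = 0;
		bo->destroy(bo);
		return -ENOMEM;
	}
	return 0;
}

static void destroy_kfree_only(struct bo *bo) { bo_free(bo); }

/* Caller shaped like 5.4's drm_gem_vram_init()/drm_gem_vram_create(): the GEM
 * release reads freed memory, then kfree() runs a second time. */
static int create_buggy(void)
{
	struct bo *bo = bo_alloc();
	if (!bo)
		return -ENOMEM;
	int ret = bo_init(bo, destroy_kfree_only);
	if (ret) {
		gem_release(bo);        /* use after free */
		bo_free(bo);            /* double free */
		return ret;
	}
	bo->destroy(bo);
	return 0;
}

/* Fixed caller: the destroy callback is the single place that releases the GEM
 * state and frees, so after a failed bo_init() the caller does nothing at all. */
static void destroy_release_and_free(struct bo *bo)
{
	gem_release(bo);                /* still live: release runs before the free */
	bo_free(bo);
}

static int create_fixed(void)
{
	struct bo *bo = bo_alloc();
	if (!bo)
		return -ENOMEM;
	int ret = bo_init(bo, destroy_release_and_free);
	if (ret)
		return ret;             /* bo is already gone: do not touch or free it */
	bo->destroy(bo);
	return 0;
}

struct verdict { int ret, uaf, double_free; };
/* One create() with the init step forced to fail; report what the shadow saw. */
static struct verdict run_with_fault(int (*create)(void))
{
	uaf_hits = double_free_hits = 0;
	fail_next_init = 1;
	int ret = create();
	struct verdict v = { ret, uaf_hits, double_free_hits };
	return v;
}

int main(void)
{
	struct verdict b = run_with_fault(create_buggy), f = run_with_fault(create_fixed);
	printf("buggy: ret=%d uaf=%d double_free=%d\n", b.ret, b.uaf, b.double_free);
	printf("fixed: ret=%d uaf=%d double_free=%d\n", f.ret, f.uaf, f.double_free);
	return 0;
}
```

Built with any C99 compiler, the buggy run reports one use-after-free and one double free for a single failed create, the fixed run reports none, and both still return -ENOMEM to the caller. The shape generalises beyond TTM: whenever an initialiser documents that it invokes the object's destroy callback on failure, the error path after it must contain no reference to the object, and the cleanup the caller would otherwise do belongs inside that callback.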
WARNING: multiple messages have this Message-ID (diff)
From: Dipanjan Das <mail.dipanjan.das@gmail.com> To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, sean@poorly.run, airlied@linux.ie, daniel@ffwll.ch, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Cc: fleischermarius@googlemail.com, syzkaller@googlegroups.com, its.priyanka.bose@gmail.com Subject: KASAN: use-after-free Read in drm_gem_object_release Date: Fri, 22 Jul 2022 09:23:14 -0700 [thread overview] Message-ID: <CANX2M5Ysmgv1b4toRxeTDiKtpJyv_-dTqsRediqd8NbT=RKObQ@mail.gmail.com> (raw) [-- Attachment #1: Type: text/plain, Size: 12449 bytes --] Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: KASAN: use-after-free Read in drm_gem_object_release affected file: drivers/gpu/drm/drm_gem.c kernel version: 5.4.206 kernel commit: 981f87403bb9841f1e0b7953e12a51f09a47a4f0 git tree: upstream kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667 crash reproducer: attached ====================================================== Crash log: ====================================================== BUG: KASAN: use-after-free in drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952 Read of size 8 at addr ffff888069f2d110 by task syz-executor.2/9649 CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G OE 5.4.206+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1a0/0x217 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374 __kasan_report.cold+0x75/0x8d mm/kasan/report.c:506 kasan_report+0x10/0x20 mm/kasan/common.c:645 drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:106 [inline] drm_gem_vram_create+0x180/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135 
drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f6b40bd24ed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003 RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80 Allocated by task 9649: save_stack+0x1b/0x80 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 
drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9649: save_stack+0x1b/0x80 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] kasan_set_free_info mm/kasan/common.c:334 [inline] __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478 __cache_free mm/slab.c:3425 [inline] kfree+0x10b/0x330 mm/slab.c:3756 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166 kref_put include/linux/kref.h:65 [inline] kref_put include/linux/kref.h:62 [inline] ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686 kref_put include/linux/kref.h:65 [inline] kref_put include/linux/kref.h:62 [inline] ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline] ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline] drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 
entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888069f2d000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 272 bytes inside of 1024-byte region [ffff888069f2d000, ffff888069f2d400) The buggy address belongs to the page: page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40 raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888069f2d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888069f2d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: double-free or invalid-free in drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142 CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G B OE 5.4.206+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1a0/0x217 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374 kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:468 __kasan_slab_free+0x135/0x150 mm/kasan/common.c:457 __cache_free mm/slab.c:3425 [inline] kfree+0x10b/0x330 mm/slab.c:3756 drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 
drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f6b40bd24ed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003 RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80 Allocated by task 9649: save_stack+0x1b/0x80 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9649: save_stack+0x1b/0x80 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] kasan_set_free_info mm/kasan/common.c:334 [inline] __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478 __cache_free mm/slab.c:3425 [inline] kfree+0x10b/0x330 mm/slab.c:3756 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166 kref_put include/linux/kref.h:65 [inline] kref_put include/linux/kref.h:62 [inline] ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686 kref_put include/linux/kref.h:65 [inline] kref_put include/linux/kref.h:62 [inline] ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline] ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline] drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888069f2d000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes 
inside of 1024-byte region [ffff888069f2d000, ffff888069f2d400) The buggy address belongs to the page: page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40 raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888069f2cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ffff888069f2cf80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc >ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== -- Thanks and Regards, Dipanjan [-- Attachment #2: repro.syz --] [-- Type: application/octet-stream, Size: 171 bytes --] r0 = syz_open_dev$dri(&(0x7f0000000540), 0x2000000000000000, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000180)={0x7, 0xfc000, 0xc39}) (fail_nth: 20) [-- Attachment #3: repro.c --] [-- Type: text/x-csrc, Size: 5514 bytes --] // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <endian.h> #include <errno.h> #include <fcntl.h> #include <sched.h> #include <stdarg.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mount.h> #include <sys/prctl.h> #include <sys/resource.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/time.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include <linux/capability.h> static bool write_file(const char* file, const char* what, ...) 
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// a0 is either a major number (0xc char / 0xb block) or a path template;
// every '#' in the template is replaced with a decimal digit taken from a1.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

static void loop();

// Standard syzkaller sandbox: resource limits plus private namespaces so the
// reproducer cannot disturb the rest of the system.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  setup_binderfs();
  loop();
  exit(1);
}

// /proc/thread-self/fail-nth: the nth fault-injection site hit by this thread
// (here the nth slab/page allocation) is made to fail.
static int inject_fault(int nth)
{
  int fd;
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  char buf[16];
  sprintf(buf, "%d", nth);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

// Enable kernel fault injection via debugfs; the kernel must be built with
// CONFIG_FAULT_INJECTION_DEBUG_FS and CONFIG_FAILSLAB (the failslab knob is
// the only one treated as fatal when missing).
static void setup_fault()
{
  static struct {
    const char* file;
    const char* val;
    bool fatal;
  } files[] = {
      {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
      {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
      {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
  };
  unsigned i;
  for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].file, files[i].val)) {
      if (files[i].fatal)
        exit(1);
    }
  }
}

uint64_t r[1] = {0xffffffffffffffff};

// Open a /dev/dri/cardN node, fill a struct drm_mode_create_dumb in the
// syzkaller data area and issue DRM_IOCTL_MODE_CREATE_DUMB (0xc02064b2) with
// the 20th allocation on the ioctl path forced to fail.
void loop(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000540, "/dev/dri/card#\000", 15);
  res = -1;
  res = syz_open_dev(0x20000540, 0x2000000000000000, 0);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x20000180 = 7;        // height
  *(uint32_t*)0x20000184 = 0xfc000;  // width
  *(uint32_t*)0x20000188 = 0xc39;    // bpp
  *(uint32_t*)0x2000018c = 0;        // flags
  inject_fault(20);
  syscall(__NR_ioctl, r[0], 0xc02064b2, 0x20000180ul);
}

int main(void)
{
  // Fixed anonymous mappings (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS); the
  // 16 MiB region at 0x20000000 holds the syscall arguments used in loop().
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  setup_fault();
  do_sandbox_none();
  return 0;
}
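The crash above is a lifetime bug on an error path. The "Freed by" stack shows ttm_bo_init failing under fault injection and dropping the last reference itself (ttm_bo_put, ttm_bo_release_list, kfree of the object that drm_gem_vram_create allocated), and the "use" stack shows drm_gem_vram_init then calling drm_gem_object_release on that same, already freed, object. Below is an added userspace model of that pattern next to a hardened form. It is example code written for this page, not kernel code and not part of the report: the names bo_init, bo_put, bo_destroy, gem_release, vram_init_buggy, vram_init_fixed and run_scenario are hypothetical stand-ins for the functions in the trace, and the shape of the fixed form is an assumption drawn from the trace, not the patch that resolved the bug.

```c
/* Added userspace model of the lifetime bug in the trace above, not kernel
 * code: bo_init, bo_put, gem_release and vram_init_* are hypothetical
 * stand-ins for ttm_bo_init, ttm_bo_put, drm_gem_object_release and
 * drm_gem_vram_init.  Freed objects stay mapped in a quarantine, so a
 * use-after-free is counted (like a KASAN report) instead of performed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct gem_object { bool initialised; };

/* Buffer object embedding its GEM object, as drm_gem_vram_object does. */
struct bo {
    int refcount;
    struct gem_object base;
    bool freed;              /* quarantine marker, the model's 'fb' shadow byte */
};

static int uaf_reports;      /* accesses to quarantined memory */
static int frees;            /* how often the destroy path ran */

/* drm_gem_object_release stand-in; the kernel would read freed memory here. */
static void gem_release(struct gem_object *obj)
{
    struct bo *bo = container_of(obj, struct bo, base);

    if (bo->freed) {
        uaf_reports++;       /* "BUG: KASAN: use-after-free Read" */
        return;
    }
    obj->initialised = false;
}

/* Refcount destroy callback: ttm_bo_release_list -> kfree in the trace. */
static void bo_destroy(struct bo *bo)
{
    gem_release(&bo->base);
    bo->freed = true;
    frees++;
}

static void bo_put(struct bo *bo)            /* kref_put */
{
    if (--bo->refcount == 0)
        bo_destroy(bo);
}

/* ttm_bo_init stand-in: takes the initial reference and, when the fault
 * injected setup fails, drops it again.  Ownership now lies with the refcount. */
static int bo_init(struct bo *bo, bool inject_fault)
{
    bo->refcount = 1;
    if (inject_fault) {
        bo_put(bo);          /* last reference: bo_destroy runs here */
        return -ENOMEM;
    }
    return 0;
}

/* Error path shaped like the drm_gem_vram_init frame in the trace. */
static int vram_init_buggy(struct bo *bo, bool inject_fault)
{
    bo->base.initialised = true;         /* drm_gem_object_init */
    int ret = bo_init(bo, inject_fault);
    if (ret)
        gem_release(&bo->base);          /* use-after-free: bo is in quarantine */
    return ret;
}

/* Hardened form: after bo_init took the reference, its destroy callback owns
 * all cleanup, so the error path returns without touching bo. */
static int vram_init_fixed(struct bo *bo, bool inject_fault)
{
    bo->base.initialised = true;
    return bo_init(bo, inject_fault);
}

/* One CREATE_DUMB-style allocation: returns the number of use-after-free
 * reports, or -1 if the object was not freed exactly once. */
static int run_scenario(bool buggy, bool inject_fault)
{
    struct bo *bo = calloc(1, sizeof(*bo));  /* kzalloc */
    int ret;

    if (!bo)
        abort();
    uaf_reports = frees = 0;
    ret = buggy ? vram_init_buggy(bo, inject_fault)
                : vram_init_fixed(bo, inject_fault);
    if (ret == 0)
        bo_put(bo);          /* normal teardown: last reference goes away */
    /* On failure the refcount already destroyed bo, so the caller must not
     * free it; the quarantine keeps it mapped until the scenario ends. */
    ret = (frees == 1) ? uaf_reports : -1;
    free(bo);
    return ret;
}
```

run_scenario(true, true) reproduces the report (one use-after-free, object freed once), while run_scenario(false, true) shows the hardened error path with no stray access and still exactly one free. The check that matters when reviewing code like this is the ownership hand-off: once an init routine has registered a destroy callback and taken the reference, a failure return means the callee already ran that callback, so neither the callee's own error label nor its caller (here drm_gem_vram_create, which did the kzalloc) may touch or free the object. The fail-nth knob in the reproducer is the cheapest way to exercise such error paths on a KASAN kernel.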