Date: Mon, 18 Jul 2016 19:24:06 -0400
From: Dave Jones
To: Linux Kernel
Cc: linux-fsdevel@vger.kernel.org
Subject: 4.7-rc7: use-after-free in proc_map_files_readdir
Message-ID: <20160718232406.GB23178@codemonkey.org.uk>

Just caught this spew during a fuzz-run.

[ 4971.564511] ==================================================================
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.588672] =============================================================================
[ 4971.594906] BUG filp (Not tainted): kasan: bad access detected
[ 4971.601164] -----------------------------------------------------------------------------
[ 4971.613861] Disabling lock debugging due to kernel taint
[ 4971.620240] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745177006 cpu=2835364724 pid=-1
[ 4971.626727] 	0x6b6b6b6b6b6b6b6b
[ 4971.633166] 	0x6b6b6b6b6b6b6b6b
[ 4971.639529] 	0x6b6b6b6b6b6b6b6b
[ 4971.645834] 	0x6b6b6b6b6b6b6b6b
[ 4971.652056] 	0xa56b6b6b6b6b6b6b
[ 4971.658252] 	0xbbbbbbbbbbbbbbbb
[ 4971.664416] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080
[ 4971.677022] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
[ 4971.689825] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.702934] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.716295] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00  .........a......
[ 4971.729944] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[ 4971.743845] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.758049] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.772553] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.787315] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.802311] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.817570] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.833204] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.849141] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.865420] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.881880] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.898559] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.915402] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.932477] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.949740] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.967185] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.984931] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.002898] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.020815] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.038668] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.056646] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.074806] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.092958] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.111147] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.129424] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.148136] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.167204] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.186682] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.206126] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.225680] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.245233] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.264795] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.284354] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b                          kkkkkkkk
[ 4972.303840] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.323277] CPU: 2 PID: 29845 Comm: trinity-main Tainted: G B 4.7.0-rc7-think+ #2
[ 4972.342984]  ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b
[ 4972.352730]  ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195
[ 4972.362394]  ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff880101e48828
[ 4972.372007] Call Trace:
[ 4972.381463]  [] dump_stack+0x68/0x9d
[ 4972.390913]  [] print_trailer+0x115/0x1a0
[ 4972.400287]  [] object_err+0x34/0x40
[ 4972.409592]  [] kasan_report_error+0x216/0x540
[ 4972.418804]  [] ? kmem_cache_alloc_trace+0x150/0x3c0
[ 4972.427961]  [] ? kasan_kmalloc+0x5e/0x70
[ 4972.437028]  [] ? __fa_get_part.part.1+0x39/0xa0
[ 4972.446036]  [] ? memset+0x31/0x40
[ 4972.454942]  [] kasan_report+0x58/0x60
[ 4972.463762]  [] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4972.472545]  [] __asan_load4+0x61/0x80
[ 4972.481235]  [] proc_map_files_readdir+0x2e3/0x5a0
[ 4972.489878]  [] ? __lock_is_held+0x25/0xd0
[ 4972.498440]  [] ? proc_fill_cache+0x350/0x350
[ 4972.506913]  [] ? preempt_count_sub+0x18/0xd0
[ 4972.515308]  [] ? iterate_dir+0x6e/0x270
[ 4972.523617]  [] iterate_dir+0xce/0x270
[ 4972.531835]  [] SyS_getdents+0xf9/0x1c0
[ 4972.539960]  [] ? SyS_old_readdir+0x120/0x120
[ 4972.547985]  [] ? fillonedir+0x120/0x120
[ 4972.555937]  [] ? syscall_trace_enter_phase2+0x12d/0x3d0
[ 4972.563846]  [] ? SyS_old_readdir+0x120/0x120
[ 4972.571664]  [] do_syscall_64+0xf4/0x240
[ 4972.579406]  [] entry_SYSCALL64_slow_path+0x25/0x25
[ 4972.587084] Memory state around the buggy address:
[ 4972.594716]  ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4972.602347]  ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 4972.609910] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.617302]                                            ^
[ 4972.624636]  ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.631951]  ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.639157] ==================================================================
[ 4972.646802] ==================================================================
[ 4972.654020] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4972.668206] Read of size 4 by task trinity-main/29845
[ 4972.675263] =============================================================================
[ 4972.682417] BUG filp (Tainted: G B ): kasan: bad access detected
[ 4972.689458] -----------------------------------------------------------------------------
[ 4972.703585] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745178089 cpu=2835364724 pid=-1
[ 4972.710711] 	0x6b6b6b6b6b6b6b6b
[ 4972.717717] 	0x6b6b6b6b6b6b6b6b
[ 4972.724561] 	0x6b6b6b6b6b6b6b6b
[ 4972.731274] 	0x6b6b6b6b6b6b6b6b
[ 4972.737843] 	0xa56b6b6b6b6b6b6b
[ 4972.744278] 	0xbbbbbbbbbbbbbbbb
[ 4972.750567] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080
[ 4972.763271] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
[ 4972.775891] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.788457] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.801134] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00  .........a......
[ 4972.813794] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[ 4972.826504] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.839308] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.852301] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.865378] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.878776] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.892470] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.906480] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.920803] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.935382] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.950258] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.965469] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.981031] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.996940] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.013140] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.029845] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.046768] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.064196] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.081863] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.099761] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.118026] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.136261] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.154560] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.172809] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.191305] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.210307] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.229675] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.249401] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.269100] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.288884] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.308679] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.328658] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.348735] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b                          kkkkkkkk
[ 4973.368628] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4973.388562] CPU: 0 PID: 29845 Comm: trinity-main Tainted: G B 4.7.0-rc7-think+ #2
[ 4973.408490]  ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b
[ 4973.418458]  ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195
[ 4973.428289]  ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff88045bbc1660
[ 4973.438053] Call Trace:
[ 4973.447651]  [] dump_stack+0x68/0x9d
[ 4973.457263]  [] print_trailer+0x115/0x1a0
[ 4973.466793]  [] object_err+0x34/0x40
[ 4973.476232]  [] kasan_report_error+0x216/0x540
[ 4973.485591]  [] ? snprintf+0x91/0xc0
[ 4973.494861]  [] ? vsprintf+0x20/0x20
[ 4973.504012]  [] kasan_report+0x58/0x60
[ 4973.513100]  [] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4973.522213]  [] __asan_load4+0x61/0x80
[ 4973.531214]  [] proc_map_files_readdir+0x2e3/0x5a0
[ 4973.540194]  [] ? __lock_is_held+0x25/0xd0
[ 4973.549061]  [] ? proc_fill_cache+0x350/0x350
[ 4973.557882]  [] ? preempt_count_sub+0x18/0xd0
[ 4973.566574]  [] ? iterate_dir+0x6e/0x270
[ 4973.575182]  [] iterate_dir+0xce/0x270
[ 4973.583497]  [] SyS_getdents+0xf9/0x1c0
[ 4973.591838]  [] ? SyS_old_readdir+0x120/0x120
[ 4973.600091]  [] ? fillonedir+0x120/0x120
[ 4973.608254]  [] ? syscall_trace_enter_phase2+0x12d/0x3d0
[ 4973.616388]  [] ? SyS_old_readdir+0x120/0x120
[ 4973.624417]  [] do_syscall_64+0xf4/0x240
[ 4973.632372]  [] entry_SYSCALL64_slow_path+0x25/0x25
[ 4973.640253] Memory state around the buggy address:
[ 4973.648082]  ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4973.655847]  ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 4973.663498] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.671024]                                            ^
[ 4973.678505]  ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.686031]  ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.693425] ==================================================================
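An added triage helper, written for this page and not part of Dave's report or of the kernel tree: a Python script that parses a KASAN/SLUB splat like the two above and cross-checks KASAN's verdict against the slab poison that was actually read. The shadow-byte values are the ones from the 4.x kernel's mm/kasan/kasan.h and the poison bytes are from include/linux/poison.h; the `consistent_uaf` rule is this example's own heuristic, and the sample input is a trimmed copy of lines from the report above. Python rather than C because the task is log parsing, not kernel code.

```python
import re

# KASAN shadow-byte values (mm/kasan/kasan.h, 4.x); one byte covers SHADOW_SCALE bytes.
SHADOW_SCALE = 8
KASAN_SHADOW = {0xFF: "freed page", 0xFE: "page redzone (kmalloc_large)",
                0xFC: "kmalloc redzone inside a slab object",
                0xFB: "freed slab object (kmem_cache_free/kfree)", 0xFA: "global redzone",
                0xF1: "stack left", 0xF2: "stack mid", 0xF3: "stack right", 0xF4: "stack partial"}
# SLUB debug poison values from include/linux/poison.h.
SLUB_POISON = {0x5A: "POISON_INUSE", 0x6B: "POISON_FREE", 0xA5: "POISON_END",
               0xBB: "SLUB_RED_INACTIVE", 0xCC: "SLUB_RED_ACTIVE"}

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")                     # dmesg timestamp
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)"
                       r"/0x[0-9a-f]+ at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"BUG (?P<cache>\S+) \((?:Not tainted|Tainted:[^)]*)\): kasan")
OBJECT_RE = re.compile(r"INFO: Object 0x(?P<obj>[0-9a-f]+) @offset=\d+")
DUMP_RE = re.compile(r"(?:Object|Redzone|Padding) (?P<base>[0-9a-f]{16}): (?P<rest>.*)")
SHADOW_RE = re.compile(r">?(?P<base>[0-9a-f]{16}): (?P<rest>.*)")

def _hex_bytes(rest):
    # Leading two-hex-digit tokens only; the ASCII column ends the run.
    out = []
    for tok in rest.split():
        if len(tok) != 2 or any(c not in "0123456789abcdef" for c in tok):
            break
        out.append(int(tok, 16))
    return out

def split_reports(text):
    """One list of cleaned lines per 'BUG: KASAN:' splat in a dmesg excerpt."""
    chunks = [[]]
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if "BUG: KASAN:" in line:
            chunks.append([])
        if line:
            chunks[-1].append(line)
    return [c for c in chunks if c and "BUG: KASAN:" in c[0]]

def parse_kasan_report(lines):
    """Header, SLUB object dump and shadow rows of one splat, keyed by address."""
    rep, in_shadow = {"dump": {}, "shadow": {}}, False
    for line in lines:
        if (m := HEADER_RE.search(line)):
            rep.update(kind=m["kind"], func=m["func"],
                       func_off=int(m["off"], 16), addr=int(m["addr"], 16))
        elif (m := ACCESS_RE.search(line)):
            rep.update(rw=m["rw"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif (m := CACHE_RE.search(line)):
            rep["cache"] = m["cache"]
        elif (m := OBJECT_RE.search(line)):
            rep["object"] = int(m["obj"], 16)
        elif line.startswith("Memory state around"):
            in_shadow = True
        elif in_shadow and (m := SHADOW_RE.match(line)):
            for i, b in enumerate(_hex_bytes(m["rest"])):
                rep["shadow"][int(m["base"], 16) + i * SHADOW_SCALE] = b
        elif (m := DUMP_RE.match(line)):
            for i, b in enumerate(_hex_bytes(m["rest"])):
                rep["dump"][int(m["base"], 16) + i] = b
    return rep

def describe_shadow(b):
    if b is None:
        return "no shadow row covers this address"
    if 0 <= b <= 7:
        return "fully addressable" if b == 0 else f"partially addressable (first {b} bytes)"
    return KASAN_SHADOW.get(b, f"unknown shadow value 0x{b:02x}")

def triage(rep):
    """Cross-check KASAN's verdict against the SLUB poison actually read."""
    addr, size = rep["addr"], rep["size"]
    shadow = rep["shadow"].get(addr & ~(SHADOW_SCALE - 1))
    at = [rep["dump"].get(addr + i) for i in range(size)]
    poison = sorted({SLUB_POISON.get(b, f"0x{b:02x}") for b in at if b is not None})
    return {
        "site": f"{rep['func']}+0x{rep['func_off']:x}",
        "access": f"{rep['rw']} {size} bytes by {rep['task']}/{rep['pid']}",
        "cache": rep.get("cache"),
        "object_offset": addr - rep["object"] if "object" in rep else None,
        "shadow_byte": shadow, "shadow_meaning": describe_shadow(shadow),
        "bytes_at_addr": at, "poison": poison,
        # This example's own rule: slot marked freed AND the bytes read are SLUB's
        # free poison, so it is a genuine UAF read rather than a redzone hit.
        "consistent_uaf": (rep["kind"] == "use-after-free" and shadow == 0xFB
                           and poison == ["POISON_FREE"]),
    }

def same_site(a, b):
    """Same PC and same faulting address: one bug, reported twice."""
    return (a["func"], a["func_off"], a["addr"]) == (b["func"], b["func_off"], b["addr"])

# Sample input: lines copied from the report above (trimmed to the ones used).
SAMPLE = """\
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.594906] BUG filp (Not tainted): kasan: bad access detected
[ 4971.677022] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
[ 4971.932477] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.587084] Memory state around the buggy address:
[ 4972.609910] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.639157] ==================================================================
[ 4972.654020] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4972.668206] Read of size 4 by task trinity-main/29845
"""
```

Run on the report above it resolves the faulting address to offset 0xc4 inside the `filp` object, finds shadow byte 0xfb (freed slab object) and four bytes of 0x6b (POISON_FREE) at the address: KASAN's verdict and SLUB's poisoning agree that `proc_map_files_readdir` read a `struct file` that had already been freed, and `same_site` shows the second splat is the same PC and address reported again, not a second bug.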