linux-mm.kvack.org archive mirror
* UAF kernel bug on page_alloc.c
@ 2020-03-15 20:12 Entropy Moe
  0 siblings, 0 replies; only message in thread
From: Entropy Moe @ 2020-03-15 20:12 UTC (permalink / raw)
  To: linux-mm

Hello,
I want to report a bug in the Linux kernel 5.6+.

==================================================================
BUG: KASAN: wild-memory-access in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: wild-memory-access in page_ref_count
include/linux/page_ref.h:67 [inline]
BUG: KASAN: wild-memory-access in put_page_testzero
include/linux/mm.h:587 [inline]
BUG: KASAN: wild-memory-access in __free_pages+0x1b/0xa0 mm/page_alloc.c:4798
Read of size 4 at addr 0720072007200754 by task syz-executor.4/26529

CPU: 1 PID: 26529 Comm: syz-executor.4 Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc6/0x11e lib/dump_stack.c:118
 __kasan_report+0x18f/0x1c0 mm/kasan/report.c:510
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 page_ref_count include/linux/page_ref.h:67 [inline]
 put_page_testzero include/linux/mm.h:587 [inline]
 __free_pages+0x1b/0xa0 mm/page_alloc.c:4798
 __vunmap+0x583/0x8d0 mm/vmalloc.c:2315
 __vfree+0x2e/0xb0 mm/vmalloc.c:2363
 vfree+0x41/0x70 mm/vmalloc.c:2393
 kcov_put+0x26/0x40 kernel/kcov.c:396
 kcov_close+0xc/0x10 kernel/kcov.c:495
 __fput+0x27e/0x770 fs/file_table.c:280
 task_work_run+0x129/0x1a0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa83/0x2b00 kernel/exit.c:801
 do_group_exit+0xff/0x310 kernel/exit.c:899
 get_signal+0x3c0/0x1f70 kernel/signal.c:2734
 do_signal+0x8f/0x14d0 arch/x86/kernel/signal.c:813
 exit_to_usermode_loop+0x13f/0x180 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x3eb/0x520 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c679
Code: Bad RIP value.
RSP: 002b:00007f8df74a5cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000076bf08 RCX: 000000000045c679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000076bf08
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000076bf0c
R13: 00007fff1295107f R14: 00007f8df74a69c0 R15: 000000000076bf0c
==================================================================
