From: syzbot <syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com>
To: ebiederm@xmission.com, legion@kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts
Date: Fri, 16 Jul 2021 23:22:19 -0700 [thread overview]
Message-ID: <000000000000f2d84305c74bb986@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 3dbdb38e2869 Merge branch 'for-5.14' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11f4b9d8300000
kernel config: https://syzkaller.appspot.com/x/.config?x=1700b0b2b41cd52c
dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
compiler: Debian clang version 11.0.1-2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
Write of size 8 at addr ffff888021498d80 by task syz-executor.1/32612
CPU: 0 PID: 32612 Comm: syz-executor.1 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:96
print_address_description+0x66/0x3b0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x163/0x210 mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
release_task+0x323/0x15a0 kernel/exit.c:191
exit_notify kernel/exit.c:699 [inline]
do_exit+0x1aa2/0x2510 kernel/exit.c:845
do_group_exit+0x168/0x2d0 kernel/exit.c:922
get_signal+0x16c0/0x20d0 kernel/signal.c:2796
arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:789
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007fa6e68ec218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000056bf8c
RBP: 000000000056bf80 R08: 000000000000000d R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fff105041ff R14: 00007fa6e68ec300 R15: 0000000000022000
Allocated by task 32600:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:263 [inline]
kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2997
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
alloc_ucounts+0x176/0x420 kernel/ucount.c:169
set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
__sys_setuid+0x355/0x4a0 kernel/sys.c:623
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 32580:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:229 [inline]
slab_free_hook mm/slub.c:1639 [inline]
slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1664
slab_free mm/slub.c:3224 [inline]
kfree+0xcf/0x2d0 mm/slub.c:4268
put_cred_rcu+0x221/0x400 kernel/cred.c:124
rcu_do_batch kernel/rcu/tree.c:2558 [inline]
rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2793
__do_softirq+0x372/0x783 kernel/softirq.c:558
The buggy address belongs to the object at ffff888021498d00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
192-byte region [ffff888021498d00, ffff888021498dc0)
The buggy address belongs to the page:
page:ffffea0000852600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21498
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001c8ac80 0000000400000004 ffff888011841a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 32273, ts 862400369934, free_ts 857108006622
prep_new_page mm/page_alloc.c:2445 [inline]
get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4178
__alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5386
alloc_slab_page mm/slub.c:1702 [inline]
allocate_slab+0xf1/0x540 mm/slub.c:1842
new_slab mm/slub.c:1905 [inline]
new_slab_objects mm/slub.c:2651 [inline]
___slab_alloc+0x1cf/0x350 mm/slub.c:2814
__slab_alloc mm/slub.c:2854 [inline]
slab_alloc_node mm/slub.c:2936 [inline]
slab_alloc mm/slub.c:2978 [inline]
kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2995
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
push_stack+0x86/0x710 kernel/bpf/verifier.c:1019
check_cond_jmp_op kernel/bpf/verifier.c:8815 [inline]
do_check+0x18d54/0x218b0 kernel/bpf/verifier.c:10882
do_check_common+0xc01/0x21a0 kernel/bpf/verifier.c:12865
do_check_main kernel/bpf/verifier.c:12931 [inline]
bpf_check+0x112e2/0x14720 kernel/bpf/verifier.c:13498
bpf_prog_load kernel/bpf/syscall.c:2274 [inline]
__sys_bpf+0x10923/0x11d80 kernel/bpf/syscall.c:4469
__do_sys_bpf kernel/bpf/syscall.c:4573 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4571 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4571
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1355 [inline]
free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1406
free_unref_page_prepare mm/page_alloc.c:3341 [inline]
free_unref_page_list+0x118/0xad0 mm/page_alloc.c:3457
release_pages+0x18bb/0x1af0 mm/swap.c:972
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x404/0x7a0 mm/mmap.c:3204
__mmput+0x111/0x370 kernel/fork.c:1101
exit_mm+0x60a/0x770 kernel/exit.c:501
do_exit+0x6ae/0x2510 kernel/exit.c:812
do_group_exit+0x168/0x2d0 kernel/exit.c:922
__do_sys_exit_group+0x13/0x20 kernel/exit.c:933
__ia32_sys_exit_group+0x0/0x40 kernel/exit.c:931
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:931
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff888021498c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888021498d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021498d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff888021498e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888021498e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
next reply other threads:[~2021-07-17 6:22 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-17 6:22 syzbot [this message]
2021-08-19 20:32 ` [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts syzbot
2021-08-20 10:09 ` Alexey Gladkov
2021-08-20 13:44 ` Eric W. Biederman
2021-08-23 16:20 ` Alexey Gladkov
2021-08-23 16:16 ` [PATCH v1] ucounts: Increase ucounts reference counter before the security hook Alexey Gladkov
2021-08-23 21:31 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000f2d84305c74bb986@google.com \
--to=syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com \
--cc=ebiederm@xmission.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).